Responsible Disclosure - Citizens Advice Bureaux


A quick report into a nasty privacy vulnerability I found with the CAB. Unusually for me, this has no Internet component.

Regular readers will know about my recent court visit. As part of that, I had to telephone the CAB Volunteers at the court who look after witnesses.

I called, and was put on hold, then asked to leave a message. There's a popular myth that you can trick phone systems to sending your call to the operator if you hold down the zero button.

So I rang back...

"Please hold while we try to connect you..."

*presses the 0 key*

"You have... two... unread messages. To listen to your messages, press 1. To change your mailbox greeting, press 2...."

I hung up quickly. This was a service which deals with potentially vulnerable witnesses. An attacker could ring the CAB Court Volunteers, and listen to the voicemails.

This is not a theoretical attack. This is exactly how the Phone Hacking Scandal worked. Playing back voicemails without permission - thanks to a lack of PIN protection.

I eventually got through to someone at CAB to report the problem - they also gave me details of someone I could email.

2018-07-12 - I send a detailed report.

2018-08-02 - I received confirmation that it had been fixed.

On receiving your email from my colleague, I contacted [the] Operations Manager for the Witness Service, who immediately escalated this. I also called the Uxbridge Witness Service contact number and confirmed that it also allowed me to follow options and access voicemails, however I noted that the 2 voicemails did not include any actual messages, there was some background noise and at the end of the messages the phone receiver is heard clicking indicating the call had been ended, on both messages.

On the 13/07/2018, we had a nationwide action for all Team Leaders to check voicemails for the Court contact number mailboxes, to confirm that they are secure with a pin code access. This action enabled us to be sure that each mailbox was secure and accessible only via a pin code, this was recorded and shared with Management so that we could ensure that each court had been verified. Our IT team was also involved in helping check some sites remotely and assist Team Leaders where they were experiencing difficulties.

Action was taken immediately to firstly check other Court mailboxes to ensure they too were not accessible, and where it was found that the voicemails were not secure, pin codes were immediately requested from IT or set up where this was possible.

I would like to thank you for taking the time to inform us of your experience as it enabled us to take swift action and ensure that the phone mailboxes were checked and secured.

An impressively quick response. Great to know that they were able to rapidly respond and fix. I've previously reported problems to the CAB and they take this stuff seriously.

If you have a voicemail system - whether personal or for a business - please make sure that it is adequately secured.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.