Privacy and Security Flaw with CAB
The Citizens' Advice Bureaux have just released a real-time view of what people are searching for on their site. It's heartbreaking.
who supplies my electricity
why do some children become looked after
will i get back pay on pip
It was, sadly, deeply insecure.

It's falling foul of one of the most basic security flaws: it blindly echoes a user's search input back into the page without checking, encoding or sanitising it, so whatever someone types into the search box is rendered as-is for everyone watching the feed.

There's another potential flaw here. Privacy. Hopefully no one is dumb enough to type in their full name, address, or National Insurance number.
Can a malicious user look at the searches and identify you? How specific is your issue?
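Both problems above (echoing input unencoded, and broadcasting whatever personal details people type) have the same basic fix on the rendering side. The snippet below is an added example, not the CAB's code: it encodes each search term before it is placed in the page, and runs a crude, constructed privacy filter that masks anything shaped like a UK National Insurance number (two letters, six digits, one suffix letter) before the term is shown to other visitors. The function names, the CSS class and the sample searches are assumptions for illustration.

```javascript
// Added example (not the CAB's code): safely rendering a live search feed.
// Two defences: output encoding so a search term can never be interpreted as
// markup, and a simple privacy filter that masks obvious identifiers before
// a term is broadcast to other visitors.

// Map each HTML-significant character to its entity reference.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Encode a string for insertion into HTML text or a quoted attribute value.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Assumed (constructed) privacy filter: mask anything shaped like a UK
// National Insurance number, with or without the usual spacing.
const NI_NUMBER = /\b[A-Z]{2}\s?\d{2}\s?\d{2}\s?\d{2}\s?[A-D]\b/gi;

function redactIdentifiers(term) {
  return term.replace(NI_NUMBER, '[redacted]');
}

// Build one list item for the feed. The term is redacted first, then encoded,
// so whatever the user typed is displayed as literal text, never parsed as markup.
function renderSearchItem(term) {
  return `<li class="search">${escapeHtml(redactIdentifiers(term))}</li>`;
}

// In a browser you can skip string building and let the DOM do the encoding:
//   element.textContent = redactIdentifiers(term);   // safe, never creates markup
//   element.innerHTML   = term;                      // the flaw the post describes

function renderFeed(terms) {
  return `<ul>${terms.map(renderSearchItem).join('')}</ul>`;
}

// Constructed sample of what a live feed might receive, including one term
// containing markup and one containing a (made-up) NI number.
const SAMPLE_SEARCHES = [
  'who supplies my electricity',
  'will i get back pay on pip',
  '<b>bold</b> & "quoted" search',
  'is QQ 12 34 56 C my ni number',
];

console.log(renderFeed(SAMPLE_SEARCHES));
```

The order matters: redact on the raw text, then encode immediately before output. Encoding at the point of rendering (rather than on the way into the database) means the stored search terms stay faithful for analytics while the page can never execute them.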

Ask yourself this - how comfortable would you be with every single search you make being projected onto the side of a building?
A few minutes after reporting this, the security flaw was fixed.