VYPR
breach · Published Mar 16, 2026 · Updated May 18, 2026 · 1 source

Companies House WebFiling Glitch Exposes Five Million UK Companies to Fraud

A simple browser back-button flaw in the UK's Companies House WebFiling portal let authenticated users view and modify registration details of any of five million companies, exposing directors' emails and dates of birth to potential fraud.

The UK's Companies House has suspended its WebFiling dashboard after a critical security glitch was discovered that allowed any authenticated user to access and modify the registration details of any of the five million companies registered with the agency. The flaw, reported by Dan Neidle of Tax Policy Associates and brought to his attention by John Hewitt of Ghost Mail, was remarkably simple to exploit: after logging in, choosing to file for another company and entering that company's number, users were prompted for an authentication code they did not have. Pressing the browser's back button a few times returned them not to their own dashboard but to the target company's dashboard, with full access to its sensitive data and filing functions.

The vulnerability exposed directors' email addresses and dates of birth — information that could be weaponized in targeted phishing campaigns. Even more alarming, attackers could modify registration details such as addresses and officer names without the legitimate company receiving any notification. Neidle demonstrated this by having Hewitt change details on Neidle's own company; the confirmation email was sent to Hewitt, not Neidle. This means a victim company would have no warning that its records had been tampered with until it was too late.
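The two failures described above, the back button landing on another company's dashboard and the confirmation email going to the actor instead of the company, are modelled below in a small Python simulation. This is an added example, not Companies House code: the article reports only the observable behaviour, so the server-side cause shown here (the chosen company being written into the session before the authentication code is checked, and the dashboard trusting that session state) is an assumption, and the company register, email addresses and authentication codes are constructed for the demo.

```python
import hmac
from dataclasses import dataclass, field
from typing import Optional

# Constructed company register for the demo (not real Companies House data).
# "auth_code" stands in for the authentication code each company holds.
COMPANIES = {
    "00000001": {"name": "Alpha Ltd", "address": "1 Alpha St",
                 "contact_email": "director@alpha.example", "auth_code": "AAAAAA"},
    "00000002": {"name": "Beta Ltd", "address": "2 Beta Rd",
                 "contact_email": "director@beta.example", "auth_code": "BBBBBB"},
}

SENT_EMAILS = []  # (recipient, message) pairs, captured instead of sent


@dataclass
class Session:
    user_email: str                      # the logged-in WebFiling user
    own_company: str                     # the company this account is linked to
    current_company: Optional[str] = None
    pending_company: Optional[str] = None
    verified: set = field(default_factory=set)


# --- Vulnerable flow: reproduces the reported behaviour (cause is assumed) ---

def vuln_select_company(s: Session, number: str) -> str:
    # Assumed bug: the company context is committed to the session as soon as
    # a number is entered; the auth-code prompt is merely the next page.
    s.current_company = number
    return "auth_code_prompt"


def vuln_dashboard(s: Session) -> dict:
    # Pressing Back re-requests the dashboard, which trusts the session as-is.
    return COMPANIES[s.current_company or s.own_company]


def vuln_change_address(s: Session, new_address: str) -> str:
    company = vuln_dashboard(s)
    company["address"] = new_address
    # Confirmation goes to the actor's login email, never to the company.
    SENT_EMAILS.append((s.user_email, f"Address changed for {company['name']}"))
    return s.user_email


# --- Hardened flow: authorise at the point of use, notify the company --------

def safe_select_company(s: Session, number: str) -> str:
    s.pending_company = number           # a pending target authorises nothing
    return "auth_code_prompt"


def safe_submit_auth_code(s: Session, code: str) -> bool:
    target, s.pending_company = s.pending_company, None
    if target is None or target not in COMPANIES:
        return False
    if not hmac.compare_digest(COMPANIES[target]["auth_code"].encode(), code.encode()):
        return False
    s.verified.add(target)
    s.current_company = target
    return True


def safe_dashboard(s: Session) -> dict:
    # Entitlement is checked where the data is served, not where the user
    # navigated, so Back cannot skip it.
    target = s.current_company or s.own_company
    if target != s.own_company and target not in s.verified:
        raise PermissionError(f"not authorised for company {target}")
    return COMPANIES[target]


def safe_change_address(s: Session, new_address: str) -> list:
    company = safe_dashboard(s)
    company["address"] = new_address
    # Notify the company's registered contact as well as the actor.
    recipients = sorted({company["contact_email"], s.user_email})
    for r in recipients:
        SENT_EMAILS.append((r, f"Address changed for {company['name']}"))
    return recipients


def demo() -> dict:
    """Replay the back-button sequence against both flows."""
    attacker = Session(user_email="attacker@example.com", own_company="00000001")
    vuln_select_company(attacker, "00000002")          # prompted for a code we lack
    leaked = vuln_dashboard(attacker)["name"]          # Back -> Beta Ltd's dashboard
    notified = vuln_change_address(attacker, "99 Fraud Lane")

    attacker = Session(user_email="attacker@example.com", own_company="00000001")
    safe_select_company(attacker, "00000002")
    shown = safe_dashboard(attacker)["name"]           # Back -> own dashboard only
    attacker.current_company = "00000002"              # stale or forced context
    try:
        safe_dashboard(attacker)
        blocked = False
    except PermissionError:
        blocked = True
    return {"vulnerable_showed": leaked, "vulnerable_notified": notified,
            "hardened_showed": shown, "hardened_blocked": blocked}


if __name__ == "__main__":
    print(demo())
```

The hardened version keeps the selected company as a pending value that grants nothing, upgrades it only after a constant-time comparison of the authentication code, re-checks entitlement inside every handler that reads or writes a record, and emails the company's registered contact on each change so that a victim learns of tampering even when the actor's own address receives the confirmation.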

Criminals could exploit the glitch to change a company's registered address and officers, then use the altered public record to open bank accounts or apply for loans in the company's name. Small businesses with fewer internal safeguards are particularly vulnerable to this kind of identity theft. Because the flaw gave essentially unlimited access to personal data, it also raises serious GDPR compliance questions for Companies House, which holds data on millions of directors.

Companies House took the WebFiling dashboard offline on Friday after being notified by Neidle. The agency has not yet confirmed how long the vulnerability existed, whether any modifications were actually made via the glitch, or if its audit logs can track which accounts accessed unrelated companies' dashboards. Neidle noted that standard logging should allow retrospective investigation to identify affected organizations.
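The retrospective investigation Neidle describes is, in outline, a join between the audit log and the entitlement table: any account that reached a company's dashboard or filings without being linked to that company, and without a logged successful authentication-code check, is a finding, and the affected companies are the ones to notify. The script below is an added example of that triage and is not Companies House's tooling; the log format, event names, account identifiers and entitlement table are all constructed for the demo, since the article says nothing about what the real logs contain.

```python
import re
from collections import defaultdict

# Constructed audit log in an assumed key=value format; not Companies House's
# real log schema. u100 reaches 00000002's dashboard and changes its address
# without ever passing the auth code; u200 passes it; u300 views its own company.
SAMPLE_LOG = """\
2026-03-13T09:58:01Z user=u100 event=login
2026-03-13T09:58:40Z user=u100 event=select_company company=00000002
2026-03-13T09:58:41Z user=u100 event=auth_code_prompt company=00000002
2026-03-13T09:59:05Z user=u100 event=dashboard_view company=00000002
2026-03-13T09:59:30Z user=u100 event=update_address company=00000002
2026-03-13T10:10:00Z user=u200 event=select_company company=00000003
2026-03-13T10:10:12Z user=u200 event=auth_code_ok company=00000003
2026-03-13T10:10:20Z user=u200 event=dashboard_view company=00000003
2026-03-13T10:20:00Z user=u300 event=dashboard_view company=00000004
"""

# Assumed entitlement table: the companies each account is linked to.
ENTITLEMENTS = {"u100": {"00000001"}, "u200": {"00000005"}, "u300": {"00000004"}}

# Events that expose or alter a company's record.
READ_EVENTS = {"dashboard_view"}
WRITE_EVENTS = {"update_address", "update_officer"}

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.+)$")


def parse_line(line: str):
    """Parse one 'timestamp key=value ...' line into a dict, or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    pairs = (kv.partition("=") for kv in m["kv"].split())
    fields = {k: v for k, sep, v in pairs if sep}
    fields["ts"] = m["ts"]
    return fields


def find_unauthorised_access(log_text: str, entitlements: dict) -> list:
    """Events where an account reached a company it is not linked to and for
    which no auth_code_ok was logged earlier for that (account, company)."""
    verified = set()                     # (user, company) pairs that passed the code
    findings = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None or not {"user", "event", "company"} <= ev.keys():
            continue
        user, company, event = ev["user"], ev["company"], ev["event"]
        if event == "auth_code_ok":
            verified.add((user, company))
        elif event in READ_EVENTS | WRITE_EVENTS:
            if company in entitlements.get(user, set()) or (user, company) in verified:
                continue
            findings.append(ev)
    return findings


def affected_companies(findings: list) -> dict:
    """Group findings by company: who looked, and whether anything was changed."""
    summary = defaultdict(lambda: {"viewed_by": set(), "modified": False})
    for ev in findings:
        entry = summary[ev["company"]]
        entry["viewed_by"].add(ev["user"])
        if ev["event"] in WRITE_EVENTS:
            entry["modified"] = True
    return dict(summary)


if __name__ == "__main__":
    report = affected_companies(find_unauthorised_access(SAMPLE_LOG, ENTITLEMENTS))
    for company, info in report.items():
        state = "modified" if info["modified"] else "viewed only"
        print(company, sorted(info["viewed_by"]), state)
```

On the constructed log this flags only u100's view and address change against company 00000002; u200's access is cleared by its earlier auth_code_ok and u300 is linked to the company it viewed. The same logic scales to a real log by streaming lines instead of holding them in memory, and the "modified" flag is what separates companies that merely need a disclosure notice from those whose records must be reviewed and possibly reverted.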

Directors are urged to check their Companies House registration data immediately, both public and non-public, for any unauthorized changes. The incident highlights the risk inherent in centralized government databases holding sensitive corporate and personal information, especially when web application logic fails to enforce basic authorization checks. This is not the first time Companies House has faced scrutiny over its security practices; earlier concerns were raised about the agency's ID verification processes.

The glitch is a stark reminder that ordinary browser navigation can bypass access controls when a web application treats the step a user has reached as proof of authorization, instead of checking entitlement each time a record is served or changed. Until Companies House completes its investigation and reopens the dashboard with fixes, directors should remain vigilant and monitor their company records for signs of tampering.

Synthesized by Vypr AI