Full Report
Back button blunder in WebFiling service run by Companies House revealed confidential paperwork

Companies House was forced to pull down its record-filing platform for the entire weekend to rectify a "security issue" that exposed the personal details of company directors and other data to any logged-in users.…
Analysis Summary
# Vulnerability: Companies House WebFiling Information Exposure and Unauthorized Modification
## CVE Details
- **CVE ID**: Not explicitly assigned in the report (commonly categorized as a logic flaw / broken access control).
- **CVSS Score**: Estimated 7.1 (High) - based on unauthorized data access and modification capabilities.
- **CWE**: CWE-285 (Improper Authorization) / CWE-637 (Unintended Re-enabling of Capabilities).
## Affected Systems
- **Products**: Companies House WebFiling service (UK Corporate Registry).
- **Versions**: Platform iterations deployed between October 2025 and March 13, 2026.
- **Configurations**: Any user account logged into the WebFiling platform.
## Vulnerability Description
The flaw was a session management and navigation logic error triggered by browser state changes. When a logged-in user attempted to access another company’s account (which they did not own), the system correctly blocked initial access. However, by manually navigating using the browser’s "Back" button multiple times, the application failed to re-validate the user's authorization for the previous state. Instead of returning the user to their own dashboard, the system incorrectly granted access to the restricted company's session, exposing non-public data and administrative functions.
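The pattern described above, where a blocked request leaves navigation state behind that a later page trusts, is easiest to see side by side with the per-request re-validation that prevents it. The model below is an added example written for this summary; it is a hypothetical simplification, not Companies House code, and the user names, company numbers and `AUTHORISED` mapping are constructed. The vulnerable flow records the requested company in the session before the ownership check; the fixed flow only records it after the check succeeds and re-checks ownership on every page render, so that revisiting an earlier page (as the "Back" button does) cannot resurface a company the user never had access to.

```python
"""Hypothetical model of broken vs. correct per-request authorization."""
from dataclasses import dataclass
from typing import Optional

# Constructed sample data: which logged-in user is an authorised filer for which company.
AUTHORISED = {
    "alice": {"00000001"},
    "bob": {"00000002"},
}


@dataclass
class Session:
    user: str
    # Navigation state remembered between requests ("which company am I working on").
    current_company: Optional[str] = None


def is_authorised(user: str, company: str) -> bool:
    """Authoritative ownership check, derived from the user/company pair every time."""
    return company in AUTHORISED.get(user, set())


# --- Vulnerable flow: state is cached before the check and later trusted -------

def open_company_vulnerable(session: Session, company: str) -> str:
    session.current_company = company          # remembered even when the check fails
    if not is_authorised(session.user, company):
        return "403 Forbidden"                 # initial access correctly blocked...
    return f"200 dashboard for {company}"


def dashboard_vulnerable(session: Session) -> str:
    # ...but a later page trusts the cached state and never re-validates it.
    if session.current_company is None:
        return "302 select company"
    return f"200 dashboard for {session.current_company}"


# --- Fixed flow: state is set only after the check, and re-validated on every render

def open_company_fixed(session: Session, company: str) -> str:
    if not is_authorised(session.user, company):
        return "403 Forbidden"
    session.current_company = company          # only remembered once authorised
    return f"200 dashboard for {company}"


def dashboard_fixed(session: Session) -> str:
    company = session.current_company
    if company is None:
        return "302 select company"
    if not is_authorised(session.user, company):
        session.current_company = None         # drop stale state rather than serve it
        return "403 Forbidden"
    return f"200 dashboard for {company}"


def replay(open_company, dashboard, user: str, company: str) -> list:
    """Blocked request followed by a revisit of the dashboard page."""
    session = Session(user)
    return [open_company(session, company), dashboard(session)]


if __name__ == "__main__":
    print("vulnerable:", replay(open_company_vulnerable, dashboard_vulnerable, "alice", "00000002"))
    print("fixed:     ", replay(open_company_fixed, dashboard_fixed, "alice", "00000002"))
```

The design point is that authorization must be a function of the authenticated principal and the resource requested on each request; anything cached in the session is a convenience that still has to be re-checked before it is served.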
## Exploitation
- **Status**: Exploited in the wild (identified by external researchers; investigation ongoing for malicious use).
- **Complexity**: Low (requires only a standard web browser and basic navigation).
- **Attack Vector**: Network (Web-based).
## Impact
- **Confidentiality**: High. Exposed personal details include dates of birth, residential addresses, and private company email addresses.
- **Integrity**: Medium/High. Attackers could perform unauthorized filings, such as changing director details or submitting accounts.
- **Availability**: Low. While the service was taken offline for remediation, the flaw itself did not inherently impact system availability.
## Remediation
### Patches
- **Vendor Fix**: Companies House implemented a server-side logic fix to the WebFiling platform. The service was restored on March 16, 2026, at 09:00 UTC.
### Workarounds
- **Service Suspension**: The system was temporarily taken offline by the vendor between March 13, 13:30 UTC and March 16, 09:00 UTC to prevent further exploitation during the patching window.
## Detection
- **Indicators of Compromise**:
  - Audit logs showing unauthorized changes to company directors or registered addresses.
  - Unexpected filings or "Account" submissions not initiated by the authorized company secretary.
- **Detection methods and tools**: Companies House is currently conducting an internal investigation to identify irregular access patterns or unauthorized modifications recorded since October 2025.
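The indicators listed above amount to one query over the filing audit trail: sensitive events in the exposure window performed by an actor who is not an authorised filer for that company. The script below is an added example, not a Companies House tool; the JSON audit lines, the `AUTHORISED` mapping and the event names are constructed, and the window bounds are taken from the dates stated in this summary. It returns the matching records so they can be triaged.

```python
"""Hunt for filings made by actors who were not authorised filers for the company."""
import json
from datetime import datetime, timezone

# Constructed audit log lines (JSON per line); not real Companies House data.
AUDIT_LOG = """
{"ts": "2025-11-03T10:14:00Z", "actor": "alice", "company": "00000001", "event": "DIRECTOR_CHANGE"}
{"ts": "2026-01-20T16:02:00Z", "actor": "alice", "company": "00000002", "event": "REGISTERED_ADDRESS_CHANGE"}
{"ts": "2026-02-11T09:30:00Z", "actor": "bob",   "company": "00000002", "event": "ACCOUNTS_SUBMITTED"}
{"ts": "2025-09-15T12:00:00Z", "actor": "carol", "company": "00000001", "event": "DIRECTOR_CHANGE"}
{"ts": "2026-03-10T08:45:00Z", "actor": "carol", "company": "00000001", "event": "ACCOUNTS_SUBMITTED"}
{"ts": "2026-03-11T11:00:00Z", "actor": "carol", "company": "00000001", "event": "LOGIN"}
"""

# Constructed: authorised filers per company (the source of truth a registry would hold).
AUTHORISED = {
    "00000001": {"alice"},
    "00000002": {"bob"},
}

# Exposure window from the summary: October 2025 until service restoration on 16 March 2026, 09:00 UTC.
WINDOW_START = datetime(2025, 10, 1, tzinfo=timezone.utc)
WINDOW_END = datetime(2026, 3, 16, 9, 0, tzinfo=timezone.utc)

# Event types matching the listed indicators (director/address changes, account submissions).
SENSITIVE_EVENTS = {"DIRECTOR_CHANGE", "REGISTERED_ADDRESS_CHANGE", "ACCOUNTS_SUBMITTED"}


def parse_ts(value: str) -> datetime:
    """Parse an ISO-8601 UTC timestamp with a trailing 'Z'."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def find_unauthorised_filings(log_text: str, authorised: dict) -> list:
    """Return sensitive events in the window whose actor is not an authorised filer."""
    hits = []
    for line in log_text.strip().splitlines():
        rec = json.loads(line)
        if rec["event"] not in SENSITIVE_EVENTS:
            continue
        ts = parse_ts(rec["ts"])
        if not (WINDOW_START <= ts <= WINDOW_END):
            continue
        if rec["actor"] not in authorised.get(rec["company"], set()):
            hits.append(rec)
    return hits


if __name__ == "__main__":
    for hit in find_unauthorised_filings(AUDIT_LOG, AUTHORISED):
        print(f"{hit['ts']} {hit['event']} on {hit['company']} by {hit['actor']}")
```

With the constructed data, the address change by `alice` on `00000002` and the accounts submission by `carol` on `00000001` are flagged; `carol`'s September 2025 director change falls before the window and is ignored, as is the non-sensitive login event.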
## References
- **Vendor Statement**: hXXps[://]www[.]gov[.]uk/government/news/update-on-companies-house-webfiling-security-issue
- **Primary Source**: hXXps[://]www[.]theregister[.]com/2026/03/16/companies_house_webfiling_flaw/
- **Researcher PoC**: hXXps[://]x[.]com/DanNeidle/status/2032506756786511908