A critical flaw in Companies House’s WebFiling service allowed any authenticated user to access or log into other companies’ accounts, potentially exposing non-public director details and enabling unauthorized filings. The bug, introduced in October 2025 and patched after the service was taken offline, could be exploited with a simple “file for another company” flow and a browser back-button trick. Companies House says it has found no evidence of large-scale extraction and urges firms to check their records. #CompaniesHouse #WebFiling
Key points
- The WebFiling vulnerability allowed authenticated users to access other companies’ accounts.
- Non-public data for up to five million registered firms, including directors’ DOBs and home addresses, could have been exposed.
- An attacker could change company details and submit unauthorized filings, though existing filed documents could not be altered.
- The exploit required no technical skill—enter a company number, trigger the auth flow, then use the back button.
- The flaw was introduced in October 2025, patched after a service shutdown, and Companies House reports no known large-scale misuse.
Read More: https://www.securityweek.com/uk-companies-house-exposed-details-of-millions-of-firms/