UK Companies House Vulnerability: API Flaw Exposed Millions of Firms

The UK Companies House registry serves as the critical infrastructure for corporate transparency in the United Kingdom, housing records for millions of businesses. A security flaw recently confirmed by the agency highlights the risks inherent in large-scale government databases. According to SecurityWeek, the vulnerability could have been exploited by unauthorized parties to obtain sensitive company details and, more significantly, alter official records.

Technical Analysis of the API Exposure

The vulnerability was identified as a failure in authorization logic within the Companies House digital interface. Specifically, the flaw resided in the “follow” feature, which allows users to receive updates on specific companies. When interacting with this feature, the system’s API reportedly leaked internal authentication tokens and secrets. This represents a significant Privilege Escalation risk, as an unauthenticated external user could potentially gain the same data access as an internal administrator.

This incident is a textbook example of broken access control. In such scenarios, the application fails to properly validate the identity or permissions of the requester before serving sensitive data. For organizations researching how to detect API data leakage, this case demonstrates that even secondary features—like notification subscriptions—can serve as entry points if they are not integrated into a Zero Trust architecture.

Mitigating Broken Access Control in Web Applications

To prevent unauthorized data exposure, developers must implement rigorous server-side validation. Relying on client-side restrictions is insufficient, as attackers can easily intercept and modify API calls. The SOC should prioritize monitoring for anomalous API traffic patterns, such as an unusual volume of requests to the “follow” or “subscribe” endpoints, which may indicate automated scraping. Integrating these logs into a SIEM can help identify the TTP of an attacker attempting to enumerate company IDs.

Impact on Data Integrity and Corporate Security

The ability for an attacker to “alter records” introduces severe risks to the UK business ecosystem. If a malicious actor can change a company’s registered address or appointment details, they can facilitate corporate identity theft. This information could be leveraged in a sophisticated Phishing campaign, where attackers pose as company directors to divert payments or gain Lateral Movement into partner networks.

There is also the risk of APT groups using this data for reconnaissance. By accessing protected home addresses of directors or sensitive filing history, state-sponsored actors can build comprehensive profiles of targets within the defense, energy, or financial sectors. The exposure of such data undermines the trust required for a transparent regulatory environment.

Recommendations for Organizations

While Companies House has stated the vulnerability is now patched, firms should take proactive steps to ensure their data remains accurate. Addressing the Companies House API security vulnerability requires a multi-layered defense strategy:

• Audit Corporate Filings: Regularly check the Companies House register to ensure all directors, addresses, and persons with significant control (PSC) are correctly listed.
• Enable Protected Online Filing (PROOF): Companies should use the PROOF scheme offered by Companies House, which prevents the filing of certain paper forms that could be used to hijack a company’s identity.
• Monitor for Identity Fraud: Security teams should use EDR and identity monitoring tools to watch for the unauthorized use of executive credentials that may have been harvested during the exposure period.

Defenders must treat government registry data as a high-value target and assume that any information previously considered “private” within these portals may have been compromised.