Leakage of sensitive data through real estate apps in Australia: A critical issue
Real estate agents in Australia are using apps that expose millions of lease documents, putting people's personal information at risk. A digital researcher has revealed that these apps, used by agents to upload documentation for renters and landlords, leave sensitive data vulnerable through hyperlinks accessible online.
The researcher, who wished to remain anonymous, analyzed seven rent platforms and found that millions of leasing documents could be accessed by threat actors. These documents include lease agreements, identification documents, payslips, and personal references, all managed daily by real estate agents.
The issue lies in the way these platforms store and share documents. Links to these documents can be scanned by web crawlers and cached, making them easily accessible online. While some platforms use randomised characters to obscure links, they don't require a login to view them, further exacerbating the problem.
The researcher identified a critical vulnerability: the underlying platform used by rental companies allows easy access to documents by simply incrementing or decrementing the number in the URL sent to prospective tenants. This means that documents dating back to 2017, with the first invite code being 1 and now reaching 4 million, are potentially at risk.
In another case, the researcher exploited URL shorteners, which make URLs easier to guess, to access a lease agreement. This led to the platform providing an authentication cookie, granting access to the landlord’s entire rental history, maintenance, and other documents.
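As an added illustration (not code from the article or from any of the platforms it names), the following Python sketch places the sequential-identifier pattern described above beside a hardened link scheme in which each document link is an unguessable, recipient-bound, expiring token that can only be redeemed by the authenticated recipient; the document store, e-mail addresses and function names are constructed assumptions.

```python
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed sample store: numeric document id -> (recipient, file label).
DOCS: Dict[int, Tuple[str, str]] = {
    1: ("tenant-a@example.com", "lease-2017.pdf"),
    2: ("tenant-b@example.com", "payslip.pdf"),
}


def fetch_document_vulnerable(doc_id: int) -> Optional[str]:
    """The flawed pattern: a sequential id in the URL and no login check, so
    adding or subtracting 1 reaches a stranger's document."""
    entry = DOCS.get(doc_id)
    return entry[1] if entry else None


@dataclass
class Link:
    doc_id: int
    recipient: str
    expires_at: float


class DocumentLinks:
    """Hardened pattern: a 256-bit random capability token, bound to one
    recipient, time-limited, and redeemable only by that recipient once they
    have authenticated."""

    def __init__(self, ttl_seconds: int = 7 * 24 * 3600) -> None:
        self._links: Dict[str, Link] = {}
        self._ttl = ttl_seconds

    def issue(self, doc_id: int, recipient: str, now: float) -> str:
        token = secrets.token_urlsafe(32)  # CSPRNG output, not a counter
        self._links[token] = Link(doc_id, recipient, now + self._ttl)
        return f"/documents/{token}"

    def fetch(self, token: str, user: Optional[str], now: float) -> Optional[str]:
        link = self._links.get(token)
        # Unknown, expired, anonymous and wrong-user requests all receive the
        # same answer so the endpoint does not become an oracle for tokens.
        if link is None or now > link.expires_at:
            return None
        if user is None or user != link.recipient:
            return None
        return DOCS[link.doc_id][1]
```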
Inspection Express, one of the platforms identified as allowing access to hyperlinks without requiring authentication, has since upgraded its security after being notified of the issue last year. They claim their documents are not publicly discoverable or indexable by Google or other search engines, and that their review did not identify any open web discovery.
However, the researcher's findings highlight a serious lack of care for privacy and security in the industry. Digital rights advocate Samantha Floreani, a PhD candidate analyzing rental tech, criticized the companies for their inaction despite being notified of these vulnerabilities months ago.
Floreani warns that these companies are putting an enormous number of Australians at risk. Renters have little power to refuse using these systems, as saying no can lead to retaliation, a bad reference, or missing out on a home. The lack of protection for the information renters are forced to hand over adds insult to injury in an already dehumanizing system.
The Office of the Australian Information Commissioner has also expressed concern, stating that the increasing demands for personal information from rental and property companies are a key priority for the agency this year. It is scrutinizing rent tech platforms to address the power and information imbalances in the sector.