
Location Leak: Christie's Mistakenly Exposes Whereabouts of Consigned Artworks

Owners of hundreds of items seeking to sell had their location data published by mistake on the eBay website.

A university professor living in a large town in western Germany was busy on a recent Wednesday evening preparing several paintings for sale through the British auction house Christie's, which conducts auctions around the world.

Using his iPhone, he uploaded images of an inherited piece of art that he kept at home to the company's website. The site promised that within a few weeks Christie's would tell him whether it was interested in advertising the pieces for sale and whether they were worth any money.

The German researchers say that by uploading these images, he revealed to Christie's not only the exact location of the pieces but also the exact size of each one. And because the uploaded images could be found online, they say, anyone could retrieve them and see for themselves where the works are located.

This cybersecurity incident affected hundreds of Christie's clients who had uploaded photographs of their prized paintings and sculptures to the auction house's website for review. The breach was discovered by researchers Martin Tschirsich and André Zilch of the German cybersecurity research company Zentrust Partners, after a friend asked them to check how effective the auction house's data security was.

As more businesses transact over the internet, cybersecurity vulnerabilities are becoming an issue not just for Big Tech companies but for almost everyone.

The professor's case illustrates that photos uploaded to Christie's often carry the GPS coordinates of where they were taken. Those coordinates are precise enough not only to reveal a street address but to place the photo within a few feet of the spot inside a building where it was taken.

According to the researchers, approximately 10 percent of the uploaded images carry GPS coordinates that can be verified. It should be noted that in the last couple of days the U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued a general warning about the type of vulnerability the German researchers discovered. In a joint statement with the National Security Agency and the Australian Cyber Security Centre, CISA said that vulnerabilities of this kind have compromised the personal, financial, and health information of millions of users and consumers. CISA did not refer to any changes at the auction house.
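The leak described above comes down to Exif metadata riding along inside uploaded JPEGs. As an added example (not code from the article, the researchers, or Christie's), the following Python shows the defensive check an upload handler would want: detect whether a JPEG's Exif block contains a GPS sub-IFD, and strip the Exif segment before the image is stored or served. The JPEG sample is constructed inline; real uploads are parsed the same way.

```python
import struct

EXIF_HEADER = b"Exif\x00\x00"
GPS_IFD_TAG = 0x8825  # IFD0 "GPSInfo" entry: pointer to the GPS sub-IFD

def _segments(jpeg: bytes):
    """Yield (marker, start, end) per length-prefixed header segment; stop at SOS/EOI."""
    pos = 2  # skip SOI (FF D8)
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF and jpeg[pos + 1] not in (0xDA, 0xD9):
        (length,) = struct.unpack(">H", jpeg[pos + 2:pos + 4])
        yield jpeg[pos + 1], pos, pos + 2 + length
        pos += 2 + length

def has_gps_exif(jpeg: bytes) -> bool:
    """True if an APP1 Exif segment's IFD0 carries a GPSInfo pointer."""
    for marker, start, end in _segments(jpeg):
        if marker != 0xE1 or jpeg[start + 4:start + 10] != EXIF_HEADER:
            continue
        tiff = jpeg[start + 10:end]
        e = "<" if tiff[:2] == b"II" else ">"  # TIFF byte order
        (ifd0,) = struct.unpack(e + "I", tiff[4:8])
        (count,) = struct.unpack(e + "H", tiff[ifd0:ifd0 + 2])
        for i in range(count):
            off = ifd0 + 2 + 12 * i
            (tag,) = struct.unpack(e + "H", tiff[off:off + 2])
            if tag == GPS_IFD_TAG:
                return True
    return False

def strip_exif(jpeg: bytes) -> bytes:
    """Copy the JPEG without any APP1 Exif segment (drops the GPS IFD too)."""
    out = bytearray(jpeg[:2])
    tail = 2
    for marker, start, end in _segments(jpeg):
        if not (marker == 0xE1 and jpeg[start + 4:start + 10] == EXIF_HEADER):
            out += jpeg[start:end]
        tail = end
    return bytes(out + jpeg[tail:])  # SOS/EOI onward is copied unchanged

def build_sample_jpeg_with_gps() -> bytes:
    """Constructed sample: minimal JPEG whose Exif IFD0 points at a GPS IFD."""
    e = "<"  # little-endian TIFF ("II")
    # IFD0 at offset 8: one entry, GPSInfo (type LONG=4, count 1) -> GPS IFD at 26
    ifd0 = struct.pack(e + "HHHII", 1, GPS_IFD_TAG, 4, 1, 26) + struct.pack(e + "I", 0)
    # GPS IFD: one entry, GPSLatitudeRef (ASCII=2, "N\0" inline), then next-IFD = 0
    gps = struct.pack(e + "HHHI", 1, 0x0001, 2, 2) + b"N\x00\x00\x00" + struct.pack(e + "I", 0)
    tiff = b"II" + struct.pack(e + "HI", 42, 8) + ifd0 + gps
    app1 = EXIF_HEADER + tiff
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"
```

A truncated or malformed Exif block raises `struct.error` in `has_gps_exif`; an upload filter should treat that as a reason to reject or re-encode the file rather than pass it through.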

Christie's website often holds GPS information in photographs uploaded by aspiring consigners hoping to secure a future sale, according to Tschirsich and Zilch. A prospective seller can upload up to three images of the work they want to sell to the auction house's complimentary online estimate service via the Request an Auction Estimate page of its website.

The Estates, Appraisals & Valuation Services page has been moved to a separate page that caters exclusively to estate representatives. Although Christie's was reportedly contacted by the researchers about the security lapse in June, the company did not resolve the issue until Tuesday. Tschirsich and Zilch said earlier this month that they had offered to help resolve the vulnerability at no charge but were told by an unnamed Christie's executive that the firm did not need any advice or assistance and that the matter had been referred to in-house administrators.

The pair had previously carried out such work for free as volunteers. In one instance they helped secure patients' health data in Germany, and Tschirsich was one of a small group of researchers who uncovered an issue that could have affected software used in German elections.

The duo decided to investigate Christie's after a business acquaintance asked them what security assurances its service provides. Tschirsich told the Post that he found the major vulnerability only a few minutes into looking at the issue. Because the flaw is so simple, anyone with a computer and a browser could exploit it within minutes.

In a statement to ARTnews, Christie's said it respects the privacy concerns of its clients and places a high value on safeguarding client information. The same statement, which the Washington Post also received from the auction house, said Christie's has a comprehensive information security program that protects client information against unauthorized access.

The statement added that its representatives continuously assess the auction house's security measures. Christie's declined to respond to questions about, or to validate, the researchers' findings. The company says it is committed to safeguarding personal data, but it has also been criticized for offering anonymity to its clients.

According to the researchers, the company has taken steps to resolve the problem, but only after The Post contacted it about the matter. Tschirsich said Christie's appeared to have taken technical measures to close the vulnerability only on Tuesday.

By then, he said, more than two months had passed since Christie's received the researchers' report of the problem. The technology industry routinely pays researchers who disclose a vulnerability, which for a private seller might fetch even more on the black market than that fee. Larger companies also run what are called bug bounty programs to incentivize cybersecurity researchers to report flaws that could lead to breaches.

Christie's, however, does not appear to advertise such a program. Zilch and Tschirsich say they were not trying to extort a bounty from Christie's or to get a job; they simply wanted Christie's to fix a vulnerability that was endangering its users.

The two have been probing systems for years and reporting the vulnerabilities they find to companies and organizations, often at no cost. They have previously identified several vulnerabilities that put the personal data of German citizens at risk, and the team of Tschirsich and others found that German election software had problems that could have disrupted the counting of votes.

After warning the affected organizations, the researchers investigated both problems for free and found that they had been fixed. They decided to take a closer look at Christie's after an acquaintance asked how secure the company was. It does not appear that anyone took advantage of the security hole, which had gone unnoticed for a long time, Tschirsich told The Post. The vulnerability can be exploited using any browser in just minutes by anyone with a basic understanding of how to use one.