Real estate agents in Australia using apps that leave millions of lease documents at risk, digital researcher says


Australian platforms used by real estate agents to upload documentation for renters and landlords are leaving people’s personal information exposed in hyperlinks accessible online.

An analysis of seven rent platforms provided to Guardian Australia by a researcher, who wished to remain anonymous, revealed millions of leasing documents could be accessed by threat actors.

Real estate agents manage sensitive tenant and landlord data on a daily basis, including lease agreements, identification documents, payslips and personal references.

Online platforms enable agents to store these documents in the cloud and make them accessible via hyperlinks.

The researcher found these links can be scanned by web crawlers and cached.

Guardian Australia has seen six examples of rental agreements, employer and personal references, and other documents available online.

While the links were obscured through randomised characters, they did not require a log-in to view them.

The researcher identified that the underlying platform used by rental companies makes it easy to access documents by simply adding or subtracting a number on the URL real estate companies send to prospective tenants.

The researcher said the documents date back to 2017, with the first invite code being 1, and now reaching 4m.

In another case, the researcher was able to access a lease agreement due to one platform’s use of URL shorteners, which make the URLs easier to guess.

Once the lease was accessed, the platform provided an authentication cookie, giving access to the landlord’s entire rental history, maintenance and other documents.

Inspection Express, one platform that was identified as allowing access to hyperlinks without requiring authentication, said it had undertaken a review of how its document links are accessed and shared.

It said this month it had upgraded its security, after the researcher reported the issue directly to the company last year.

“Inspection Express does not make customer documents publicly discoverable or indexable by Google or other search engines,” a spokesperson said.

“Documents are accessed via controlled links and are not published to the open web by our platform, and our review did not identify any open web discovery.

“The enhancements include document links that automatically expire after a limited number of accesses or a defined time window, along with additional restrictions on link sharing and copying. Intended recipients can securely request a new link if required.”

Another platform the researcher identified has put in an additional security measure requiring the user to enter their postcode before accessing the document.

A number of platforms in the research did not respond to requests for comment, and did not respond to the researcher.

Samantha Floreani, a digital rights advocate and PhD candidate analysing rental tech, said the research showed a very serious lack of care for privacy and security in the industry.

“It is appalling that months after being notified of these vulnerabilities, most companies have done nothing,” she said.

“This is a blatant and disturbing disregard for the law and for people’s security.

“While these companies turn a profit by inserting themselves as intermediaries between renters, agents and landlords and collecting vast quantities of data, the benefits to renters are questionable at best.”

Floreani said left unchecked the companies are putting an enormous number of Australians at risk.

“Renters have very little power to refuse to use these systems because saying no can lead to retaliation, a bad reference, or just missing out on a home altogether,” she said.

“To have no real choice but to use these platforms in order to access and retain housing, then to have the information you are forced to hand over left unprotected, adds insult to injury in an already deeply dehumanising system.”

A spokesperson for the Office of the Australian Information Commissioner said the agency had received no notifications from the platforms regarding potential data breaches.

The spokesperson said the increasing demands from rental and property companies for people to hand over their personal information to rent tech apps is a “key priority” for the OAIC this year.

“It is a sector that creates power and information imbalances, and [the OAIC] is currently scrutinising rent tech platforms,” the spokesperson said.
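
The link enhancements described above (expiry after a limited number of accesses or a defined time window, with no counter in the URL) can be sketched as follows. This is an added example, not code from any platform named in the article; `DocumentLinkStore`, its parameters and the sample document id are hypothetical, and an expiring link narrows exposure but does not replace a log-in check.

```python
import hashlib
import secrets
import time


class DocumentLinkStore:
    """Issues share links that die after max_uses reads or ttl_seconds."""

    def __init__(self, ttl_seconds=3600, max_uses=3, clock=time.time):
        self.ttl = ttl_seconds
        self.max_uses = max_uses
        self.clock = clock            # injectable so expiry can be tested
        self._links = {}              # sha256(token) -> link record

    @staticmethod
    def _digest(token):
        # Only the hash is stored, so a leaked table does not yield live links.
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, document_id, recipient):
        # 256 bits from the OS CSPRNG: neighbouring tokens are unrelated,
        # unlike an invite code that counts up from 1.
        token = secrets.token_urlsafe(32)
        self._links[self._digest(token)] = {
            "document_id": document_id,
            "recipient": recipient,
            "expires_at": self.clock() + self.ttl,
            "uses_left": self.max_uses,
        }
        return token

    def redeem(self, token):
        """Return the document id, or None if unknown, expired or used up."""
        key = self._digest(token)
        record = self._links.get(key)
        if record is None:
            return None
        if self.clock() >= record["expires_at"] or record["uses_left"] <= 0:
            del self._links[key]      # dead links are purged, not kept around
            return None
        record["uses_left"] -= 1
        return record["document_id"]


if __name__ == "__main__":
    store = DocumentLinkStore(ttl_seconds=900, max_uses=2)
    link = store.issue("lease-constructed-001", "tenant@example.com")  # constructed sample
    print([store.redeem(link) for _ in range(3)])
```

A recipient whose link has expired would be sent a fresh token through `issue` after the platform confirms who is asking; that confirmation step is outside this sketch.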