Real estate agents in Australia are using apps that put millions of leases at risk, digital researcher says

By Anand Kumar

Australian platforms used by real estate agents to upload documentation for tenants and landlords are exposing people’s personal information in hyperlinks that can be accessed online.

An analysis of seven rental platforms provided to Guardian Australia by a researcher who wished to remain anonymous revealed that millions of leasing documents could be accessed by threat actors.

Real estate agents handle sensitive tenant and landlord data on a daily basis, including lease agreements, identification documents, payslips and personal references. Online platforms enable agents to store these documents in the cloud and access them through hyperlinks.

The researcher discovered that these links could be scanned and cached by web crawlers.

Guardian Australia has seen six examples of tenancy agreements, landlord and personal instructions and other documents available online. Although the links are obscured by random characters, a login is not required to view them.

The researcher noted that the underlying platform used by rental companies makes it easy to access documents for prospective tenants by adding to or subtracting from a number in the URL sent by real estate companies.

The researcher said the documents date from 2017, that the first invitation code was 1, and that it has now reached 4m.

In another case, the researcher was able to access a lease agreement because a platform used URL shorteners, which make URLs easier to guess. Once the lease is secured, the platform provides an authentication cookie that gives access to the landlord’s entire rental history, maintenance and other documents.

Inspection Express, a platform identified as allowing access to hyperlinks without requiring authentication, said it reviewed how links to its documents are being accessed and shared. After the researcher reported the issue directly to the company last year, it said it upgraded its security this month.

“Inspection Express does not make customer documents publicly discoverable or indexable by Google or other search engines,” a spokesperson said. “The documents are accessed through controlled links and are not published on the open web through our platform, and our review did not identify any open web discovery.”

“The improvements include document links that automatically expire after a limited number of accesses or a defined time window, along with additional restrictions on link sharing and copying,” the spokesperson said. “Intended recipients can safely request a new link if needed.”

Another platform identified by the researcher placed an additional security measure requiring the user to enter their postcode before accessing the document.

Several of the platforms under investigation did not respond to requests for comment and did not respond to the researcher.

Samantha Floreani, a digital rights lawyer and PhD candidate who analyzes rental tech, says the research shows a serious lack of concern for privacy and security in the industry.

“Months after being notified of these vulnerabilities, it’s appalling that so many companies are doing nothing,” she said. “This is a blatant and disturbing disregard for the law and public safety.

“Although these companies make profits by positioning themselves as middlemen between tenants, agents and landlords and collecting vast amounts of data, the benefits to tenants are questionable.”

Floreani said companies left unchecked put an enormous number of Australians at risk.

“Tenants have very little power to refuse to use these systems, because saying no can lead to retaliation, bad omens or losing the house altogether,” she says.

“There is no real choice but to use these platforms to access and retain housing, and then you are forced to hand over insecure information, which adds insult to injury in an already deeply inhumane system.”

A spokesperson for the Australian Information Commissioner’s Office said the agency had not received any notifications from the platforms regarding potential data breaches.

The spokesman said growing demands from rental and property companies for people to hand over their personal information to rent tech apps was a “key priority” for the OAIC this year.

“It’s a sector that creates power and information imbalances, and [the OAIC is] currently looking into rental tech platforms,” the spokesperson said.
