**
Recent findings have raised serious concerns about the security of personal information on Australian rental platforms, as research reveals that millions of lease documents are vulnerable to cyber criminals. This alarming situation highlights the need for immediate action within the real estate sector to safeguard tenant and landlord data.
Vulnerabilities in Digital Platforms
A comprehensive examination of several rental applications used by real estate agents has uncovered significant security flaws that can lead to the exposure of sensitive documents. A researcher, who has chosen to remain anonymous, conducted an analysis of seven prominent platforms and discovered that hyperlinks containing personal information are readily accessible online. This includes lease agreements, identification records, payslips, and personal references, which are often managed by agents in the cloud.
The researcher noted that these hyperlinks can be easily scanned and cached by web crawlers, making sensitive information available to malicious actors. Despite the URLs being camouflaged with randomised characters, they do not require any form of authentication to view. Instances of accessible documents have already been documented by Guardian Australia, raising urgent questions about the adequacy of current protective measures.
Ease of Access for Cyber Criminals
The study highlighted a particularly concerning trend: the underlying infrastructure of these platforms allows for easy manipulation of URLs. By adjusting a number in the URL string provided to potential tenants, the researcher was able to access documents dating back to 2017, with the first invite code beginning at ‘1’ and reaching as high as four million. This indicates a systemic flaw that could be exploited by cyber criminals.
In one notable case, the researcher accessed a lease agreement through a platform that employed URL shorteners, facilitating the guessing of document links. Upon gaining access to a lease, the platform issued an authentication cookie, granting entry to the landlord’s complete rental history alongside maintenance records. Such vulnerabilities reveal a worrying lack of diligence in data protection practices across the industry.
Responses from Rental Platforms
In light of these revelations, one platform, Inspection Express, has stated that it is reviewing its document sharing practices. Following a direct report from the researcher last year, the company recently announced enhancements to its security measures. A spokesperson asserted that their documents are not publicly searchable on platforms like Google and that they are only accessible through controlled links. Newly implemented measures include expiring document links after a set number of accesses or a defined time frame, alongside restrictions on sharing and copying.
Other platforms identified in the research have not publicly commented on these security issues, raising further concerns about transparency and accountability within the sector.
The Call for Enhanced Privacy Protections
Samantha Floreani, a digital rights advocate and PhD candidate who studies rental technology, has highlighted the lack of care for privacy and security in these digital systems. She expressed her dismay that many companies have not taken adequate steps to rectify these vulnerabilities, describing the situation as a “blatant and disturbing disregard for the law and for people’s security.”
Floreani emphasised that renters often find themselves with little leverage to refuse the use of these platforms due to fears of retaliation, poor references, or losing housing opportunities altogether. The coercive nature of the current system, coupled with the inadequate protection of personal information, adds another layer of distress to an already challenging housing landscape.
A spokesperson for the Office of the Australian Information Commissioner noted that the agency had not received any notifications from the platforms regarding potential data breaches. The spokesperson emphasised that the increasing demand for personal information by rental tech apps is a “key priority” for the Office, which is currently scrutinising these platforms to address the emerging risks and power imbalances.
Why it Matters
The exposure of sensitive data on rental platforms poses a critical threat to the privacy and security of countless Australians. As the reliance on technology in the housing sector grows, so too does the responsibility of these platforms to protect personal information. Without robust security measures and transparent practices, renters remain vulnerable to identity theft and other cyber risks, exacerbating the existing challenges within the housing market and undermining trust in the digital systems designed to facilitate secure transactions.
