Two German information security experts discovered a vulnerability in Christie’s cybersecurity safeguards that allowed the location data of hundreds of consigners’ artworks to be published to the auction house’s website, according to the Washington Post.
The experts said that the GPS data was so accurate that it could reveal, within just a few feet, exactly where a photo was taken, and consequently, where the art was being stored.
“Around 10 percent of the uploaded images contain exact GPS coordinates,” Martin Tschirsich and André Zilch of the German cybersecurity research company Zentrust Partners told the Post.
According to Tschirsich and Zilch, when aspiring consigners upload images to the Christie’s website in hopes of a future sale, GPS information is often included with the photographs. The “Request an Auction Estimate” page of the auction house’s website says a prospective seller can upload up to three images of work to their “complimentary online auction estimate service” for consideration. (Estate representatives are directed to a wholly different page for “Estates, Appraisals & Valuation Services.”)
Despite being contacted about the lapse in security by the researchers in June, Christie’s reportedly didn’t resolve the vulnerability until Tuesday. Tschirsich and Zilch said they offered to help deal with the vulnerability for free, but were told by an unnamed Christie’s executive that the auction house “[did] not require any advice or assistance” and that the issue had been directed to in-house security.
“As cybersecurity researchers we were very surprised by this reaction,” Zilch told the Post, which noted that while many companies pay white hat hackers like Tschirsich and Zilch to find vulnerabilities in their system, Christie’s does not seem to “advertise such a program.”
The pair have done such work for free in the past. In one instance, they helped secure patients’ health data in Germany and Tschirsich was one in a group of researchers who helped uncover a problem that would have effected election software.
The duo turned their attention to Christie’s “after an acquaintance asked them about how secure Christie’s service was. “Unfortunately, it only took us a few minutes to come across this serious vulnerability,” Tschirsich told the Post. “The vulnerability is so simple that it can be exploited by anyone with a browser within a few minutes.”
In a statement to ARTnews, Christie’s said it respects its “clients concerns about privacy and treats the protection of client information as a top priority.” The statement, which is identical to the one provided to the Washington Post, continued to say the auction house has a “comprehensive information security program” that protects against unauthorized access to client information and that representatives there “continuously assess” their security safeguards.
It’s unclear why, if notified in June, the vulnerability was corrected only last week after being contacted by the Post. Tschirsich told the Post that the “vulnerability is so simple that it can be exploited by anyone with a browser within a few minutes.” According to Zilch, “it actually takes only a few hours to temporarily close the vulnerability and two days to completely fix the problem.”