❌

Normal view

Private health records of half a million Britons offered for sale on Chinese website

Technology minister tells Commons β€˜de-identified’ information from UK Biobank advertised for sale on Alibaba

The confidential health records of half a million British volunteers have been offered for sale on Chinese website Alibaba, the UK government has confirmed.

The β€œde-identified” data, belonging to participants in the UK Biobank project, was found for sale on three separate listings last week. Ian Murray, the technology minister, told the Commons on Thursday that, after working with the Chinese government and Alibaba, the records had now been removed. It is not believed any sales were made.

Continue reading...

Β© Photograph: Dave Guttridge/UK Biobank/PA

Β© Photograph: Dave Guttridge/UK Biobank/PA

Β© Photograph: Dave Guttridge/UK Biobank/PA

VU#748485: Unauthenticated configuration modification vulnerability in Central Office Services - Content Hosting Component

Overview

A security flaw exists in the configuration management endpoint of the DRC INSIGHT software, allowing an unauthenticated user with access to the same network as the server to modify the server’s configuration file. This could enable data exfiltration, traffic redirection, or service disruption. DRC has acknowledged this vulnerability, tracked as CVE-2026-5756, and resolved it in Version 9.2, which is now available to clients. The patch will be included and deployed automatically with subsequent releases.

Description

Data Recognition Corporation (DRC) provides software for test proctoring, including the web-based DRC INSIGHT platform. A component of this platform, Central Office Services (COS), is typically deployed on a school or district local area network to host and distribute testing content to student devices.

COS uses a unified API router that serves both public content functions, such as exam delivery, and administrative functions, without meaningful separation between content-serving APIs and management APIs. The /v0/configuration administrative endpoint is accessible to systems on the same network as the COS server without authentication or origin validation. Any unauthenticated user or compromised device with network access to the server may submit requests that modify the server’s configuration file. The endpoint accepts and persists user-supplied JSON payloads without validating content, checking authorization, or verifying the safety of requested configuration changes. DRC has confirmed this issue and addressed it in Version 9.2.

Impact

Exploitation could allow an attacker to exfiltrate student data by overwriting storage configuration values or credentials so that test artifacts, responses, or audio recordings are sent to attacker-controlled external services instead of intended DRC-managed destinations. An attacker could also intercept or manipulate outbound traffic by inserting a malicious httpsProxy setting, causing HTTPS communications with DRC validation or content services to pass through an attacker-controlled proxy. In addition, malformed JSON, invalid port bindings, or incorrect service endpoints could disrupt operations by preventing the server from starting or interfering with active assessments.

Mitigations

Coordination with the vendor was unsuccessful prior to resolution, and no patch was available at the time of initial disclosure. Organizations that have not yet upgraded should restrict network access to the COS server by placing it on a dedicated, isolated network segment accessible only to trusted administrative systems. Student and guest networks should not be permitted to reach the server. Host-based or network firewalls should be used to restrict access to the /v0/configuration endpoint, ideally limiting access to localhost or specifically authorized administrative IP addresses. Outbound network traffic should be restricted to approved destinations, such as DRC infrastructure, and monitored for unexpected connections to unknown storage services or proxy endpoints. Administrators should enable logging and monitoring capable of detecting requests to the /v0/configuration endpoint, unauthorized configuration changes, and unusual outbound traffic patterns. Services should run with least privilege, with write access to configuration files limited wherever possible. Signed backups of configuration files should be maintained and their integrity verified before restoration or redeployment.

With the release of Version 9.2, the recommended action is immediate upgrade. Clients currently running affected versions should coordinate with DRC support to apply the patch without delay.

Acknowledgments

Thanks to Caen Jones for responsibly disclosing this vulnerability.
Document prepared by Timur Snoke with the assistance of AI.

Vendor Information

One or more vendors are listed for this advisory. Please reference the full report for more information.

Other Information

CVE IDs: CVE-2026-5756
Date Public: 2026-04-23
Date First Published: 2026-04-23
Date Last Updated: 2026-05-26 13:26 UTC
Document Revision: 2
❌