Security flaw at Christie’s exposed location data of artwork owners sought to sell

On a recent Wednesday evening, a university professor in a large town in western Germany was preparing several paintings to be sold through the British auction house Christie’s. Using his iPhone, he took pictures of the inherited works at his home to upload to the company’s website. Within a few weeks, the site promised, Christie’s would give him an estimate of their value and tell him if it was interested in auctioning them.

But by uploading the images, he not only sent pictures of the pieces to Christie’s, he also revealed their exact location for anyone to see online, according to two German cybersecurity researchers. Hundreds of other would-be Christie’s clients, including Americans, were exposed to the same vulnerability, the two researchers, Martin Tschirsich and André Zilch, told The Washington Post.

The findings show how cybersecurity vulnerabilities aren’t just an issue for big tech companies, but for almost everyone as more and more business is transacted over the internet. As was the case with the professor, photos uploaded to Christie’s oftentimes include GPS coordinates for where they were taken; those coordinates are so precise that they reveal not just a street address but can even identify within a few feet exactly where inside a building a photo was taken. “Around 10 percent of the uploaded images contain exact GPS coordinates,” the researchers said.

At the end of July, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) warned generally about the kind of vulnerability the German researchers found. “[These vulnerabilities] have resulted in the compromise of personal, financial, and health information of millions of users and consumers,” CISA said in a joint statement with the National Security Agency and the Australian Cyber Security Center, without referring explicitly to any developments at the auction house.

Christie’s, which says it’s committed to treating personal data with the utmost care and security but has also been criticized for offering anonymity to clients, declined to answer questions about or confirm the researchers’ findings. “We continuously assess our security safeguards, thoroughly address issues relating to the security of our clients’ information, and comply with our legal and regulatory obligations,” the auction house said in a statement.

But the company seems to have taken steps to resolve the issue, according to the researchers, though only after being contacted about it by The Post. “It was only Tuesday when Christie’s appears to have implemented technical measures to close the vulnerability,” Tschirsich said. He said the researchers had informed Christie’s about the problem more than two months ago.

It is unclear if Christie’s has informed any of its clients about the security lapse. The German professor, who spoke on the condition of anonymity because he did not want to discuss a breach of his personal data that may have been easily accessible to everyone online, said Christie’s had not contacted him. He said he learned his artwork’s location had been made public from The Post. “Especially with a renowned house like Christie’s, I would not have expected that,” he said.

Tschirsich and Zilch say they had alerted Christie’s to what they called a “serious vulnerability” by the time the professor had uploaded his images. Messages viewed by The Post show they first told Christie’s of the vulnerability in June. An offer by the researchers to help resolve the difficulty was rejected by a Christie’s executive, according to records the researchers shared with The Post. “Thank you, but we do not require any advice or assistance,” the executive said, after confirming that the researchers’ findings had been forwarded to an internal security team.

“As cybersecurity researchers we were very surprised by this reaction,” Zilch said.

Some tech companies routinely pay a fee to researchers who reveal a vulnerability that on the black market could be worth an even higher prize. Larger companies also have what are called bug bounty programs to incentivize cybersecurity researchers to report flaws that can lead to breaches. However, Christie’s does not appear to advertise such a program.

Tschirsich and Zilch say they were not looking for a bounty or a job from Christie’s, but just wanted the company to fix a vulnerability that put users at risk. Both for years have probed systems for vulnerabilities with the goal of reporting them to companies and organizations, often free of charge. In the past, the two have identified vulnerabilities putting the health data of patients in Germany at risk. Tschirsich, together with other researchers, also uncovered problems in German election software that could have disrupted the counting of votes. Both problems were investigated for free and fixed after the researchers warned the affected organizations about them.

The German researchers took a look at Christie’s after an acquaintance asked them about how secure Christie’s service was. “Unfortunately, it only took us a few minutes to come across this serious vulnerability,” Tschirsich told The Post. “The vulnerability is so simple that it can be exploited by anyone with a browser within a few minutes.”

Tschirsich said Christie’s lack of a quick response surprised him. “It actually takes only a few hours to temporarily close the vulnerability and two days to completely fix the problem,” Zilch said.