ChargeGuardUKJoin the list
All posts
Data & security3 min read

How a URL-enumeration flaw can expose parking records

Not every data exposure is a dramatic hack. Some of the most common come from a simple weakness: a web address that quietly trusts whatever record number you put in it.

Reports in 2025 described this pattern affecting parking customer records. The safest way to describe it is a broken-access-control, or URL-enumeration, weakness.

1. You open your own invoice

invoice.example/record/1001

2. You change the record number in the address

invoice.example/record/1002

3. Someone else's invoice loads

A different customer's details are shown

What this measures: A broken-access-control (URL-enumeration) pattern. The addresses and details below are fabricated placeholders, not real data.

Source: heise online, May 2025

Because the page checks the record number but not who is asking, changing one digit can reveal a stranger's information. The reports referred to affected records in Germany, Denmark, Poland and Ireland. The operator's wider airport work gives context, but does not establish that every system was affected.

We have used invented placeholders throughout. No real address, number plate or personal detail is shown, and none should be when writing about a flaw like this.

Want to stay ahead of charges like these?

ChargeGuard is a private reminder for UK road charges. No card linked, no number plate shared.