The Washington PostThe Washington Post

How a Christie's website revealed where people kept their art

By Max Hoppenstedt

21 Aug 2023 · 3 min read

informed Summary

  1. German cybersecurity researchers Martin Tschirsich and André Zilch have discovered a vulnerability in the British auction house Christie's website. The flaw allows anyone to see the exact location of items being sold, as images uploaded to the site often include precise GPS coordinates.

On a recent Wednesday evening, a university professor in a large town in western Germany was preparing several paintings to be sold through the British auction house Christie's. Using his iPhone, he took pictures of the inherited works at his home to upload to the company's website. Within a few weeks, the site promised, Christie's would give him an estimate of their value and tell him if it was interested in auctioning them.

But by uploading the images, he not only sent pictures of the pieces to Christie's, he also revealed their exact location for anyone to see online, according to two German cybersecurity researchers. Hundreds of other would-be Christie's clients, including Americans, were exposed to the same vulnerability, the two researchers, Martin Tschirsich and André Zilch, told The Washington Post.

Sign in to informed

  • Curated articles from premium publishers, ad-free
  • Concise Daily Briefs with quick-read summaries
  • Read, listen, save for later, or enjoy offline
  • Enjoy personalized content