
Alert: Security Gaps Allow Bots to Exploit UK Driving Test Booking System
Booking a driving test in the UK is a crucial step for many learners, but scalpers are exploiting security gaps to monopolize appointment slots. The UK’s driving test booking system operates through a centralized platform, making it the primary gateway for securing a driving test. This means that any vulnerability in its security affects thousands of learners: it restricts fair access, delays their ability to obtain a license, and potentially puts their data at risk.
The website’s protection measures are subpar, with only selective bot mitigation in place on certain – but not all – endpoints. Automated bots are being used to book and resell appointment slots, making it harder for genuine candidates to secure an exam date. As a result, many individuals are forced to turn to third-party services that profit from these security weaknesses, further exacerbating the issue.
Security assessment
DataDome’s Advanced Threat Research team conducted a security assessment of the online driving test booking system, focusing on key areas of exploitation, including account creation, booking appointments, modifying booking details, and reservation cancellations.
DataDome identified several vulnerabilities in the system’s protection mechanisms:
- Partial bot protection: The site employs security measures, but only on select endpoints, leaving other areas exposed.
- Weak CAPTCHA implementation: A simple CAPTCHA is required at the beginning of the booking process, but once passed, there are no further checks.
- Ease of scalping exploitation: Using an open-source bot framework with minimal configuration and a CAPTCHA-solving service, the team successfully booked appointments.
  - Once the initial CAPTCHA challenge is passed, booking an appointment is straightforward. The process involves filling out a series of forms with personal information, including first and last name and driving license number.
  - While this initially suggests that scalping might be difficult, a key vulnerability allows easy exploitation: appointment details can be modified post-booking.
- Scalpers can easily modify booking details: This feature, originally intended for driving instructors to swap students if needed, is being exploited by scalpers.
  - By using a driving license number that follows the expected format (with no apparent validation), bots can secure appointments far into the future without interfering with real-time users.
  - Once a buyer purchases a slot, the scalper simply changes the booking details to reflect the new owner’s information. Additionally, since payments for bookings are refundable upon cancellation, there is minimal financial risk for scalpers who fail to resell slots.
- Appointment cancellations lack security measures: Cancellations can be done without additional verification, enabling scalpers to cancel unsold slots at no cost.
Implications & risks
- Unfair access to appointments: Genuine candidates face delays as scalpers hoard slots and resell them for profit, making it nearly impossible for many to secure a test date in a reasonable timeframe. Not only does this frustrate users, it damages the platform’s reputation and credibility.
- Mass exploitation: The only upfront cost to scalpers is the refundable booking fee, making mass exploitation feasible with little financial downside.
- Potential for fraudulent activity: The lack of verification when modifying bookings allows attackers to make unauthorized changes, which could lead to fraudulent transactions, impersonation risks, or even black-market operations where stolen identities are used to book and transfer appointments.
Recommendations
To mitigate these threats, the platform should implement:
- Advanced bot protection: Move beyond basic CAPTCHAs to real-time bot detection and mitigation.
- Stronger authentication measures: Require email or SMS verification when modifying booking details.
- Behavioral detection: Detect and block automated interactions based on typing speed and request frequency.
- Rate limiting: Enforce a booking queue to let legitimate users access time slots.
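As an added illustration (not DataDome's code or the booking platform's), the following Python sketch turns the behavioral-detection and request-frequency recommendations above, together with the holder-swap and free-cancellation pattern from the assessment, into detection rules run over a constructed booking-event log. The log format, client keys, licence placeholders and thresholds are all assumptions for the example.

```python
"""Scalping indicators over a constructed booking-event log (example only)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed events: time, client (session/IP key), action, booking id, licence
# holder. Licence values are placeholders, not real licence numbers.
SAMPLE_LOG = """\
2025-03-01T09:00:00 c1 create b1 LIC-0001
2025-03-01T09:00:03 c1 create b2 LIC-0002
2025-03-01T09:00:05 c1 create b3 LIC-0003
2025-03-01T09:00:08 c1 create b4 LIC-0004
2025-03-05T14:00:00 c1 modify b1 LIC-7781
2025-03-20T10:00:00 c1 cancel b2 LIC-0002
2025-03-01T10:15:00 c2 create b5 LIC-5120
2025-03-02T08:00:00 c2 modify b5 LIC-5120
"""

BURST_WINDOW = timedelta(seconds=60)   # assumed thresholds; tune per platform
BURST_COUNT = 3

def parse_log(text):
    """Parse whitespace-separated lines into event dicts, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, action, booking, licence = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "client": client,
                       "action": action, "booking": booking, "licence": licence})
    return sorted(events, key=lambda e: e["ts"])

def detect(events):
    """Return {client: sorted indicator names} for clients that trip a rule."""
    findings = defaultdict(set)
    creates = defaultdict(list)      # client -> timestamps of its bookings
    holder_at_create = {}            # booking -> licence supplied at booking time
    for e in events:
        c, a, b = e["client"], e["action"], e["booking"]
        if a == "create":
            holder_at_create[b] = e["licence"]
            creates[c].append(e["ts"])
            # Request-frequency rule: N bookings inside a sliding window.
            if sum(e["ts"] - t <= BURST_WINDOW for t in creates[c]) >= BURST_COUNT:
                findings[c].add("create_burst")
        elif a == "modify" and holder_at_create.get(b) not in (None, e["licence"]):
            findings[c].add("holder_swap")        # holder changed after booking
        elif a == "cancel" and "holder_swap" in findings[c]:
            findings[c].add("cancel_after_swap")  # unsold slot released for free
    return {c: sorted(f) for c, f in findings.items()}

def scan(text=SAMPLE_LOG):
    return detect(parse_log(text))
```

A real deployment would key clients on a device or session fingerprint rather than a bare IP, and would feed these indicators into the bot-mitigation layer rather than blocking on any single rule.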
Consumers can also play a role in curbing scalping. For example, platform users can:
- Report suspicious activity: If you come across services selling driving test slots at a premium or suspect bot activity, report it to the platform and relevant authorities.
- Support platform security improvements: Advocate for stronger anti-bot measures by providing feedback to the official booking site, urging them to enhance their security.
Conclusion
The current booking system allows bad actors to exploit security gaps with minimal effort. Without stronger protections, scalping bots will continue to manipulate availability, creating unnecessary obstacles for legitimate candidates. Strengthening security controls is essential to ensure fair access and protect user data from misuse.
*** This is a Security Bloggers Network syndicated blog from Blog – DataDome authored by DataDome. Read the original post at: https://datadome.co/threat-research/alert-security-gaps-allow-bots-to-exploit-uk-driving-test-booking-system/