Leeds-based digital security enterprise Rapidspike have identified one of their developers as the ethical hacker who exposed the vulnerability in a York Council application.
The company contacted York Council to show how they had accessed the data belonging to nearly 6,000 Yorkshire residents through a Yorkshire Council application.
The One Planet York application was designed to help residents in York find out the bin collection dates, while also providing recycling advice.
City of York Council have stated that the application contained 5,994 records which stored information such as user phone numbers, addresses and encrypted passwords.
The council have sent a letter, obtained by the York Press, to all users of the application to inform them of the breach. It states: “We have conducted a thorough review of the One Planet York app, we have deleted all links with the app and as a result, will no longer support it going forward.”
“We have deleted it from our website and asked for it to be removed from the app stores and ask that you now delete it from your device,” the letter advises.
Rapidspike York Disclosure
Rapidspike commented in a blog post that their “developer identified a significant security vulnerability with the One Planet York app: it was sending the personal details of its users, to other users of the app, whenever the ‘Leaderboard’ page was selected.”
“Accessing the app ‘Leaderboard’ screen caused the API to push the app’s top-ten users’ personal data, in plain text, to the app.”
“We must be really clear at this point: our developer did not manipulate any requests. The app simply transmitted this personal data as a response to the GET request for the ‘Leaderboard’ page. This personal data was sent to any user of the app when they browsed that page.”
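The failure Rapidspike describes is an API that builds its leaderboard response straight from the stored user records, so every column in the row reaches any caller of the GET endpoint. The following is an added example, not code from Rapidspike, the council or the app: the constructed records, field names and the two handler functions are assumptions used to show the over-exposing pattern beside an allow-list projection, plus a small response audit a team can run in tests or as an egress check on endpoints that serve data about other users.

```python
"""Leaderboard over-exposure: a vulnerable handler beside a hardened one.

Added example, not the app's own code. The user records, field names and
handler functions below are constructed for illustration.
"""
import json

# Constructed user records; the password hashes are placeholder strings.
USERS = [
    {"id": 1, "display_name": "recycler42", "score": 910,
     "phone": "07700 900001", "address": "1 Example St, York",
     "password_hash": "$2b$12$placeholder1"},
    {"id": 2, "display_name": "bin_day_hero", "score": 870,
     "phone": "07700 900002", "address": "2 Example St, York",
     "password_hash": "$2b$12$placeholder2"},
    {"id": 3, "display_name": "green_yorkie", "score": 650,
     "phone": "07700 900003", "address": "3 Example St, York",
     "password_hash": "$2b$12$placeholder3"},
]

# Fields that must never appear in a response shown to other users.
SENSITIVE_FIELDS = {"phone", "address", "password_hash", "email"}


def leaderboard_vulnerable(users, top_n=10):
    """Mirrors the flaw described in the article: the handler sorts the
    stored records and serialises them whole, so phone, address and the
    password hash of each top user are sent to whoever requests the page."""
    ranked = sorted(users, key=lambda u: u["score"], reverse=True)[:top_n]
    return json.dumps(ranked)


def leaderboard_hardened(users, top_n=10):
    """Explicit projection: the response is built from an allow-list of
    public fields, never from the storage record itself."""
    ranked = sorted(users, key=lambda u: u["score"], reverse=True)[:top_n]
    public = [
        {"rank": i + 1, "display_name": u["display_name"], "score": u["score"]}
        for i, u in enumerate(ranked)
    ]
    return json.dumps(public)


def leaked_fields(body):
    """Response audit: return the set of sensitive field names that appear
    anywhere in a JSON response body (nested objects and lists included)."""
    found = set()

    def walk(node):
        if isinstance(node, dict):
            for key, value in node.items():
                if key in SENSITIVE_FIELDS:
                    found.add(key)
                walk(value)
        elif isinstance(node, list):
            for item in node:
                walk(item)

    walk(json.loads(body))
    return found


if __name__ == "__main__":
    print("vulnerable leaks:", sorted(leaked_fields(leaderboard_vulnerable(USERS))))
    print("hardened leaks:  ", sorted(leaked_fields(leaderboard_hardened(USERS))))
    print(leaderboard_hardened(USERS))
```

The hardened handler is deliberately written as an allow-list rather than a deny-list: a new column added to the user table later (an email address, say) stays out of the response by default, whereas a deny-list would leak it until someone remembered to add it. `leaked_fields` is the check that would have caught the original defect in a unit test before release.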
Rapidspike discovered the vulnerability on the 26th of October and reported it to the One Planet application team on the 27th of October.
Commenting in an emailed statement to Computer Business Review, Martin Thorpe, Enterprise Security Architect at Venafi, said that: “This is a serious breach, with thousands of people having their personal data put at risk.”
“Unfortunately, hacks of this kind are rising year on year though; York is certainly not alone. There are now over 15.5 billion apps in the UK, often containing very personal information – from health data to financials. Yet developers are often more focused on features and usability than on security. In a bid to increase speed to market, developers are prioritising convenience and failing to build security in from the ground up.”