November 29, 2018updated 03 Dec 2018 4:06pm

RapidSpike Identify Themselves as White Hats in the York Council Breach

"Accessing the app ‘Leaderboard’ screen caused the API to push the app’s top-ten users’ personal data, in plain text, to the app"

By CBR Staff Writer

Leeds-based digital security enterprise Rapidspike have identified one of their developers as the ethical hacker who exposed the vulnerability in a York Council application.

The company contacted York Council to show how they had accessed the data belonging to nearly 6,000 Yorkshire residents through a York Council application.

The One Planet York application was designed to help residents in York find out the bin collection dates, while also providing recycling advice.

The City of York Council have stated that the application contained 5,994 records which stored information such as user phone numbers, addresses and encrypted passwords.

The council have sent a letter, obtained by the York Press, out to all users of the application to inform them of the breach stating that: “We have conducted a thorough review of the One Planet York app, we have deleted all links with the app and as a result, will no longer support it going forward.”

“We have deleted it from our website and asked for it to be removed from the app stores and ask that you now delete it from your device,” the letter advises.

Rapidspike York Disclosure

Rapidspike commented in a blog post that their “Developer identified a significant security vulnerability with the One Planet York app: it was sending the personal details of its users, to other users of the app, whenever the ‘Leaderboard’ page was selected.”


“Accessing the app ‘Leaderboard’ screen caused the API to push the app’s top-ten users’ personal data, in plain text, to the app.”

“We must be really clear at this point: our developer did not manipulate any requests. The app simply transmitted this personal data as a response to the GET request for the ‘Leaderboard’ page. This personal data was sent to any user of the app when they browsed that page.”
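The failure Rapidspike describe is a classic excessive-data-exposure bug: the server answered an ordinary, unmodified GET for a ranking page by serialising whole user records instead of the two fields a leaderboard needs. The following is an added illustration, not code from Rapidspike, the council or the One Planet York app; the user fields, the sample users and the function names are all assumptions constructed for the example. It shows the leaky pattern beside a hardened handler that builds its response from an explicit allow-list, plus a small check that a reviewer or CI job can run over any list-of-records response to confirm no personal fields are present.

```python
from dataclasses import dataclass, asdict


@dataclass
class User:
    """One app user record. Field names are an assumption for this example."""
    user_id: int
    display_name: str
    email: str
    phone: str
    address: str
    password_hash: str
    points: int


# Constructed sample data for the example; not real residents or real hashes.
USERS = [
    User(1, "alice", "alice@example.invalid", "01904 000001", "1 Example St, York", "hash-placeholder-1", 120),
    User(2, "bob", "bob@example.invalid", "01904 000002", "2 Example St, York", "hash-placeholder-2", 340),
    User(3, "carol", "carol@example.invalid", "01904 000003", "3 Example St, York", "hash-placeholder-3", 75),
    User(4, "dana", "dana@example.invalid", "01904 000004", "4 Example St, York", "hash-placeholder-4", 210),
]

# Fields that must never be returned to a user other than the record's owner.
PII_FIELDS = frozenset({"email", "phone", "address", "password_hash"})


def top_users(users, n=10):
    """Rank users by points, highest first, and keep the top n."""
    return sorted(users, key=lambda u: u.points, reverse=True)[:n]


def leaderboard_unsafe(users, n=10):
    """The pattern the article describes: the handler serialises the whole
    user record, so every caller of the ranking page receives the top users'
    contact details and password hashes."""
    return [asdict(u) for u in top_users(users, n)]


def leaderboard_safe(users, n=10):
    """Hardened form: the response is assembled from an explicit allow-list of
    public fields, so adding a new column to User can never widen the API."""
    return [
        {"rank": rank, "display_name": u.display_name, "points": u.points}
        for rank, u in enumerate(top_users(users, n), start=1)
    ]


def leaked_pii_fields(payload):
    """Return the set of PII field names that appear anywhere in a
    list-of-dicts response. An empty set means the response is clean; this is
    the kind of assertion to run over API responses in a test suite."""
    found = set()
    for row in payload:
        found |= PII_FIELDS & set(row)
    return found


if __name__ == "__main__":
    print("unsafe response leaks:", sorted(leaked_pii_fields(leaderboard_unsafe(USERS))))
    print("safe response leaks:  ", sorted(leaked_pii_fields(leaderboard_safe(USERS))))
    for row in leaderboard_safe(USERS):
        print(row)
```

The point of `leaderboard_safe` is that it never touches the record as a whole: a serialiser that starts from the full object and tries to strip fields will leak the next sensitive column someone adds, whereas an allow-list only ever grows when a developer deliberately exposes something.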

Rapidspike discovered the vulnerability on the 26th of October and reported it to the One Planet application team on the 27th of October.


Commenting in an emailed statement to Computer Business Review, Martin Thorpe, Enterprise Security Architect at Venafi, said that: “This is a serious breach, with thousands of people having their personal data put at risk.”

“Unfortunately, hacks of this kind are rising year on year though; York is certainly not alone. There are now over 15.5 billion apps in the UK, often containing very personal information – from health data to financials. Yet developers are often more focused on features and usability than on security. In a bid to increase speed to market, developers are prioritising convenience and failing to build security in from the ground up.”
