The council have sent a letter, obtained by the York Press, out to all users of the application to inform them of the breach stating that: “We have conducted a thorough review of the One Planet York app, we have deleted all links with the app and as a result, will no longer support it going forward.”
“We have deleted it from our website and asked for it to be removed from the app stores and ask that you now delete it from your device,” the letter advises.
Rapidspike York Disclosure
Rapidspike comment in a blog post that their: “Developer identified a significant security vulnerability with the One Planet York app: it was sending the personal details of its users to other users of the app, whenever the ‘Leaderboard’ page was selected.”
“Accessing the app ‘Leaderboard’ screen caused the API to push the app’s top-ten users’ personal data, in plain text, to the app.”
“We must be really clear at this point: our developer did not manipulate any requests. The app simply transmitted this personal data as a response to the GET request for the ‘Leaderboard’ page. This personal data was sent to any user of the app when they browsed that page.”
Rapidspike discovered the vulnerability on the 26th of October and reported it to the One Planet application team on the 27th of October.
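To illustrate the class of flaw Rapidspike describe (a leaderboard endpoint serialising whole user records to any client that requests the page), here is an added Python example; it is not code from the One Planet York app, and the user fields and sample records are constructed assumptions. It places the over-exposing handler beside an allow-listed version and includes a response check that flags any field outside the allow list.

```python
"""Excessive data exposure in a leaderboard API: vulnerable vs. hardened.

Constructed example; the record layout and sample users are assumptions,
not data from the One Planet York app.
"""
from dataclasses import dataclass, asdict

# The only fields a public leaderboard has a legitimate need to show.
PUBLIC_FIELDS = frozenset({"display_name", "points"})


@dataclass
class User:
    display_name: str
    points: int
    email: str           # assumed PII field
    postcode: str        # assumed PII field
    date_of_birth: str   # assumed PII field


# Constructed sample records.
USERS = [
    User("alice", 920, "alice@example.org", "YO1 7HH", "1990-01-01"),
    User("bob", 870, "bob@example.org", "YO10 5DD", "1985-06-30"),
    User("carol", 990, "carol@example.org", "YO24 1AA", "1978-11-12"),
]


def leaderboard_vulnerable(users, top_n=10):
    """Serialises entire user records: every stored field reaches every client."""
    ranked = sorted(users, key=lambda u: u.points, reverse=True)[:top_n]
    return [asdict(u) for u in ranked]


def leaderboard_hardened(users, top_n=10):
    """Builds a response object containing only allow-listed fields."""
    ranked = sorted(users, key=lambda u: u.points, reverse=True)[:top_n]
    return [{k: v for k, v in asdict(u).items() if k in PUBLIC_FIELDS}
            for u in ranked]


def leaked_fields(response):
    """Review check: returns any response field that is not on the allow list.

    Run this against the endpoint's real output in a test or in CI so that
    a future change to the user model cannot silently widen the response.
    """
    leaked = set()
    for entry in response:
        leaked |= set(entry) - PUBLIC_FIELDS
    return sorted(leaked)
```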
Commenting in an emailed statement to Computer Business Review, Martin Thorpe, Enterprise Security Architect at Venafi, said that: “This is a serious breach, with thousands of people having their personal data put at risk.”
“Unfortunately, hacks of this kind are rising year on year, though; York is certainly not alone. There are now over 15.5 billion apps in the UK, often containing very personal information – from health data to financials. Yet developers are often more focused on features and usability than on security. In a bid to increase speed to market, developers are prioritising convenience and failing to build security in from the ground up.”
This article is from the CBROnline archive: some formatting and images may not be present.