BBC News app hijacked? Bogus breaking news alerts posted

Check the update at the end of this article to discover what really happened.

The popular BBC News smartphone app appears to have been hijacked, or at least its "Breaking News" feature, by mischief-makers who are popping up messages on users' devices.

BBC News app

NYPD Twitter campaign 'backfires' after hashtag hijacked. Push sucks! Pull blows! BREAKING NEWS No nudity in latest episode of Game of Thrones!!! MORE BREAKING NEWS IIIIIII like testing

This is a breaking news story and the BBC News app will bring you updates as they are available

Chances are that the app itself has not been hacked, but it's possible pranksters have managed to exploit the way in which the BBC feeds breaking news alerts into the system that pushes them out to the app's userbase. Nevertheless, it's embarrassing, and it's easy to imagine how such a flaw could be exploited to scare users into making bad decisions.

Another real possibility is that someone inside the BBC was testing the system and, umm, didn't realise their message would be seen by the outside world.

I guess we should be grateful that (so far at least) the messages seem to be more designed to amuse. As if there would ever be an episode of Game of Thrones without some gratuitous nudity...

Update: The BBC has confirmed that the messages were sent in error.

Here is their latest "breaking news" alert:

BBC apologises

We apologise for previous two test push notifications from BBC News which were sent in error

One lesson to learn: if you are testing systems, always use innocuous "TEST" messages rather than ones which could be misinterpreted, or which lead observers (including me!) to think you might have been hacked.

It's good to know that the app hasn't been compromised, and this is just the BBC goofing up in a fairly harmless way. Hopefully they will be more careful next time.

And yes, I am losing that game of chess...



3 Responses

  1. Mike

    June 25, 2014 at 10:49 am

    Already confirmed to have been sent by mistake… why would you report it's been hijacked?? It's not like the message was something bad and pointed to a hijack.

    • Graham Cluley in reply to Mike.

      June 25, 2014 at 10:59 am

      Thanks Mike, I was updating the article in pretty much real-time as some folks were freaking out about the BBC alert.

      My initial post was six minutes before the BBC confirmed what was really going on.

  2. Coyote

    June 26, 2014 at 12:24 am

    Summary below this block of text…
    I'll refute (sort of) your suggestion of TEST. Instead of doing that they can do better. Especially easy seeing as how ISPs love making customers pay for static IPs so that they can conserve their allocated IPs so that we can make IPv6 even slower (because around, what, 20 years, is too short!). But even then the fact there are private IP blocks (even before ISPs started handing out dynamic IPs) for private use means this option is possible. And realistically you can do the same with IPv6. In fact, I do it with both IPv4 and IPv6 (seeing as how IPv6 is so large it isn't exactly hard to slice off a subnet for "private" use… and with proper firewalling/etc it is more or less private anyway). The idea is this: you make use of DNS servers' (let's give the example of BIND) functionality of 'views' (as BIND calls it). Essentially an acl (access control list for those who don't know) which states: if the source IP is from this block (let's say 10.0.0.0/8) then resolve to THIS set of IPs. If not, resolve to THOSE IPs. And more generally, you can not only (in a private namespace) have your own TLD (top level domain for those who don't know). So rather than test things on a public network why not test it on a private network? I have for example two versions of one of my websites (or more specifically a test alias for a virtual host in web server config).

    Summary for those who need/want it :
    Of course this might not always apply but there is ALWAYS a way to have a staging setup for this type of thing. Basically you have a test environment so that you CAN see how it looks or test whatever you need but only you and those you want to, will see it, no one else.
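One way to build the split-horizon setup Coyote describes, as an added example that is not the commenter's own configuration nor anything from the BBC: a BIND 9 `named.conf` with two views plus the two zone files they load. The domain `example.test`, the file names and the 10.0.0.0/8 and 203.0.113.0/24 addresses are constructed placeholders.

```conf
# /etc/named.conf (constructed example)
# Testers on the private 10/8 block (and the resolver host itself) match this acl.
acl staging { 10.0.0.0/8; localhost; };

options {
    directory "/var/named";
    recursion no;           # authoritative-only; no open recursion
};

# Views are tried in order and the first match-clients hit wins,
# so the private view must come before the catch-all public one.
view "staging" {
    match-clients { staging; };
    zone "example.test" {
        type master;
        file "db.example.test.staging";
    };
};

view "public" {
    match-clients { any; };
    zone "example.test" {
        type master;
        file "db.example.test.public";
    };
};

; /var/named/db.example.test.staging (only answered to the staging acl)
$TTL 300
@    IN SOA ns1.example.test. hostmaster.example.test. ( 2014062501 3600 900 604800 300 )
     IN NS  ns1.example.test.
ns1  IN A   10.0.0.53
www  IN A   10.0.0.80       ; staging web server, unreachable from outside

; /var/named/db.example.test.public (what the rest of the world sees)
$TTL 300
@    IN SOA ns1.example.test. hostmaster.example.test. ( 2014062501 3600 900 604800 300 )
     IN NS  ns1.example.test.
ns1  IN A   203.0.113.53
www  IN A   203.0.113.80    ; production web server
```

A quick check after reloading is to query `www.example.test` from a 10/8 host and from an outside one (`dig @ns1.example.test www.example.test`) and confirm the answers differ; if the private address ever leaks to an external query, the acl or the view order is wrong.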
