More details on One Planet York app vulnerability don’t paint council in a good light

Graham Cluley


For the past 24 hours or so, my interest has been piqued by the curious story of how a vulnerability was found in the City of York council’s recycling app, and the council’s response to being told about the data-spilling flaw.

Now new information has come to light which makes it more difficult to defend some of the UK city’s actions and communications.

It appears that the initial discovery of the vulnerability was done by an unnamed employee of Leeds-based technology firm RapidSpike.

In a blog post, RapidSpike gives its side of the story denying the council’s claims that its employee failed to respond to the council’s questions (in fact, the firm claims, he responded within 18 minutes).

Compare what City of York council tweeted…

Council tweet

… to the email exchange shared by RapidSpike:

Emails

That looks to me like the person who found the vulnerability *was* responding to the council’s emails.

Vulnerability researcher 1. City of York Council 0.

Now let’s look at the actual vulnerability in the One Planet York app.

RapidSpike’s employee discovered that if anyone accessed the One Planet York app’s “Leaderboard” screen, the personal data of the app’s top ten users was sent to the app in plaintext. According to RapidSpike’s blog post, that included a wealth of sensitive information:

This personal data included the users’ name, email address, phone number, postal address, postcode and other sensitive information such as their hashed password (which appeared to be a SHA256 hash, at least) and that password’s salt.

Notice something? The vulnerability researcher didn’t have to do anything convoluted or sneaky to get the app to carelessly send unencrypted sensitive information to his smartphone. All he had to do was click on the app’s leaderboard and the information was sent.
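To make the over-exposure concrete, here is an added example (not the One Planet York app’s code, and not from RapidSpike) of a leaderboard endpoint that serialises whole user records, beside an allow-list version that sends only what the screen needs, plus a regression check for sensitive field names. The user records, field names and function names are constructed for the illustration.

```python
# Added example, not the app's code. Constructed sample records: a naive app
# that stores each user's contact details alongside a SHA-256 password hash
# and its salt, then ranks users by score for a "Leaderboard" screen.
import hashlib
import json
import os

def make_user(name, email, phone, address, postcode, password, score):
    """Build one constructed user record the way a careless app might store it."""
    salt = os.urandom(8).hex()
    return {
        "name": name, "email": email, "phone": phone,
        "address": address, "postcode": postcode,
        "password_hash": hashlib.sha256((salt + password).encode()).hexdigest(),
        "salt": salt, "score": score,
    }

USERS = [  # constructed sample data
    make_user("Alice Example", "alice@example.invalid", "01904 000001",
              "1 Sample St", "YO1 0AA", "hunter2", 120),
    make_user("Bob Example", "bob@example.invalid", "01904 000002",
              "2 Sample St", "YO1 0AB", "letmein", 95),
    make_user("Carol Example", "carol@example.invalid", "01904 000003",
              "3 Sample St", "YO1 0AC", "s3cret", 150),
]

# Fields the leaderboard screen has no business receiving.
SENSITIVE_FIELDS = {"email", "phone", "address", "postcode", "password_hash", "salt"}

def leaderboard_vulnerable(users, top_n=10):
    """Over-exposure: rank the records and return them verbatim."""
    ranked = sorted(users, key=lambda u: u["score"], reverse=True)[:top_n]
    return json.dumps(ranked)

def leaderboard_hardened(users, top_n=10):
    """Allow-list projection: only rank, display name and score leave the server."""
    ranked = sorted(users, key=lambda u: u["score"], reverse=True)[:top_n]
    return json.dumps([{"rank": i + 1, "name": u["name"], "score": u["score"]}
                       for i, u in enumerate(ranked)])

def leaked_fields(response_json):
    """Regression check: sensitive field names present in a response body."""
    found = set()
    for entry in json.loads(response_json):
        found |= SENSITIVE_FIELDS & set(entry)
    return sorted(found)

if __name__ == "__main__":
    print("vulnerable response leaks:", leaked_fields(leaderboard_vulnerable(USERS)))
    print("hardened response leaks:", leaked_fields(leaderboard_hardened(USERS)))
```

The `leaked_fields` check is the kind of test that belongs in the API's test suite, so a later change to the user model cannot quietly widen what the endpoint returns.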

By that logic, if the researcher was guilty of “deliberate and unauthorised access” then so should anybody else who was running the app.

We need to arrest all of York! Or at least the app’s nearly 6000 users.

Vulnerability researcher 2. City of York Council 0.

To be fair, I do think some of the actions taken by the council were good ones. They withdrew the app, contacted users, told them to change their passwords, and informed the ICO. Maybe they were even justified in contacting the police in case others might have abused the sloppily-coded app to extract citizens’ personal information.

But what York council seems to have done wrong is present the incident as though a vulnerability researcher wasn’t doing everything in their power to be responsible and get a serious problem fixed as soon as possible.

Graham Cluley is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s when he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows. Now an independent security analyst, he regularly makes media appearances and is an international public speaker on the topic of computer security, hackers, and online privacy. Follow him on Twitter at @gcluley, or drop him an email.

One Reply to “More details on One Planet York app vulnerability don’t paint council in a good light”

  1. Basically they were using the researcher as a scapegoat, hoping that the attention being caused by egg on their faces could be distracted by claims that the researcher was a malicious hacker. Very sad. I also suspect that the people making the decisions probably hadn't got a clue what was going on and, as you say, performed a typical knee-jerk reaction.
