Did UK city council over-react to a vulnerability report in its recycling app or not?

Police called, but this doesn't sound like a criminally-minded hack to me.


Earlier this month, the council of the British city of York contacted users of its One Planet York app, warning that an unauthorised third party had accessed their personal information, including name, address, postcode, email address and telephone number, alongside their “encrypted password.”

The One Planet York app, which aimed to improve the city’s environmental performance by providing recycling advice and a bin collection calendar for residents, was said to contain an API vulnerability that could allow unauthorised parties to access personal data.

According to City of York Council, the app was permanently withdrawn and users were advised to remove it from their smartphones and change their passwords. According to BBC News, almost 6000 people could be affected by the data breach which, the council said, had been reported to the police.

Notification letter to app users.

It’s a story we’ve heard before, right? Bad guy hacks service. Grabs lots of personal data with the possible intention of scamming innocent users, or breaking into their other online accounts. Cops on the trail…

Well, not so fast.

Because if you read a little deeper, you find out just how the council discovered its app had a security hole:

How did City of York Council become aware of the breach?
A third party, who we believe was behind the deliberate unauthorised access, shared a small, redacted sample of the information they had extracted. Their email stated they provided this information to make us aware of the issue and enable us to address it.

That’s not a huge amount of detail, but that sounds very much like a vulnerability researcher discovered a security hole in an app used by thousands of people, and reported the problem privately and responsibly.

So what has happened to the data now? The City of York Council says it can’t be sure, but attempts to reassure users that the person who contacted them appeared to be publicly-spirited rather than criminally-minded.

Where is the breached data now?
We cannot say for certain what the third party responsible has done with the data. They notified us of the vulnerability and have not requested anything in return which suggests they are someone who looks for data vulnerabilities in the public interest. We have requested they securely delete all traces of the data from their systems and advise you to follow the guidance set out below.

Some in the computer security community feel that the council over-reacted by reporting the incident to the police. See this tweet from HaveIBeenPwned’s Troy Hunt, for instance.

And I agree that this particular wording in the notification letter to users does feel uncomfortable:

“We have notified the police of this deliberate and unauthorised access by a third party.”

It’s not as though anything in that sentence is untrue. It *was* deliberate access, and it was done without the permission of the council. But the implication is that it was also done with criminal intent.

Words matter.

After all, the last thing we want is to strike fear into security researchers that responsibly disclosing vulnerabilities might lead to their collar being felt.

But was informing the cybercrime-fighting authorities necessarily inappropriate? I’m not sure it was.

On Twitter, the council said that it attempted to discuss the security incident with the person who informed them (and to understand their actions) but received no reply.

Council tweet

Ask yourself this: if you were a public body that had apparently left thousands of citizens’ personal information exposed for unauthorised parties to access, wouldn’t you think it better to cover all your bases, rather than cross your fingers and hope things will turn out alright?

Even if the vulnerability reporter had no intention of exploiting the vulnerable data, who was to say that others might not have taken advantage of the same security hole with malicious intent?

Maybe the advisory to One York App’s users could have been written more carefully, but I’m not sure, from what has been disclosed publicly so far, that they really did anything else that was seriously wrong in their handling of this incident.

For its part, North Yorkshire Police’s Digital Investigation & Intelligence Unit today sent out a positive message reinforcing its belief that the researcher had acted properly and that responsible vulnerability disclosure was an important part of security.

The story, it seems, is this: guy found software vulnerability in app, app withdrawn, users advised to change their passwords in an abundance of caution.

Let’s hope that no-one else exploited the vulnerability, and that rather than devoting too much time to beating up City of York Council we devote a little more effort to wondering what other vulnerable apps might be out there that could be leaking innocent users’ data.

Update November 27 2018: More details on One Planet York app vulnerability don’t paint council in a good light
