Security Flaw In Conservative Party App Let Public Log In As Government Officials
Ever wanted to live the exciting life of a senior UK government minister? For a little while last month, you could pretend to be one after the Conservative Party released a phone app for its annual conference. A security flaw in the app allowed anyone to log in as an attendee of the event simply by entering that attendee's email address.
Guardian columnist Dawn Foster discovered the security hole on September 29 and publicized it on Twitter by demonstrating how she had been able to log into the app as Boris Johnson, former mayor of London and more recently Secretary of State for Foreign and Commonwealth Affairs.
"It's let me login as Boris Johnson, and just straight up given me all the details used for his registration," Foster wrote. "I'm the most tech illiterate person alive, and I've done this, imagine there are plenty more security bugs."
The app, developed by the Australian company CrowdComms, contained personal information for everyone registered to attend the Conservative Party Conference, including party officials, members of parliament, diplomats, guest speakers, and journalists. Anyone accessing a user account via the security flaw would have been able to view their personal phone number and other private data.
The only thing required to access a registrant's account was their email address, and many lawmakers registered with government email addresses that are known to the public. Some politicians had their information posted to the web or altered within the app before CrowdComms was able to fix it. Reportedly, at least two cabinet ministers received prank phone calls, and other politicians had their profile photos changed to something embarrassing.
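To make the weakness concrete, here is an added illustration that is not CrowdComms' code and makes no claim about how the real app was built. It places a minimal "email is the whole credential" login next to a hardened version that requires a per-attendee access code delivered out of band, compares it in constant time, locks the account after repeated failures, and returns an opaque session token instead of the registration record. All attendee names, emails, phone numbers and codes are constructed placeholders.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional


@dataclass
class Attendee:
    email: str
    name: str
    phone: str
    code_hash: bytes  # SHA-256 of a per-attendee access code sent out of band


def hash_code(code: str) -> bytes:
    return hashlib.sha256(code.encode("utf-8")).digest()


# Constructed sample registrants (placeholder identities, not real people).
REGISTRANTS = {
    "minister@example.gov.uk": Attendee(
        "minister@example.gov.uk",
        "Placeholder Minister",
        "+44 20 0000 0000",
        hash_code("K7Q2-M9XT-4HBD"),
    ),
}


def login_email_only(email: str) -> Optional[Attendee]:
    """The weak pattern described in the article: a publicly known email
    address alone unlocks the full registration record."""
    return REGISTRANTS.get(email)


MAX_FAILURES = 5
_failures: dict = {}   # email -> consecutive failed attempts
_sessions: dict = {}   # opaque token -> email


def login_with_code(email: str, code: str) -> Optional[str]:
    """Hardened login: require a secret the public does not know, compare it
    in constant time, lock out after repeated failures, and hand back a
    session token rather than the attendee's data."""
    if _failures.get(email, 0) >= MAX_FAILURES:
        return None  # locked; indistinguishable from a bad credential
    attendee = REGISTRANTS.get(email)
    # Always perform a comparison so response timing does not reveal
    # whether the email address is registered.
    expected = attendee.code_hash if attendee else hash_code("")
    ok = hmac.compare_digest(expected, hash_code(code)) and attendee is not None
    if not ok:
        _failures[email] = _failures.get(email, 0) + 1
        return None
    _failures.pop(email, None)
    token = secrets.token_urlsafe(32)
    _sessions[token] = email
    return token


def profile_for_session(token: str) -> Optional[Attendee]:
    """Only a valid session token, never a bare email, reaches the record."""
    email = _sessions.get(token)
    return REGISTRANTS.get(email) if email else None
```

The design point is that an identifier the world already knows (a ministerial email address) can never serve as proof of identity; the server must demand something secret, refuse to leak whether an address exists, and throttle guessing. In a real deployment the access code would be issued at registration and the session store would live outside process memory.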
After Foster tweeted her findings, a representative of the Conservative Party addressed the breach, saying: "The technical issue has been resolved and the app is now functioning securely. We are investigating the issue further and apologise for any concern caused."
The Information Commissioner's Office, which oversees matters of digital privacy in the UK, also spoke out and announced that they would be making their own inquiries. "Organisations have a legal duty to keep personal data safe and secure," they wrote in a blog post on their website. "Under the GDPR they must notify the ICO within 72 hours of becoming aware of a personal data breach."