The UK Conservative party is learning a hard lesson about the importance of basic security measures in mobile apps. Users discovered that anyone could log into the party’s conference app using only an attendee’s email address, which then gave access to that attendee’s registration details. And when many of the conference participants are politicians who registered with their publicly listed Parliament email addresses… you can guess what happened next.
Users entered the email addresses of prominent politicians, including Michael Gove and Boris Johnson, and promptly saw details such as mobile phone numbers. In some cases, people went further and edited that data: one person changed Johnson’s photo to a pornographic image, while another replaced Gove’s portrait with that of his former boss Rupert Murdoch. It was harder to reach the records of people who weren’t politicians, but they were just as exposed to anyone who could obtain their email addresses.
CrowdComms, the Australian company behind the app, pushed an update that removed the login feature to curb further abuse. The Conservatives, meanwhile, said they were “investigating the issue further.” While it’s not certain who decided on password-free sign-ins, many have criticized the party for a lack of review that might have caught such a glaring flaw before the app went live. This was easily avoidable, and the exposed phone numbers may have consequences lasting well beyond the conference.
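The flaw described above, as an added illustration rather than CrowdComms’ or the party’s actual code: an email-only sign-in, where the address is the only “credential”, next to a hardened variant in which the address is merely the channel for a short-lived, HMAC-bound, one-time login code. The attendee records, the server key, the 600-second lifetime and all function names are constructed for this example.

```python
import hashlib
import hmac
import secrets
import time

# Constructed sample attendee records (not real registration data).
ATTENDEES = {
    "first.mp@example.org": {"name": "First MP", "phone": "+44 7700 900001", "photo": "first.jpg"},
    "second.mp@example.org": {"name": "Second MP", "phone": "+44 7700 900002", "photo": "second.jpg"},
}
SESSIONS = {}  # session token -> email


def vulnerable_login(email):
    """Email-only sign-in: the address is the only thing checked.

    Email addresses are public identifiers, so this is a database lookup,
    not authentication. Anyone who knows the address gets a session.
    """
    if email not in ATTENDEES:
        return None
    token = secrets.token_hex(16)
    SESSIONS[token] = email
    return token


def update_photo(session_token, new_photo):
    """Profile edit gated only on holding a session token (any origin)."""
    email = SESSIONS.get(session_token)
    if email is None:
        raise PermissionError("not logged in")
    ATTENDEES[email]["photo"] = new_photo
    return ATTENDEES[email]


# Hardened variant: the address only tells the app where to send a one-time
# login code; presenting that code proves control of the mailbox.
SERVER_KEY = secrets.token_bytes(32)  # hypothetical server-side secret
CODE_TTL = 600                        # seconds a code stays valid (assumption)
USED_NONCES = set()


def _mac(email, expiry, nonce):
    msg = f"{email}|{expiry}|{nonce}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def issue_login_code(email, now=None):
    """Build the code the mail server would deliver to `email`.

    In a real deployment this value goes only into the outbound email; the
    HTTP response to the requester is identical whether or not the address
    is registered, so the login form cannot be used to enumerate attendees.
    """
    now = int(time.time() if now is None else now)
    expiry = now + CODE_TTL
    nonce = secrets.token_hex(8)
    return f"{expiry}.{nonce}.{_mac(email, expiry, nonce)}"


def hardened_login(email, code, now=None):
    """Exchange email + emailed code for a session; None on any failure."""
    now = int(time.time() if now is None else now)
    try:
        expiry_s, nonce, mac = code.split(".")
        expiry = int(expiry_s)
    except ValueError:
        return None
    # Constant-time compare. The MAC covers the address, so a code issued
    # for one attendee cannot be used to log in as another.
    if not hmac.compare_digest(mac.encode(), _mac(email, expiry, nonce).encode()):
        return None
    if now > expiry or nonce in USED_NONCES or email not in ATTENDEES:
        return None
    USED_NONCES.add(nonce)  # one-time use: a leaked or replayed code fails
    token = secrets.token_hex(16)
    SESSIONS[token] = email
    return token


if __name__ == "__main__":
    victim = "first.mp@example.org"
    # An attacker who knows only the address:
    print("email-only login succeeds:", vulnerable_login(victim) is not None)
    print("hardened login without the emailed code:", hardened_login(victim, "guess") is not None)
```

A password or passkey would serve the same purpose; the point is that the app must demand something the public email address alone does not supply. Even the hardened flow is only as strong as the attendee’s mailbox and still wants rate limiting on code requests.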
It’s let me log in as Boris Johnson, and just straight up given me all the details used for his registration pic.twitter.com/fLNC06azx7
— Dawn Foster (@DawnHFoster) September 29, 2018
Source: Dawn Foster (Twitter), Guardian