Check the update at the end of this article to discover what really happened.
The popular BBC News smartphone app appears to have been hijacked, or at least its “Breaking News” feature, by mischief-makers who are popping up messages on users’ devices.
NYPD Twitter campaign ‘backfires’ after hashtag hijacked. Push sucks! Pull blows! BREAKING NEWS No nudity in latest episode of Game of Thrones!!! MORE BREAKING NEWS IIIIIII like testing
This is a breaking news story and the BBC News app will bring you updates as they are available
Chances are that the app itself has not been hacked, but it’s possible pranksters have managed to exploit the way in which the BBC feeds in breaking news alerts to push them out to the app’s userbase. Nevertheless, it’s embarrassing, and it’s easy to imagine how such a flaw could be exploited to scare users into making bad decisions.
Another real possibility is that someone inside the BBC was testing the system and, umm, didn’t realise their message would be seen by the outside world.
I guess we should be grateful that (so far at least) the messages seem to be more designed to amuse. As if there would ever be an episode of Game of Thrones without some gratuitous nudity…
Update: The BBC has confirmed that the messages were sent in error.
We apologise for previous two test push notifications which were sent in error to BBC News app subscribers
— BBC News (UK) (@BBCNews) June 25, 2014
Here is their latest “breaking news” alert:
We apologise for previous two test push notifications from BBC News which were sent in error
One lesson to learn is that if you are testing systems, you should always use innocuous “TEST” messages rather than ones which could be misinterpreted, or lead observers (including me!) to think you might have been hacked.
It’s good to know that the app hasn’t been compromised, and this is just the BBC goofing up in a fairly harmless way. Hopefully they will be more careful next time.
And yes, I am losing that game of chess…
3 comments on “BBC News app hijacked? Bogus breaking news alerts posted”
Already confirmed to have been sent by mistake… why would you report it's been hijacked?? It's not like the message was something bad and pointed to a hijack.
Thanks Mike, I was updating the article in pretty much real-time as some folks were freaking out about the BBC alert.
My initial post was six minutes before the BBC confirmed what was really going on.
Summary below this block of text…
I'll refute (sort of) your suggestion TEST. Instead of doing that they can do better. Especially easy seeing as how ISPs love making customers pay for static IPs so that they can conserve their allocated IPs so that we can make IPv6 even slower (because around, what, 20 years, is too short!). But even then the fact there are private IP blocks (even before ISPs started handing out dynamic IPs) for private use means this option is possible. And realistically you can do the same with IPv6. In fact, I do it with both IPv4 and IPv6 (seeing as how IPv6 is so large it isn't exactly hard to slice off a subnet for "private" use… and with proper firewalling/etc it is more or less private anyway). The idea is this: you make use of DNS servers' (let's give the example of BIND) functionality of 'views' (as BIND calls it). Essentially an acl (access control list for those who don't know) which states: if source IP is from this block (let's say 10.0.0.0/8) then resolve to THIS set of IPs. If not, resolve to THOSE IPs. And more generally, you can not only (in private namespace) have your own TLD (top level domain for those who don't know). So rather than test things on a public network why not test it on a private network? I have for example two versions of one of my websites (or more specifically a test alias for a virtual host in web server config).
Summary for those who need/want it:
Of course this might not always apply but there is ALWAYS a way to have a staging setup for this type of thing. Basically you have a test environment so that you CAN see how it looks or test whatever you need but only you and those you want to, will see it, no one else.
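The split-horizon DNS setup described in the comment above, sketched as a BIND `named.conf` fragment. This is an added example, not part of the original article or its comments; the zone name, file paths, host name and addresses are assumptions chosen for illustration, and only the 10.0.0.0/8 block comes from the comment.

```conf
// named.conf fragment (constructed example). Zone name, file paths and
// host names are assumptions; 10.0.0.0/8 is the block named in the comment.

acl "staging-net" {
    10.0.0.0/8;            // private block used by the test environment
};

// Views are evaluated in order and the first match-clients hit wins,
// so the restricted view must come before the catch-all.
view "internal" {
    match-clients { "staging-net"; };
    recursion yes;         // internal clients may use this server as a resolver

    zone "example.com" {
        type master;
        file "zones/internal/example.com.zone";
        // this copy of the zone would hold, for example:
        //   push  IN A  10.20.0.15   ; staging push gateway
    };
};

view "external" {
    match-clients { any; };
    recursion no;          // authoritative answers only for outside clients
    allow-transfer { none; };

    zone "example.com" {
        type master;
        file "zones/external/example.com.zone";
        // this copy of the zone would hold, for example:
        //   push  IN A  192.0.2.15   ; production push gateway
    };
};
```

Once any view is defined, every zone statement has to live inside a view, which `named-checkconf` will flag if missed. The view only changes what a name resolves to, so the staging host still needs its own firewall rules to stay unreachable from outside the private block.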