For the past 24 hours or so, my interest has been piqued by the curious story of how a vulnerability was found in the City of York council’s recycling app, and the council’s response to being told about the data-spilling flaw.
Now new information has come to light which makes it more difficult to defend some of the UK city’s actions and communications.
It appears that the initial discovery of the vulnerability was done by an unnamed employee of Leeds-based technology firm RapidSpike.
In a blog post, RapidSpike gives its side of the story denying the council’s claims that its employee failed to respond to the council’s questions (in fact, the firm claims, he responded within 18 minutes).
Compare what City of York council tweeted…
… to the email exchange shared by RapidSpike:
That looks to me like the person who found the vulnerability *was* responding to the council’s emails.
Vulnerability researcher 1. City of York Council 0.
Now let’s look at the actual vulnerability in the One Planet York app.
RapidSpike’s employee discovered that whenever anyone opened the One Planet York app’s “Leaderboard” screen, the backend sent the app the full stored records of the top ten users, unredacted. According to RapidSpike’s blog post, that included a wealth of sensitive information:
This personal data included the users’ name, email address, phone number, postal address, postcode and other sensitive information such as their hashed password (which appeared to be a SHA256 hash, at least) and that password’s salt.
Notice something? The vulnerability researcher didn’t have to do anything convoluted or sneaky to get the backend to carelessly send unredacted sensitive information to the app on his smartphone. All he had to do was tap the app’s leaderboard and the information was sent. A leaderboard needs a display name and a score per user; everything else in that response had no business leaving the server.
By that logic, if the researcher was guilty of “deliberate and unauthorised access”, then so is anybody else who ran the app and opened the leaderboard.
We need to arrest all of York! Or at least the app’s nearly 6000 users.
Vulnerability researcher 2. City of York Council 0.
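The pattern described above is an over-exposing API: the leaderboard screen needs two fields per user, but the endpoint serialises the whole stored record. The following is an added example in Python, not code from the One Planet York app or from RapidSpike, built on constructed sample users. It shows the vulnerable serializer beside an allowlist-based fix, a scanner a tester can run over any decoded JSON response to flag fields a screen should never receive, and why a leaked salt plus hash matters (anyone holding them can guess passwords offline). The field names, the `sha256(salt + password)` construction, the fixed salts and the candidate password list are all assumptions made for the demo; the page only says the hash appeared to be SHA-256 and that the salt was disclosed alongside it.

```python
"""Over-exposing leaderboard endpoint, hardened version, and a response scanner.

Added worked example; not the One Planet York code. Sample data is constructed.
"""
import hashlib
import json


def _make_user(display_name, email, phone, address, postcode, password, points, salt):
    # ASSUMPTION: the app stored sha256(salt + password); the page only says
    # the leaked value "appeared to be a SHA256 hash" with its salt.
    pw_hash = hashlib.sha256((salt + password).encode()).hexdigest()
    return {
        "display_name": display_name,
        "email": email,
        "phone": phone,
        "address": address,
        "postcode": postcode,
        "password_hash": pw_hash,
        "salt": salt,
        "points": points,
    }


# Constructed sample records in the shape the post describes (fake people).
SAMPLE_USERS = [
    _make_user("Alice Example", "alice@example.org", "01904 000001",
               "1 Example Street", "YO1 1AA", "password1", 1200, "a1b2c3d4"),
    _make_user("Bob Example", "bob@example.org", "01904 000002",
               "2 Example Street", "YO1 1AB", "hunter2", 950, "e5f6a7b8"),
    _make_user("Carol Example", "carol@example.org", "01904 000003",
               "3 Example Street", "YO1 1AC", "Tr0ub4dor&3", 1500, "c9d0e1f2"),
]


def leaderboard_vulnerable(users, limit=10):
    """The flaw: sort by score and hand back every stored field per user."""
    return sorted(users, key=lambda u: u["points"], reverse=True)[:limit]


# The fix: an explicit allowlist of what the leaderboard screen actually needs.
LEADERBOARD_FIELDS = ("display_name", "points")


def leaderboard_fixed(users, limit=10):
    """Same ranking, but only the allowlisted fields ever leave the server."""
    top = sorted(users, key=lambda u: u["points"], reverse=True)[:limit]
    return [{k: u[k] for k in LEADERBOARD_FIELDS} for u in top]


# Keys a tester would flag if they turned up in a leaderboard response.
SENSITIVE_KEYS = {"email", "phone", "address", "postcode", "password_hash", "salt"}


def find_sensitive_fields(obj, path=""):
    """Walk a decoded JSON value and return the paths of any sensitive keys."""
    hits = []
    if isinstance(obj, dict):
        for key, value in obj.items():
            here = f"{path}.{key}" if path else key
            if key in SENSITIVE_KEYS:
                hits.append(here)
            hits.extend(find_sensitive_fields(value, here))
    elif isinstance(obj, list):
        for i, value in enumerate(obj):
            hits.extend(find_sensitive_fields(value, f"{path}[{i}]"))
    return hits


def guess_password(pw_hash, salt, candidates):
    """Why the leak matters: with salt and hash in hand, guessing is offline.

    SHA-256 is fast, so a weak password falls in moments. Returns the matching
    candidate or None. Uses the same assumed sha256(salt + password) scheme.
    """
    for candidate in candidates:
        if hashlib.sha256((salt + candidate).encode()).hexdigest() == pw_hash:
            return candidate
    return None


if __name__ == "__main__":
    # Round-trip through JSON to mimic what the app would actually receive.
    leaked = json.loads(json.dumps(leaderboard_vulnerable(SAMPLE_USERS)))
    print("vulnerable response exposes:", find_sensitive_fields(leaked))
    print("fixed response exposes:", find_sensitive_fields(leaderboard_fixed(SAMPLE_USERS)))
    alice = SAMPLE_USERS[0]
    print("guessed from leaked salt+hash:",
          guess_password(alice["password_hash"], alice["salt"], ["letmein", "password1"]))
```

Run it against a real endpoint by replacing `leaked` with `json.loads(response.text)`; a non-empty list from `find_sensitive_fields` is the finding. The allowlist in `leaderboard_fixed` is the point: serialising a model and hoping nothing sensitive is in it is how this class of leak happens, whereas naming the fields a screen may receive fails safe when a new column is added later.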
To be fair, I do think some of the actions taken by the council were good ones. They withdrew the app, contacted users, told them to change their passwords, and informed the ICO. Maybe they were even justified in contacting the police in case others had abused the sloppily-coded app to extract citizens’ personal information.
But what York council seems to have done wrong is present the incident as though a vulnerability researcher wasn’t doing everything in their power to be responsible and get a serious problem fixed as soon as possible.
Basically they were using the researcher as a scapegoat hoping that the attention being caused by egg on their faces could be distracted by claims that the researcher was a malicious hacker. Very sad. I also suspect that the people making the decisions probably hadn't got a clue what was going on and as you say performed a typical knee jerk reaction.