More details on One Planet York app vulnerability don’t paint council in a good light

City of York council claimed researcher didn’t respond to their questions. But he did reply. Within 18 minutes.

Graham Cluley
Graham Cluley
@

 @grahamcluley.com
 @[email protected]

More details on One Planet York app vulnerability doesn't paint council in a good light

For the past 24 hours or so, my interest has been piqued by the curious story of how a vulnerability was found in the City of York council’s recycling app, and the council’s response to being told about the data-spilling flaw.

Now new information has come to light which makes it more difficult to defend some of the UK city’s actions and communications.

It appears that the initial discovery of the vulnerability was done by an unnamed employee of Leeds-based technology firm RapidSpike.

Sign up to our free newsletter.
Security news, advice, and tips.

In a blog post, RapidSpike gives its side of the story denying the council’s claims that its employee failed to respond to the council’s questions (in fact, the firm claims, he responded within 18 minutes).

Compare what City of York council tweeted…

Council tweet

… to the email exchange shared by RapidSpike:

Emails

That looks to me like the person who found the vulnerability *was* responding to the council’s emails.

Vulnerability researcher 1. City of York Council 0.

Now let’s look at the actual vulnerability in the One Planet York app.

RapidSpike’s employee discovered that if anyone accessed the One Planet York app’s “Leaderboard” screen, personal data of the app’s top ten users were sent to the app in plaintext. According to RapidSpike’s blog post that included a wealth of sensitive information:

This personal data included the users’ name, email address, phone number, postal address, postcode and other sensitive information such as their hashed password (which appeared to be a SHA256 hash, at least) and that password’s salt.

Notice something? The vulnerability researcher didn’t have to do anything convoluted or sneaky to get the app to carelessly send unencrypted sensitive information to his smartphone. All he had to do was click on the app’s leaderboard and the information was sent.

By that logic, if the researcher was guilty of “deliberate and unauthorised access” then so should anybody else who was running the app.

We need to arrest all of York! Or at least the app’s nearly 6000 users.

Vulnerability researcher 2. City of York Council 0.

To be fair, I do think some of the actions taken by the council were good ones. They withdrew the app, contacted users, told them to change their passwords, informed the ICO. Maybe they were even justified in contacting the police in case others might have abused the sloppily-coded app to extract citizen’s personal information.

But what York council seems to have done wrong is present the incident as though a vulnerability researcher wasn’t doing everything in their power to be responsible and get a serious problem fixed as soon as possible.


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "The AI Fix" and "Smashing Security" podcasts. Follow him on Bluesky and Mastodon, or drop him an email.

One comment on “More details on One Planet York app vulnerability don’t paint council in a good light”

  1. Matthew Parkes

    Basically they were using the researcher as a scapegoat hoping that the attention being caused by egg on their faces could be distracted by claims that the researcher was a malicious hacker. Very sad. I also suspect that the people making the decisions probably hadn't got a clue what was going on and as you say performed a typical knee jerk reaction.

What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.