Did UK city council over-react to a vulnerability report in its recycling app or not?

Police called, but this doesn’t sound like a criminally-minded hack to me.

Graham Cluley
Graham Cluley
@
@[email protected]
@gcluley

Did UK city council over-react to a vulnerability report in its recycling app or not?

Earlier this month, the council of the British city of York contacted users of its One Planet York app, warning that an unauthorised third-party had accessed their personal information including name, addresses, postcode, email addresses, and telephone number, alongside their “encrypted password.”

The One Planet York app, which aimed to improve the city’s environmental performance by providing recycling advice and a bin collection calendar for residents, was said to contain an API vulnerability that could allow unauthorised parties to access personal data.

According to City of York Council, the app was permanently withdrawn and users were advised to remove it from their smartphones and change their passwords. According to a BBC News, almost 6000 people could be affected by the data breach which, the council said, had been reported to the police.

Notification letter to app users. Click for a larger version.
Notification letter to app users. Click for a larger version.

It’s a story we’ve heard before, right? Bad guy hacks service. Grabs lots of personal data with the possible intention of scamming innocent users, or breaking into their other online accounts. Cops on the trail…

Well, not so fast.

Because if you read a little deeper, you find out just how the council discovered its app had a security hole:

How did City of York Council become aware of the breach?
A third party, who we believe was behind the deliberate unauthorised access, shared a small, redacted sample of the information they had extracted. Their email stated they provided this information to make us aware of the issue and enable us to address it.

That’s not a huge amount of detail, but that sounds very much like a vulnerability researcher discovered a security hole in an app used by thousands of people, and reported the problem privately and responsibly.

So what has happened to the data now? The City of York Council says it can’t be sure, but attempts to reassure users that the person who contacted them appeared to be publicly-spirited rather than criminally-minded.

Where is the breached data now?
We cannot say for certain what the third party responsible has done with the data. They notified us of the vulnerability and have not requested anything in return which suggests they are someone who looks for data vulnerabilities in the public interest. We have requested they securely delete all traces of the data from their systems and advise you to follow the guidance set out below.

Some in the computer security community feel that the council over-reacted by reporting the incident to the police. See this tweet from HaveIBeenPwned’s Troy Hunt, for instance.

And I agree that this particular wording in the notification letter to users does feel uncomfortable:

“We have notified the police of this deliberate and unauthorised access by a third party.”

It’s not as though anything in that sentence is untrue. It *was* deliberate access, and it was done without the permission of the council. But the implication is that it was also done with criminal intent.

Words matter.

After all, the last thing we want is to strike fear into security researchers that responsibly disclosing vulnerabilities might lead to their collar being felt.

But was informing the cybercrime-fighting authorities necessarily inappropriate? I’m not sure it was.

Sign up to our free newsletter.
Security news, advice, and tips.

On Twitter, the council said that it attempted to discuss the security incident with the person who informed them (and to understand their actions) but received no reply.

Council tweet

Ask yourself this, if you were a public body who had apparently left thousands of citizens’ personal information exposed for unauthorised parties to access – wouldn’t you think it’s better to cover all your bases, rather than cross your fingers and hope things will turn out alright?

Even if the vulnerability reporter had no intention of exploiting the vulnerable data, who was to say that others might not have taken advantage of the same security hole with malicious intent?

Maybe the advisory to One York App’s users could have been written more carefully, but I’m not sure – from what has been disclosed publicly so far – that they really did anything else that wrong in their handling of this incident.

For its part, North Yorkshire Police’s Digital Investigation & Intelligence Unit today sent out a positive message reinforcing its belief that the researcher had acted properly and that responsible vulnerability disclosure was an important part of security.

The story it seems is this: Guy found software vulnerability in app, app withdrawn, users advised to change their passwords in an abundance of caution.

Lets hope that no-one else exploited the vulnerability, and rather than devoting too much time on beating up City of York Council we devote a little more effort into wondering what other vulnerable apps might be out there that could be leaking innocent users’ data.

Update November 27 2018: More details on One Planet York app vulnerability don’t paint council in a good light


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.

What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.