PSA. Don’t share your password in your app’s release notes


Excited to watch the Guardians of the Galaxy Vol 3 at the cinema, or see what all the fuss is around The Super Mario Bros Movie?

Maybe you’ll leap onto your smartphone, and click on the MyOdeon app to find out what films are playing at your local flicks.

Oh! The OdeonUK app has just been updated… I wonder what new features it has?

Release notes for latest version of MyOdeon app.

What’s New
Version 5.09.500

Updated text
Added Delete function to the app Click on menu> then click on my profile> click on update your details > Delete account> you get a delete warning > then click yes
To test delete function please use this login account and delete
Email: [email protected]
Password: Odeon1234!

Err… that looks awfully like the credentials for a test account, and – if I’m not very much mistaken – “Odeon1234!” is a really very dumb password indeed.

My guess is that this username and password combo was supposed to remain private, and only used by Odeon’s internal technical staff – rather than shared with hundreds of thousands of movie buffs.


Hopefully there’s no serious harm done by this, but all app developers should take care about what they post in their release notes – just in case it accidentally leaks any helpful information to ne’er-do-wells.
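One way to catch this before a release goes out, as an added example that is not from the original post or from Odeon: a pre-publish check that scans release-notes text for labelled credentials and login instructions, redacting the values it reports. The regex rules, the name `lint_release_notes` and the sample notes (with a constructed email address and password) are assumptions of this sketch.

```python
import re
import sys

# Heuristic rules (assumptions of this example, not a complete secret scanner).
SECRET_LABEL = re.compile(
    r"\b(password|passwd|pwd|passcode|secret|api[ _-]?key|token)\s*[:=]\s*(\S+)", re.I)
EMAIL = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
LOGIN_HINT = re.compile(r"\b(use|with)\b.*\b(login|account|credentials)\b", re.I)

# Constructed sample modelled on the release notes quoted above;
# the email address and password are placeholders.
SAMPLE_NOTES = """What's New
Version 5.09.500

Updated text
Added Delete function to the app
To test delete function please use this login account and delete
Email: tester@example.invalid
Password: Example1234!
"""

def lint_release_notes(text, window=2):
    """Return sorted (line_number, rule, redacted_line) findings; [] means pass."""
    lines = text.splitlines()
    findings, secret_lines = [], []
    for no, line in enumerate(lines, 1):
        m = SECRET_LABEL.search(line)
        if m:
            secret_lines.append(no)
            # Never echo the secret itself into CI logs.
            redacted = line[:m.start(2)] + "<redacted>"
            findings.append((no, "labelled-secret", redacted.strip()))
        elif LOGIN_HINT.search(line):
            findings.append((no, "login-instruction", line.strip()))
    # An email address close to a labelled secret is a full credential pair.
    for no, line in enumerate(lines, 1):
        if EMAIL.search(line) and any(abs(no - s) <= window for s in secret_lines):
            findings.append(
                (no, "account-id-near-secret", EMAIL.sub("<redacted>", line).strip()))
    return sorted(findings)

if __name__ == "__main__":
    # Reads the notes from stdin in a pipeline; falls back to the sample on a terminal.
    notes = SAMPLE_NOTES if sys.stdin.isatty() else sys.stdin.read()
    results = lint_release_notes(notes)
    for no, rule, excerpt in results:
        print(f"line {no}: {rule}: {excerpt}")
    sys.exit(1 if results else 0)  # non-zero exit blocks the release job
```

Run as a gate in the release pipeline, a non-zero exit stops the store submission until someone has reviewed the flagged lines.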

Hat-tip: Thanks to Fiasco on Twitter for bringing Odeon’s curious release notes to my attention.

Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.
