Guardian newspaper columnist Dawn Foster posted images on Twitter this weekend showing how she was able to log in to the official Conservative party conference app as Boris Johnson, until recently the UK Foreign Secretary. No password was required to log in to the app; all that was needed was an email address, and once in, all of the user's registration details were accessible. In the case of Alexander Boris de Pfeffel Johnson (yes, that is his real name), that meant contact details such as his mobile phone number. It also meant that the logged-in user could then post messages and comments in the account holder's name.

The Conservative party issued a statement on Saturday which apologised for "any concern caused" and confirmed that "the technical issue has been resolved and the app is now functioning securely." However, that was not before Boris Johnson's profile image had been changed to a pornographic one and that of Environment Secretary Michael Gove swapped for a picture of Rupert Murdoch. Some ministers, and other MPs, apparently reported receiving nuisance calls following the app breach.

The Information Commissioner's Office has confirmed that it is investigating the incident, and could bite the Tories with a large fine. Under the EU General Data Protection Regulation (GDPR), which the app stated it complied with in its privacy policy, that could be in the millions.

You may well think that this particular breach is somewhat small fry, rather than big fish, in terms of the numbers of people and type of data exposed. And you'd be right, were it not that some of the people whose details have been shared online are very big fish indeed within the Conservative party and the UK Government. This means that the political fallout could be more problematic than the regulatory financial consequences, especially when you consider the push for more regulation of social networks, law enforcement access to encrypted data and the like, from the direction of, erm, the Tories. One has to wonder how they are proposing to keep all the data collected by increased snooping powers safe when they cannot even secure something as relatively simple, and distinctly small, as a conference app.

About the Author

A freelance technology journalist for 30 years, I have been a Contributing Editor at PC Pro (one of the best-selling computer magazines in the UK) for most of them. As well as currently contributing to Forbes.com, The Times and Sunday Times via Raconteur Special Reports, SC Magazine UK, Digital Health, IT Pro and Infosecurity Magazine, I am also something of a prolific author. My last book, Being Virtual: Who You Really are Online, was published in 2008 as part of the Science Museum TechKnow Series by John Wiley & Sons. I am also the only three-time winner (2006, 2008, 2010) of the BT Information Security Journalist of the Year title, and was humbled to be presented with the ‘Enigma Award’ for a ‘lifetime contribution to information security journalism’ in 2011 despite my life being far from over...
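
The login flaw the article describes (an email address alone accepted as proof of identity) set beside a login that requires proof of mailbox control and an ownership check on profile reads. This is an added example, not part of the original article and not the conference app's code; every name, the in-memory stores and the sample user are constructed assumptions.

```python
import hashlib
import secrets
import time

USERS = {"minister@example.org": {"phone": "+44 0000 000000"}}  # constructed sample data
PENDING = {}     # sha256(token) -> (email, expiry); only the hash is stored
SESSIONS = {}    # session id -> email
TOKEN_TTL = 600  # seconds a login token stays valid (assumed value)

def login_email_only(email):
    """The flaw as described: knowing the address is enough to get a session."""
    if email not in USERS:
        return None
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = email
    return sid

def request_login(email, now=None):
    """Step 1: mint a single-use token that is delivered only to the mailbox."""
    now = time.time() if now is None else now
    if email not in USERS:
        return None  # the UI should answer identically either way
    token = secrets.token_urlsafe(32)
    PENDING[hashlib.sha256(token.encode()).hexdigest()] = (email, now + TOKEN_TTL)
    return token  # a real service emails this; it never goes back to the requester

def complete_login(token, now=None):
    """Step 2: issue a session only for a known, unexpired, unused token."""
    now = time.time() if now is None else now
    entry = PENDING.pop(hashlib.sha256(token.encode()).hexdigest(), None)  # pop = single use
    if entry is None or now > entry[1]:
        return None
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = entry[0]
    return sid

def get_profile(sid, email):
    """Authorisation: a session may read only its own registration details."""
    if SESSIONS.get(sid) != email:
        raise PermissionError("not authorised for this profile")
    return USERS[email]
```
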

Does logging in to a system that requires no password count as "hacking"?

A funny hack would be to change all the attendee photos to Boris Yeltsin. Well that would have been a hoot.

I can share that, in my few encounters with political parties, they tend to be cheap when it comes to web works. It shows at times.

Does logging in to a system that requires no password count as "hacking"?

You may well have a point there ;-)

Does logging in to a system that requires no password count as "hacking"?

There was a case a while ago where two men discovered that they could manipulate a video poker machine by pressing buttons in a very specific sequence. They were charged with hacking when they won a pile of money but their lawyer successfully argued that they were legally entitled to press the buttons in any sequence they wanted.

happygeek commented: Boris and Rees-Mogg? +16
rproffitt commented: Ah, our recent political convention. +15
Reverend Jim commented: Quit clowning around ^_^ +15
pty 867

And these clowns want companies to add backdoors and to circumvent encryption. I hope the GDPR gives them a nice kick up the arse while we embarrass ourselves on the world stage by leaving the EU.

rproffitt commented: Sounds like The Clash to me. +15