Guardian newspaper columnist Dawn Foster posted images on Twitter this weekend showing how she was able to log in to the official Conservative party conference app as Boris Johnson, until recently the UK Foreign Secretary. No password was required to log in to the app; all that was needed was an email address. Once in, all the details of that user's registration were accessible. So, in the case of Alexander Boris de Pfeffel Johnson (yes, that is his real name), that meant contact details such as his mobile phone number. It also meant that the logged-in user could then post messages and comments in the account holder's name.
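The flaw described above, next to one way of closing it, as an added example (not code from the app or its developers): an email-only login beside a flow that releases the profile only for a single-use token delivered to that mailbox. The user record, the `OUTBOX` stand-in for mail delivery, the function names and the ten-minute lifetime are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

# Constructed sample data; not taken from the app described in the article.
USERS = {"minister@example.org": {"name": "A. Minister", "mobile": "+44 0000 000000"}}
OUTBOX = {}      # stands in for e-mail delivery: address -> last token sent
_PENDING = {}    # address -> (sha256 of token, expiry timestamp)
TOKEN_TTL = 600  # seconds (assumed lifetime)


def login_email_only(email):
    """The flaw as reported: knowing an address is treated as proof of identity."""
    return USERS.get(email)


def request_login(email, now=None):
    """Hardened step 1: mail a single-use token; reveal nothing to the caller."""
    now = time.time() if now is None else now
    if email in USERS:
        token = secrets.token_urlsafe(32)
        digest = hashlib.sha256(token.encode()).hexdigest()
        _PENDING[email] = (digest, now + TOKEN_TTL)  # store only the hash
        OUTBOX[email] = token  # only the mailbox owner can read this
    # Same reply whether or not the address exists, so it cannot be used
    # to find out who is registered.
    return "If that address is registered, a sign-in link has been sent."


def complete_login(email, token, now=None):
    """Hardened step 2: the profile is released only for a valid, unexpired token."""
    now = time.time() if now is None else now
    # pop(): any attempt, right or wrong, consumes the pending token,
    # so a token cannot be guessed repeatedly or replayed.
    digest, expiry = _PENDING.pop(email, (None, 0))
    if digest is None or now > expiry:
        return None
    supplied = hashlib.sha256(token.encode()).hexdigest()
    if not hmac.compare_digest(digest, supplied):
        return None
    return USERS[email]
```
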


The Conservative party issued a statement on Saturday which apologised for "any concern caused" and confirmed that "the technical issue has been resolved and the app is now functioning securely." However, not before Boris Johnson's profile image had been changed to a pornographic one and that of Environment Secretary, Michael Gove, swapped for a picture of Rupert Murdoch. Some ministers, and other MPs, apparently reported receiving nuisance calls following the app breach.

The Information Commissioner's Office has confirmed that it is investigating the incident, and could bite the Tories with a large fine. Under the EU General Data Protection Regulation (GDPR), which the app stated it complied with in its privacy policy, that could be in the millions.


You may well think that this particular breach is somewhat small fry, rather than big fish, in terms of the numbers of people and type of data exposed. And you'd be right, were it not that some of the people whose details have been shared online are very big fish indeed within the Conservative party and the UK Government. This means that the political fallout could be more problematical than the regulatory financial consequences. Especially when you consider the push for more regulation of social networks, law enforcement access to encrypted data and the like, from the direction of, erm, the Tories. One has to wonder how they are proposing to keep all the data collected by increased snooping powers safe when they cannot even secure such a relatively simple, and distinctly small, thing as a conference app.


About the Author

As Editorial Director and Managing Analyst with IT Security Thing I am putting more than two decades of consulting experience into providing opinionated insight regarding the security threat landscape for IT security professionals. As an Editorial Fellow with Dennis Publishing, I bring more than two decades of writing experience across the technology industry into publications such as Alphr, IT Pro and (in good old fashioned print) PC Pro. I also write for SC Magazine UK and Infosecurity, as well as The Times and Sunday Times newspapers. Along the way I have been honoured with a Technology Journalist of the Year award, and three Information Security Journalist of the Year awards. Most humbling, though, was the Enigma Award for 'lifetime contribution to IT security journalism' bestowed on me in 2011.

Does logging in to a system that requires no password count as "hacking"?

A funny hack would be to change all the attendee photos to Boris Yeltsin. Well that would have been a hoot.

I can share that, in the few encounters with political parties, they tend to be cheap when it comes to web works. It shows at times.

Does logging in to a system that requires no password count as "hacking"?

You may well have a point there ;-)

Does logging in to a system that requires no password count as "hacking"?

There was a case a while ago where two men discovered that they could manipulate a video poker machine by pressing buttons in a very specific sequence. They were charged with hacking when they won a pile of money but their lawyer successfully argued that they were legally entitled to press the buttons in any sequence they wanted.

And these clowns want companies to add backdoors and to circumvent encryption. I hope the GDPR gives them a nice kick up the arse while we embarrass ourselves on the world stage by leaving the EU.

commented: Sounds like The Clash to me. +15