Tory party conference app with ZERO login security hacked by pranksters

happygeek 0 1K Views

Guardian newspaper columnist Dawn Foster posted images on Twitter this weekend showing how she was able to login to the official Conservative party conference app as Boris Johnson, until recently the UK Foreign Secretary. Not only was there no password required to login to the app, all that was required was an email address, but once in all the details of user registration were accessible. So, in the case of Alexander Boris de Pfeffel Johnson (yes, that is his real name) that meant contact details such as his mobile phone number. It also meant that the logged in user could then post messages and comments in the account holders name.

app-attack01.jpg

The Conservative party issued a statement on Saturday which apologised for "any concern caused" and confirmed that "the technical issue has been resolved and the app is now functioning securely." However, not before Boris Johnson's profile image had been changed to a pornographic one and that of Environment Secretary, Michael Gove, swapped for a picture of Rupert Murdoch. Some ministers, and other MPs, apparently reported receiving nuisance calls following the app breach.

The Information Commissioner's Office has confirmed that it is investigating the incident, and bite the Tories with a large fine. Under the EU General Data Protection Regulation (GDPR), which the app stated it complied with in it's privacy policy, that could be in the millions.

app-attack02.jpg

You may well think that this particular breach is somewhat small fry, rather than big fish, in terms of the numbers of people and type of data exposed. And you'd be right, were it not that some of the people whose details have been shared online are very big fish indeed within the Conservative party and the UK Government. This means that the political fallout could be more problematical than the regulatory financial consequences. Especially when you consider the push for more regulation of social networks, law enforcement access to encrypted to data and the like, from the direction of, erm, the Tories. One has to wonder how they are proposing to keep all the data collected by increased snooping powers safe when they cannot even secure a relatively simple, and distinctly small, thing as a conference app.

app-attack03.jpg

Member Avatar for JamesCherrill
JamesCherrill 4,733 Most Valuable Poster

Does logging in to a system that requires no password count as "hacking"?

Member Avatar for rproffitt
rproffitt 2,565 "Nothing to see here."

A funny hack would be to change all the attendee photos to Boris Yeltsin. Well that would have been a hoot.

I can share that the few encounters with political parties is they tend to be cheap when it comes to web works. It shows at times.

Member Avatar for happygeek
happygeek 2,411 Most Valuable Poster

Does logging in to a system that requires no password count as "hacking"?

You may well have a point there ;-)

Member Avatar for Reverend Jim
Reverend Jim 4,780 Hi, I'm Jim, one of DaniWeb's moderators.

Does logging in to a system that requires no password count as "hacking"?

There was a case a while ago where two men discovered that they could manipulate a video poker machine by pressing buttons in a very specific sequence. They were charged with hacking when they won a pile of money but their lawyer successfully argued that they were legally entitled to press the buttons in any sequence they wanted.

Member Avatar for alan.davies
alan.davies 185 What's this?

DeTE3m6WkAA5Pbx.jpg

This post has no text-based content.
Reverend Jim commented: Quit clowning around ^_^ +15
rproffitt commented: Ah, our recent political convention. +15
happygeek commented: Boris and Rees-Mogg? +16
Member Avatar for pty
pty 882 Posting Pro

And these clowns want companies to add backdoors and to circumvent encryption. I hope the GPDR gives them a nice kick up the arse while we embarrass ourselves on the world stage by leaving the EU.

Edited by pty because: Change Europe to EU. Made it sound geographic!
rproffitt commented: Sounds like The Clash to me. +15
Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.

Edit Preview