A data breach notification from the City of York has gone awry as new details shed light on the incident, revealing a completely inappropriate response to a responsible disclosure of a vulnerability potentially affecting thousands of users.
On November 16, the City of York Council informed users of the One Planet York waste management mobile app that a third party had found a way to access sensitive information belonging to them, such as their name, address, email address, phone number, postcode and a hashed version of the login password, together with the salt used for it.
Rather than just taking the appropriate steps to minimize the danger to users, the council also reported the third party to the police for illegally accessing other individuals' personal information, despite stating that the individual who reported the problem asked for nothing in return and said that "they provided this information to make us aware of the issue and enable us to address it."
This breach notice from @CityofYork doesn’t feel good: are they saying they built a product with a vulnerability in it, someone reported it to them privately and now they’ve called the cops? Geez I hope not. pic.twitter.com/eQwyRwahf2— Troy Hunt (@troyhunt) November 26, 2018
The police did not treat the matter as a criminal offense since the details provided by the City of York clearly indicated that the report was made in good faith. It turned out that the disclosure came from a developer at tech company RapidSpike, who followed the responsible disclosure protocol from the City of York Council.
After researchers Troy Hunt and Scott Helme drew attention to the risk that the reporting party could face legal trouble for doing the right thing, the North Yorkshire Police's Digital Investigation & Intelligence Unit tweeted that the researcher had acted correctly.
@troyhunt @Scott_Helme We are aware of the York 'data breach' but please be reassured we don't regard this incident as criminal. We recognise the benefits of software vuln disclosure as part of a healthy security environment and the researcher has acted correctly.— N Yorks DIIU (@NYPDIIU) November 26, 2018
RapidSpike released a statement yesterday clarifying how things developed on their side. The vulnerability was a glaring privacy gap in the app's design that leaked the private details of One Planet York users to anyone using the app legitimately.
"Accessing the app ‘Leaderboard’ screen caused the API to push the app’s top-ten users’ personal data, in plain text, to the app," RapidSpike says.
The company emphasizes that despite having access to the password salt information, the developer did not use the data to compromise or access the Council's servers.
"We must be really clear at this point: our developer did not manipulate any requests. The app simply transmitted this personal data as a response to the GET request for the ‘Leaderboard’ page. This personal data was sent to any user of the app when they browsed that page."
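The flaw described above is an over-exposure bug: the API serialised whole user records for a screen that only needed a display name and a score. The following is an added example written for this article, not code from the One Planet York app or from RapidSpike. It uses constructed sample records and assumed field names, shows the exposed pattern beside an allowlist-based fix, and includes a check that a test suite can run against any client-facing payload to catch such leaks before release.

```python
"""Leaderboard response filtering: the over-exposure pattern beside its fix.

Constructed example, not the One Planet York code. The records below are
made-up sample data; the field names are assumptions about a typical user table.
"""
import json

# Constructed sample user records: what a backend might hold per account.
SAMPLE_USERS = [
    {"id": 1, "display_name": "greenbin42", "points": 910, "name": "A. Example",
     "email": "a@example.invalid", "phone": "01904 000001", "postcode": "YO1 0AA",
     "password_hash": "deadbeef" * 8, "password_salt": "c0ffee00" * 2},
    {"id": 2, "display_name": "recycler_jo", "points": 1250, "name": "J. Example",
     "email": "j@example.invalid", "phone": "01904 000002", "postcode": "YO1 0AB",
     "password_hash": "feedface" * 8, "password_salt": "0badf00d" * 2},
    {"id": 3, "display_name": "compost_kim", "points": 430, "name": "K. Example",
     "email": "k@example.invalid", "phone": "01904 000003", "postcode": "YO1 0AC",
     "password_hash": "cafebabe" * 8, "password_salt": "12345678" * 2},
]

# Fields the leaderboard screen actually needs. Anything not listed is dropped.
LEADERBOARD_FIELDS = ("display_name", "points")

# Fields that must never leave the server in any client-facing payload.
SENSITIVE_FIELDS = frozenset(
    {"name", "email", "phone", "postcode", "password_hash", "password_salt"}
)


def leaderboard_exposed(users, top_n=10):
    """Vulnerable pattern: serialise the stored records as-is.

    A GET to this endpoint returns every column, hashes and salts included,
    to any logged-in app user. This mirrors the flaw the article describes.
    """
    ranked = sorted(users, key=lambda u: u["points"], reverse=True)[:top_n]
    return json.dumps(ranked)


def leaderboard_hardened(users, top_n=10):
    """Fixed pattern: build the response from an allowlist of fields.

    Only named fields are copied out, so a column added to the user table
    later cannot leak through this endpoint by default.
    """
    ranked = sorted(users, key=lambda u: u["points"], reverse=True)[:top_n]
    payload = [
        {"rank": rank, **{field: user[field] for field in LEADERBOARD_FIELDS}}
        for rank, user in enumerate(ranked, start=1)
    ]
    return json.dumps(payload)


def leaked_fields(response_json):
    """Return the sorted list of sensitive keys found anywhere in a JSON payload.

    Usable as a unit test on handler output or as an outbound check in CI,
    independent of how deeply the offending key is nested.
    """
    found = set()

    def walk(node):
        if isinstance(node, dict):
            for key, value in node.items():
                if key in SENSITIVE_FIELDS:
                    found.add(key)
                walk(value)
        elif isinstance(node, list):
            for item in node:
                walk(item)

    walk(json.loads(response_json))
    return sorted(found)


if __name__ == "__main__":
    print("exposed endpoint leaks:", leaked_fields(leaderboard_exposed(SAMPLE_USERS)))
    print("hardened endpoint leaks:", leaked_fields(leaderboard_hardened(SAMPLE_USERS)))
    print(leaderboard_hardened(SAMPLE_USERS))
```

The design point is the direction of the filter: the hardened handler copies out only what the screen needs (an allowlist), rather than stripping known-bad keys from a full record (a denylist), so new sensitive columns do not silently become exposed. The `leaked_fields` check is the cheap regression test that would have flagged this particular leak on the first build.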
Following the report from the RapidSpike developer about the One Planet York app exposing personal data, the City of York Council said it reached out to ask that any information collected during the research be destroyed.
The developer replied on the same day, confirming that they had no data stored, so there was nothing to destroy. It appears that the Council did not get the message at that time and considered the matter "a deliberate and unauthorized access" that needed to be brought to the police.
In a tweet today, the Council admits that there was a technical problem that prevented the emails from reaching their destination and that the individual's action was well intended.
One Planet York app update - Following further review it has become clear that the person who identified the issue with the app had tried to contact us but their email had not been received due to security settings.— City of York Council (@CityofYork) November 28, 2018