UK ruling party's conference app editable by world+dog, blabs members' digits

While Nadine Dorries' website extols 'block-chain spanning the 499km Irish border'


The UK's Conservative Party has kicked off its annual conference by exposing its MPs' phone numbers to anyone able to guess their email addresses.

Party chairman Brandon Lewis was planning to sell the "interactive" app – which will allow attendees to give feedback on speeches as they happen – as evidence that the ruling party was embracing tech in a bid to win over the youth vote (another idea was to have the culture secretary appear as a hologram).

But soon after its launch, users took to Twitter to point out that that not only were contact details and personal information visible – they could also be edited.

Particular targets appeared to be Michael Gove, whose picture was changed to that of his former boss Rupert Murdoch, and Boris Johnson, whose name and profile picture were reportedly changed during the incident.

Crowd Comms, the company behind the app, said the error "meant that a third party in possession of a conference attendee's email address was able, without further authentication, to potentially see data which the attendee had not wished to share – name, email address, phone number, job title and photo".

Since email addresses are often pretty easy to guess, or – in the case of MPs or other professionals registered on the app – a case of public record, the cock-up had a wide potential impact.

However, Lewis – who declined to say how many people had been affected – insisted that a "limited number of delegates" were hit.

In a video interview, he told Sky News that the party was contacting them to outline "exactly what has happened" – the text of this note has been shared on Twitter, and points the finger firmly at the app developer.

Crowd Comms claimed that the error was "rectified within 30 minutes", but it isn't clear when they started the clock started ticking, as it is possible the company was informed about the breach privately before it was put on Twitter.

The snafu is a huge embarrassment for the Tories at a time when they are trying to manage the much tougher problem of Britain's exit from the European Union, and improve its reputation with the public as the threat of another election remains real.

It also follows a disastrous 2017 conference, which saw PM Theresa May handed a P45* during her keynote, after which the letter "F" fell off the slogan on the board behind her.

However, one Tory MP who might be having a quiet smirk about the incident is Matt Hancock (the then digital secretary, now health secretary), whose eponymous app launch was widely criticised for its data privacy and security – but at least it didn't expose people's phone numbers.

Both Crowd Comms and the Conservatives have issued the requisite apologies for the error, while the Information Commissioner's Office has confirmed it is making enquiries.

Whether it will take action against the Conservatives is another question – most recently the party escaped with a ticking off after phone calls made on its behalf "crossed the line" into unlawful direct marketing.

And whether any action will make an impact in the long run is another matter, because, despite their posturing, political parties appear happy to play fast and loose with privacy laws when it enables them to sign people up to their mailing lists.

Meanwhile, Conservative MP Nadine Dorries has become embroiled in her own security blunder after pranksters changed the text on her parliamentary website to include suggestions that the Irish border problem could be solved by drones and the blockchain.

In consultation with Boris, our partners in the D.U.P. [Democractic Unionist Party] and the [pro-Brexit Tory support group] E.R.G. I wish to state that we will insist on a friction-less solution to all security concerns and debate with our Irish colleagues the very real technical solution of building an electronic defense system using solar powered drones to deploy a massive block-chain spanning the 499km Irish border."

The end of the page also states: "Comments, Webshells and shellcode are welcome.

Despite the issue being widely pointed out on social media, her team is either unaware or unable to fix the problem.

Dorries has something of a reputation when it comes to cyber security. Last year she advertised the fact she shouts her passwords out across the office after fellow MP Damian Green was hit with allegations over porn found on his work computer.

The Register has tried to reach Dorries for comment. ®

* "Details of employee leaving work" – the UK government standard tax form given to Brits when they've left or been booted out. Also known as a pink slip...


Other stories you might like

  • Pentester pops open Tesla Model 3 using low-cost Bluetooth module
    Anything that uses proximity-based BLE is vulnerable, claim researchers

    Tesla Model 3 and Y owners, beware: the passive entry feature on your vehicle could potentially be hoodwinked by a relay attack, leading to the theft of the flash motor.

    Discovered and demonstrated by researchers at NCC Group, the technique involves relaying the Bluetooth Low Energy (BLE) signals from a smartphone that has been paired with a Tesla back to the vehicle. Far from simply unlocking the door, this hack lets a miscreant start the car and drive away, too.

    Essentially, what happens is this: the paired smartphone should be physically close by the Tesla to unlock it. NCC's technique involves one gadget near the paired phone, and another gadget near the car. The phone-side gadget relays signals from the phone to the car-side gadget, which forwards them to the vehicle to unlock and start it. This shouldn't normally happen because the phone and car are so far apart. The car has a defense mechanism – based on measuring transmission latency to detect that a paired device is too far away – that ideally prevents relayed signals from working, though this can be defeated by simply cutting the latency of the relay process.

    Continue reading
  • Google assuring open-source code to secure software supply chains
    Java and Python packages are the first on the list

    Google has a plan — and a new product plus a partnership with developer-focused security shop Snyk — that attempts to make it easier for enterprises to secure their open source software dependencies.

    The new service, announced today at the Google Cloud Security Summit, is called Assured Open Source Software. We're told it will initially focus on some Java and Python packages that Google's own developers prioritize in their workflows. 

    These two programming languages have "particularly high-risk profiles," Google Cloud Cloud VP and GM Sunil Potti said in response to The Register's questions. "Remember Log4j?" Yes, quite vividly.

    Continue reading
  • Rocket Lab is taking NASA's CAPSTONE to the Moon
    Mission to lunar orbit is further than any Photon satellite bus has gone before

    Rocket Lab has taken delivery of NASA's CAPSTONE spacecraft at its New Zealand launch pad ahead of a mission to the Moon.

    It's been quite a journey for CAPSTONE [Cislunar Autonomous Positioning System Technology Operations and Navigation Experiment], which was originally supposed to launch from Rocket Lab's US launchpad at Wallops Island in Virginia.

    The pad, Launch Complex 2, has been completed for a while now. However, delays in certifying Rocket Lab's Autonomous Flight Termination System (AFTS) pushed the move to Launch Complex 1 in Mahia, New Zealand.

    Continue reading

Biting the hand that feeds IT © 1998–2022