UK ruling party's conference app editable by world+dog, blabs members' digits
While Nadine Dorries' website extols 'block-chain spanning the 499km Irish border'
The UK's Conservative Party has kicked off its annual conference by exposing its MPs' phone numbers to anyone able to guess their email addresses.
Party chairman Brandon Lewis was planning to sell the "interactive" app – which will allow attendees to give feedback on speeches as they happen – as evidence that the ruling party was embracing tech in a bid to win over the youth vote (another idea was to have the culture secretary appear as a hologram).
But soon after its launch, users took to Twitter to point out that not only were contact details and personal information visible – they could also be edited.
The Tory conference app has no security at all, you can just edit other MPs' details and see it all regardless of settings as they didn't add authentication 🤷🏾♀️ H/T @DawnHFoster pic.twitter.com/lJdomlsMB4— Kevin Beaumont (@GossiTheDog) September 29, 2018
Particular targets appeared to be Michael Gove, whose picture was changed to that of his former boss Rupert Murdoch, and Boris Johnson, whose name and profile picture were reportedly changed during the incident.
I’ve updated his position to something more accurate. pic.twitter.com/ydo9edmYc4— Neil Claxton (@MintRoyale) September 29, 2018
Crowd Comms, the company behind the app, said the error "meant that a third party in possession of a conference attendee's email address was able, without further authentication, to potentially see data which the attendee had not wished to share – name, email address, phone number, job title and photo".
Since email addresses are often pretty easy to guess, or – in the case of MPs or other professionals registered on the app – a matter of public record, the cock-up had a wide potential impact.
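The flaw Crowd Comms describes is a directory that treats knowledge of an email address as the whole credential, which is why the sharing settings and the edit restrictions both fell away. The following is an added, constructed example (not Crowd Comms' code, and the attendees, numbers and passwords are placeholders) that models that pattern beside the shape a fixed version takes: a session issued only after a password check, an ownership check before any edit, and a read path that returns only the fields the attendee opted to share.

```python
"""Constructed model of an attendee directory keyed on email address alone,
beside a version that requires an authenticated session and honours sharing
settings. Hypothetical code, not the conference app's own."""
import hashlib
import hmac
import secrets

# Constructed sample attendees; names, numbers and photos are placeholders.
PROFILES = {
    "alice@example.org": {
        "name": "Alice Example", "phone": "+44 7700 900001",
        "job_title": "MP", "photo": "alice.jpg",
        "shared": {"name", "job_title"},   # fields the attendee chose to publish
    },
    "bob@example.org": {
        "name": "Bob Example", "phone": "+44 7700 900002",
        "job_title": "Delegate", "photo": "bob.jpg",
        "shared": {"name"},
    },
}

# --- Vulnerable pattern: supplying the email address is the only "proof" ---

def lookup_vulnerable(email):
    """Returns every field of the profile; the sharing settings are ignored."""
    p = PROFILES[email]
    return {k: v for k, v in p.items() if k != "shared"}

def update_vulnerable(email, changes):
    """Applies edits for whoever names the address; nobody is asked to log in."""
    PROFILES[email].update(changes)
    return PROFILES[email]

# --- Hardened pattern: log in first, then authorise each request ---

SALT = b"constructed-fixed-salt"   # real systems use a random salt per user

def _hash(password):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)

PASSWORD_DB = {                     # constructed credentials for the sample users
    "alice@example.org": _hash("alice-pass"),
    "bob@example.org": _hash("bob-pass"),
}
SESSIONS = {}                       # random token -> authenticated email

def login(email, password):
    """Issues a session token only when the password check passes."""
    stored = PASSWORD_DB.get(email)
    if stored is None or not hmac.compare_digest(stored, _hash(password)):
        raise PermissionError("bad credentials")
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = email
    return token

def _caller(token):
    email = SESSIONS.get(token)
    if email is None:
        raise PermissionError("not authenticated")
    return email

def lookup_secure(token, email):
    """Owners see their full record; everyone else sees only opted-in fields."""
    caller = _caller(token)
    p = PROFILES[email]
    if caller == email:
        return {k: v for k, v in p.items() if k != "shared"}
    return {k: p[k] for k in p["shared"]}

def update_secure(token, email, changes):
    """Only the authenticated owner may edit, and only the editable fields."""
    if _caller(token) != email:
        raise PermissionError("not the profile owner")
    disallowed = set(changes) - {"name", "phone", "job_title", "photo"}
    if disallowed:
        raise ValueError(f"cannot edit {sorted(disallowed)}")
    PROFILES[email].update(changes)
    return {k: v for k, v in PROFILES[email].items() if k != "shared"}
```

The two halves differ in exactly the three places the incident turned on: whether a request is tied to an authenticated attendee at all, whether that attendee owns the record being written, and whether a read applies the record owner's sharing choices rather than the requester's wishes.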
However, Lewis – who declined to say how many people had been affected – insisted that a "limited number of delegates" were hit.
In a video interview, he told Sky News that the party was contacting them to outline "exactly what has happened" – the text of this note has been shared on Twitter, and points the finger firmly at the app developer.
Almost 24 hours since a data breach which exposed the private contact details of hundreds of people, the Conservatives finally send out an email about their conference app. No apology. Everything blamed on the firm they bought the app from. pic.twitter.com/WsTUIvjiXz— Adam Bienkov (@AdamBienkov) September 30, 2018
Crowd Comms claimed that the error was "rectified within 30 minutes", but it isn't clear when the clock started ticking, as it is possible the company was informed about the breach privately before it was put on Twitter.
The snafu is a huge embarrassment for the Tories at a time when they are trying to manage the much tougher problem of Britain's exit from the European Union, and to improve their reputation with the public as the threat of another election remains real.
It also follows a disastrous 2017 conference, which saw PM Theresa May handed a P45* during her keynote, after which the letter "F" fell off the slogan on the board behind her.
However, one Tory MP who might be having a quiet smirk about the incident is Matt Hancock (the then digital secretary, now health secretary), whose eponymous app launch was widely criticised for its data privacy and security – but at least it didn't expose people's phone numbers.
Both Crowd Comms and the Conservatives have issued the requisite apologies for the error, while the Information Commissioner's Office has confirmed it is making enquiries.
Whether it will take action against the Conservatives is another question – most recently the party escaped with a ticking off after phone calls made on its behalf "crossed the line" into unlawful direct marketing.
And whether any action will make an impact in the long run is another matter, because, despite their posturing, political parties appear happy to play fast and loose with privacy laws when it enables them to sign people up to their mailing lists.
Meanwhile, Conservative MP Nadine Dorries has become embroiled in her own security blunder after pranksters changed the text on her parliamentary website to include suggestions that the Irish border problem could be solved by drones and the blockchain.
"In consultation with Boris, our partners in the D.U.P. [Democratic Unionist Party] and the [pro-Brexit Tory support group] E.R.G. I wish to state that we will insist on a friction-less solution to all security concerns and debate with our Irish colleagues the very real technical solution of building an electronic defense system using solar powered drones to deploy a massive block-chain spanning the 499km Irish border."
The end of the page also states: "Comments, Webshells and shellcode are welcome."
Despite the issue being widely pointed out on social media, her team is either unaware or unable to fix the problem.
Dorries has something of a reputation when it comes to cyber security. Last year she advertised the fact she shouts her passwords out across the office after fellow MP Damian Green was hit with allegations over porn found on his work computer.
The Register has tried to reach Dorries for comment. ®
* "Details of employee leaving work" – the UK government standard tax form given to Brits when they've left or been booted out. Also known as a pink slip...