Great Article! I just shared that with a group of people that are primarily not Hackers but web devs. This is a perfect example that quite often, hacking is just debugging.
I always like these trivial vulnerabilities too. Reading about IDORs is always fun
Have worked in security a long time. Insecure software that processes PII is designed to be deniable. This is why we need hackers like this fellow to verify anything that processes PII.
I see this fairly often, where a manager in an institution wants to do something illegal or deniable with valuable PII and skirt regulations, they make the external commitment that it's "secure," and then push the implementation down to technologists to implement without serious controls.
If it mattered to the owners of the contact tracing app that it were trustworthy and secure, it would have been. If you want to see what it looks like when security matters, check Apple Pay and other payment specs. It didn't matter in this contact tracing app because someone decided it didn't. I'd argue the so called "professional" pretense of goodwill and sincere intent when it comes to the mass collection of PII is gaslighting bullshit.
In 30 years I could see there being a truth commission where now-aging ad-tech and other developers will confess how they created the systems to facilitate a very dark period.
There is a big dilemma about privacy in such contact tracing apps, solutions, that require a post of its own.
I mean, if you have no idea who access the data, who can use the data.
Yes anyone can put a TOS or privacy policy that no one can see the data, but even though that's the case, there have been numerous occasions where employees were found to misuse PII.
Great find through what looks like simple use of developer tools, OP.
Since you, the author, have submitted the post, I’d suggest changing the dashboard screenshot with the names also partially blacked out to avoid exposing people who have used this system. It’s possible that some of those names are rare or unique or the way they’re spelled makes them stand out.
Yes, It's not 100% hacking, but I guess I exploited a vulnerability in their API by creating an administrator account to gain access to their dashboard.
Thanks for the comment, I will change the dashboard picture
16 comments
[ 0.24 ms ] story [ 46.6 ms ] threadStoring the location of all of your citizens in a system that was developed by volunteers for free with little evidence of code review...
And they thought that this was a good defence?! I wouldn’t be totally surprised if the volunteers were another nation state.
I'm happy I was able to find the vulnerability within 4 days of it's public release
I always like these trivial vulnerabilities too. Reading about IDORs is always fun
Yes it was a simple debugging everything done with the browser and with some code review :)
I see this fairly often, where a manager in an institution wants to do something illegal or deniable with valuable PII and skirt regulations, they make the external commitment that it's "secure," and then push the implementation down to technologists to implement without serious controls.
If it mattered to the owners of the contact tracing app that it were trustworthy and secure, it would have been. If you want to see what it looks like when security matters, check Apple Pay and other payment specs. It didn't matter in this contact tracing app because someone decided it didn't. I'd argue the so called "professional" pretense of goodwill and sincere intent when it comes to the mass collection of PII is gaslighting bullshit.
In 30 years I could see there being a truth commission where now-aging ad-tech and other developers will confess how they created the systems to facilitate a very dark period.
I mean, if you have no idea who access the data, who can use the data.
Yes anyone can put a TOS or privacy policy that no one can see the data, but even though that's the case, there have been numerous occasions where employees were found to misuse PII.
Since you, the author, have submitted the post, I’d suggest changing the dashboard screenshot with the names also partially blacked out to avoid exposing people who have used this system. It’s possible that some of those names are rare or unique or the way they’re spelled makes them stand out.
Thanks for the comment, I will change the dashboard picture