- The leak allowed miscreants to access the personal contact details of other conference attendees without authentication.
- To exploit the flaw, all one needed to do was press a button and enter the email address of any attendee.
The personal data of several British MPs was leaked by a mobile conference app. The leak was caused by a vulnerability in the app, which the UK Conservative Party used to register attendees of its annual conference. The app let anyone view an attendee's personal contact information without a password or one-time passcode (OTP) check.
The bug surfaced on September 29, on the eve of the Conservative Party's conference in Birmingham. On Saturday afternoon, Dawn Foster, the Guardian columnist who found it, took to Twitter to report the details.
To exploit the vulnerability, a user needed only to press a button and enter the email address of any attendee. This reportedly gave Foster full access to that attendee's profile information without ever being prompted for a password. According to a BBC report, the app was built by an Australian firm, Crowd Comms.
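The flaw described above, and spelled out in Crowd Comms' later statement (a third party holding an attendee's email address could see data "without further authentication"), is a missing authentication check: the email address was treated as the credential. The following is an added illustration written for this page, not Crowd Comms' code, and it assumes nothing about how their app was actually built. It models a profile lookup that hands back everything for any email supplied, beside a hardened version that only answers for a session established through a verified OTP and that shows other attendees only the fields the owner chose to share. The attendee records are constructed sample data.

```python
import hmac
import secrets

# Constructed sample data (not real attendees): email -> profile record.
# "shared_fields" is an assumption for this example: what the attendee opted
# to make visible to other logged-in delegates.
ATTENDEES = {
    "alice@example.org": {
        "name": "Alice Example", "phone": "+44 20 7946 0000",
        "job_title": "Delegate", "photo": "alice.jpg",
        "shared_fields": {"name", "job_title"},
    },
    "bob@example.org": {
        "name": "Bob Example", "phone": "+44 20 7946 0001",
        "job_title": "Press", "photo": "bob.jpg",
        "shared_fields": {"name"},
    },
}


def _full_profile(profile):
    """Everything the attendee entered, minus the internal sharing policy."""
    return {k: v for k, v in profile.items() if k != "shared_fields"}


def vulnerable_profile_lookup(email):
    """Modelled on the reported flaw: knowing an email address is enough.

    Returns (http_status, body). No session, no password, no OTP.
    """
    profile = ATTENDEES.get(email.strip().lower())
    if profile is None:
        return 404, None
    return 200, _full_profile(profile)


class AuthService:
    """Hypothetical OTP login: the email is an identifier, not a credential."""

    def __init__(self):
        self._pending_otps = {}   # email -> one-time code awaiting verification
        self._sessions = {}       # random session token -> verified email

    def request_otp(self, email):
        email = email.strip().lower()
        if email not in ATTENDEES:
            return None
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending_otps[email] = code
        # Simulation only: a real service sends the code to the mailbox and
        # never returns it to the caller.
        return code

    def verify_otp(self, email, code):
        """Single-use check; returns a session token on success, else None."""
        email = email.strip().lower()
        expected = self._pending_otps.pop(email, None)  # consumed either way
        if expected is None or not hmac.compare_digest(expected, code):
            return None
        token = secrets.token_urlsafe(32)
        self._sessions[token] = email
        return token

    def email_for(self, token):
        return self._sessions.get(token)


def hardened_profile_lookup(auth, session_token, email):
    """Profile lookup bound to a verified session.

    The caller's identity comes from the server-side session, never from the
    request body. Owners see their own full record; other verified attendees
    see only the fields the owner chose to share.
    """
    caller = auth.email_for(session_token) if session_token else None
    if caller is None:
        return 401, None
    target = email.strip().lower()
    profile = ATTENDEES.get(target)
    if profile is None:
        return 404, None
    full = _full_profile(profile)
    if caller == target:
        return 200, full
    return 200, {k: v for k, v in full.items() if k in profile["shared_fields"]}
```

The point of the hardened version is where identity comes from: the email in the request selects which record is being asked about, but the answer depends on a session token that only exists after a code sent to that mailbox was verified. Guessing an address then gets an attacker a 401, and even a logged-in delegate sees only what the target opted to share.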
Others reportedly used the flaw to get into the app and alter users' personal details and profile information. In one instance, someone accessed the account of Boris Johnson, the then secretary of state for foreign and commonwealth affairs, and replaced his profile picture with a pornographic image.
In another, the profile image of Michael Gove, the secretary of state for environment, food, and rural affairs, was replaced with a photo of Rupert Murdoch. Murdoch is the former CEO of 21st Century Fox and the current chairman of News Corp, which owns the Wall Street Journal and other major publications, and a former employer of Gove.
Phone numbers and email addresses of some British MPs were posted on Twitter, and some victims received prank calls and messages, according to a ZDNet report.
Crowd Comms released an official statement, apologizing for the incident. The statement titled “An apology to the Conservative Party and its Conference attendees” read, “An error meant that a third party in possession of a conference attendee’s email address was able, without further authentication, to potentially see data which the attendee had not wished to share – name, email address, phone number, job title, and photo.”
According to Crowd Comms' statement, the error was rectified within 30 minutes. The firm also said it would notify the ICO (Information Commissioner's Office) about the issue.
“Organisations have a legal duty to keep personal data safe and secure. Under the GDPR they must notify the ICO within 72 hours of becoming aware of a personal data breach if it could pose a risk to people's rights and freedoms,” ICO said in a statement, adding that it “will be making inquiries” into the breach.