UK ruling party's conference app editable by world+dog, blabs members' digits

The UK's Conservative Party has kicked off its annual conference by exposing its MPs' phone numbers to anyone able to guess their email addresses. Party chairman Brandon Lewis was planning to sell the "interactive" app – which will allow attendees to give feedback on speeches as they happen – as evidence that the ruling party …

  1. Dan 55 Silver badge
    Black Helicopters

    Plenty more where that came from

    Let's not forget the Conservative Campaigner app (as opposed to the Conservative Conference app) which is even more of a clusterfuck - no thought to GDPR, Facebook and Google slurp, and connected by the way of the developer (uCampaign) to Cambridge Analytica, Vote Leave, the NRA, and Trump-Pence.

    1. MyffyW Silver badge
      Coat

      P45

      Whilst I appreciate you explaining the significance of a P45 to our left-pondian friends it is very definitely not "also known as a pink slip" in this fair Kingdom.

      I like nothing more than relaxing in my pink slip, but it's made of cotton, lace and elastane, and very definitely does not convey my tax status to a subsequent employer.

      1. macjules

        Re: P45

        "Pink Slip" is the US equivalent of a P45.

        There, FTFY

  2. iron Silver badge
    Facepalm

    It occurs to me that by editing someone else's profile Neil Claxton (@MintRoyale) has breached the Misuse of Computers Act and then advertised his crime on Twitter. I hope the Tories send the rozzers round to teach him not to be such an idiot.

    1. James 51

      I doubt it, as long as he had paid for the app. You could argue terms and conditions but I've never heard of a case (other than reselling licenses) going to court. The software house would cease to exist long before the case came to trial.

      1. Anonymous Coward
        Anonymous Coward

        ref: https://en.wikipedia.org/wiki/Computer_Misuse_Act_1990#The_Computer_Misuse_Act

        "unauthorised modification of computer material, punishable by 12 months/maximum fine (or 6 months in Scotland) on summary conviction and/or 10 years/fine on indictment"

        I think the way they define "unauthorised" is if you knew you shouldn't have access - otherwise there wouldn't be computer misuse as all exploitation of a security bug could be defended by "but the computer let me do it". The prosecution will just need to argue that it's obvious the defendant wasn't supposed to be able to edit Boris's profile. How stupidly enormous the security hole was probably doesn't matter.

        EDIT: I'm predicting lots of downvotes here. If you downvote please comment why and with some links would help. The government do pass a lot of stupid laws in the "cyber" area, so if this one is not as stupid as it appears it'd be nice to know why.

        1. James 51
          IT Angle

          https://www.bbc.co.uk/news/uk-england-19009344

          If you take an overly literal reading of the law then you might have a case but I am not sure any conviction would stand up to an appeal.

          BTW the data misuse act is no longer law:

          https://ascentant.co.uk/gdpr-replace-data-protection-act-1998-prepared/

          GDPR would be a far better way to clobber the company responsible (and probably the Tory party too as they would be data controllers in this instance). You could go for defamation too but that could end up making the Tory party look very silly indeed.

          1. Kientha

            Hi James, you seem to be confusing the Data Protection Act 1998 (replaced by GDPR) with the Computer Misuse Act 1990 which is still in effect. GDPR regards the protection of personal data aimed at any organisation that processes personal data. Computer Misuse Act is the overarching "hacking" legislation of the UK

            1. James 51

              Making data this easy to access is a violation of the requirement to protect identifying data and given the extreme ease with which anyone who had access to the app could do all of this, I struggle to describe what was happening as hacking in any sense of the term. You might be able to get a conviction under computer misuse but GDPR covers a lot of the same ground and feels like the more relevant legislation. Particularly as only people who had the app and had a right to use it were using it, and 'I was just exploring the functionality available to me, yer honour. It didn't say anywhere that I couldn't.'

              I think under a more general point, every company needs to up their security game and going over the few people who changed the data should take a backseat to getting the parties (both business and political) to take their responsibilities seriously.

              1. Jamie Jones Silver badge

                Remember back in the olden days, we'd sometimes manually remove the last "/" separated field in the URL to go up to the parent page? (before people ruined things with haphazard design, and overloaded inappropriate asynchronous xmlhttprequest usage)

                There was one site where doing so revealed stuff that shouldn't have been revealed, and the owner of the site claimed unauthorised access, as there were no links pointing to the newly derived URL, so it was therefore "hacked". (I can't remember the outcome, and can't find a link, sorry)

                Where do you draw the line?

                1. Ken Moorhouse Silver badge

                  Re: we'd sometimes manually remove the last "/"

                  Difficult question to answer.

                  What do you do if you come home in the middle of the night and find your neighbour's front door wide open? (A situation I experienced many years ago). You could be praised (a) for shutting it (b) going in to check everything was ok (c) ignoring it. You could also be condemned (a) for shutting it (b) going in to check everything was ok (c) ignoring it. If you decide on (b) you will feel obliged to somehow document to a wider audience that this is what you're doing and that your intentions are honorable - yet a thief would probably do the same and retract the evidence once mission was accomplished.

            2. Halfmad

              Hate to point this out but DPA 1998 was replaced by DPA 2018 + GDPR. We still have a DPA though..

        2. Kientha

          They could use a defence along the lines of "it wasn't me someone else sent me the screen grabs" and unless they could prove beyond reasonable doubt that wasn't the case... But I agree with your interpretation of the CMA. Doesn't matter how you accessed it, if you didn't have permission or a reasonable belief of permission and changed data that's the third tier.

        3. Spazturtle Silver badge

          "I think the way they define "unauthorised" is if you knew you shouldn't have access - otherwise there wouldn't be computer misuse as all exploitation of a security bug could be defended by "but the computer let me do it". "

          It depends on the finer technicalities, for example:

          Connecting to an unsecured wifi network and using it for internet access is OK.

          This is because your device asked the AP for permission and the AP responded giving permission. So as you asked for permission and got it you are in the clear. Open wifi networks still have authentication, it's just that the router's policy is to grant access to anyone who asks for it.

          Figuring out that an SQL server is listening on an open port and sending SQL queries to it is NOT OK.

          Because there was no authentication process at all, so you didn't have permission and it is therefore a crime.

          1. ibmalone

            It depends on the finer technicalities, for example:

            Connecting to an unsecured wifi network and using it for internet access is OK.

            This is because your device asked the AP for permission and the AP responded giving permission. So as you asked for permission and got it you are in the clear. Open wifi networks still have authentication, it's just that the router's policy is to grant access to anyone who asks for it.

            Figuring out that an SQL server is listening on an open port and sending SQL queries to it is NOT OK.

            Because there was no authentication process at all, so you didn't have permission and it is therefore a crime.

            I'd better put on my 'not a lawyer' hat first, but I think this misses something, because it would make any social engineering attack exempt. The word the CMA repeatedly uses is "unauthorised", "authorised" appears a couple of times. Interpreting a computer's automatic response as granting authorisation is probably wrong, interpretation notes in 17.8 : "An act done in relation to a computer is unauthorised if the person doing the act (or causing it to be done)—

            (a)is not himself a person who has responsibility for the computer and is entitled to determine whether the act may be done; and

            (b)does not have consent to the act from any such person.""

            Authorisation comes from a person, we might use the same words for processes a computer carries out, but they're not the same. An open wifi is authorised to connect to because its owner has chosen to make it open. If it's been left open by accident there might be an argument for that being unauthorised access. And this is where I'm really not a lawyer, how much is thinking you had been authorised a reasonable defence? And implausibly claiming you thought you were authorised when you weren't, such as stealing a neighbour's wifi may not go down well. However prosecutions under CMA are rare, so I don't really see the police getting involved in that one (inconvenience a company on the FTSE and the story might be different).

            http://usir.salford.ac.uk/15815/7/MacEwan_Crim_LR.pdf makes interesting reading (and serves as a reminder that lawyers aren't always in agreement about interpretation, see for example the section on DPP v Bignell)

            1. ibmalone

              Too late to fix link, and doubt anyone here really needs help, but for completeness: http://usir.salford.ac.uk/15815/7/MacEwan_Crim_LR.pdf commentary on CMA and recent amendments.

            2. Hans 1
              FAIL

              17.8 : "An act done in relation to a computer is unauthorised if the person doing the act (or causing it to be done)—

              (a)is not himself a person who has responsibility for the computer and is entitled to determine whether the act may be done; and

              (b)does not have consent to the act from any such person.""

              By that definition, using the Internet is illegal, unless you request permission from each and every site you wish to visit ...

              1. ibmalone

                (b)does not have consent to the act from any such person.""

                By that definition, using the Internet is illegal, unless you request permission from each and every site you wish to visit ...

                Well, don't look at me, I didn't write the law (and it is a direct quote). However, connect a computer up to the internet, make it openly accessible, and authorisation for public use is implied (it's clear from your actions that this is what you intended), so no, you don't need to request permission individually, see arguments about deep linking, which don't get people prosecuted under CMA. Accessing a website is no more unauthorised access than taking a free newspaper from a stand is theft. On the other hand, break into a delivery van carrying those same 'free newspapers' to take them and it is theft (or possibly robbery, depending on circumstances).

              2. Spazturtle Silver badge

                "By that definition, using the Internet is illegal, unless you request permission from each and every site you wish to visit ..."

                https://www.theregister.co.uk/2018/04/18/nova_scotia_teenager_hacking_allegation/

          2. Hans 1
            Facepalm

            Figuring out that an SQL server is listening on an open port and sending SQL queries to it is NOT OK.

            Bullshit!

            1. Port scanning is not a crime if the port is open to the world! Shit, reminds me of my youth, sk8 is not a crime! Now, if no password is required, you're good to go - i.e. webserver. Trying to force your way through is a crime, though.

            2. You need to authenticate for SQL server to process your queries!

        4. Anonymous Coward
          Anonymous Coward

          no wonder they're not making headway in Scotland

          If they equate spending 6 months in Scotland with a large fine or prison sentence

    2. steviebuk Silver badge

      Doubt it. You can argue that you thought it was a "feature" or "it appeared to be a massive security hole but I wasn't sure so I tried to edit their profile & sure enough I was able to. Yes I took an image of the change as evidence it was an issue. I then reported it and stopped using it. Why did I make a change, take an image and post it on Twitter? Because too many companies deny these bugs exist so I needed proof. Just look at the TV licencing issue recently? That security hole was pointed out to them with evidence yet they publicly denied it was an issue.

  3. Anonymous Coward
    Anonymous Coward

    Well, it certainly looks like one of the better conference apps I've ever seen - the malicious edits you make to profiles actually save when you want them to!

    1. Dr Dan Holdsworth

      The solution of the true BOFH in this situation would be to keep track of which devices attempted to edit the data, and once each device has tried to save the changes, to present JUST that device with the edited data and keep the data unedited for everyone else.

      This permits the would-be hacker to think that they have made an unauthorised edit, go onto Twitter and crow about it, and end up looking like a complete twerp when nobody else can see their edit. Since most of these script kiddies are doing this as a form of social display, contriving to let them make themselves look like idiots in public is a fairly sweet revenge.

      1. PickledAardvark

        "The solution of the true BOFH in this situation would be to keep track of which devices attempted to edit the data, and once each device has tried to save the changes, to present JUST that device with the edited data and keep the data unedited for everyone else."

        This solution requires various factors which may or may not work:

        * The OS of a mobile device doesn't change the exposed MAC address.

        * Nobody uses more than one device.

        * Mobile devices have fixed IP addresses.

        * Tokens assigned to a device/app which cannot be copied.

        Tokens seem promising but Facebook's recent embarrassments suggest that tokens are difficult to implement.

    2. Anonymous Coward
      Anonymous Coward

      Well, it certainly looks like one of the better conference apps I've ever seen

      True, I've yet to see one that runs without crashing, disconnecting me, or just plain giving wrong info.

      I can only assume that since these apps are only required for a week at most, the companies who sell them give the job to the latest trainee/summer student on the basis that any old crap will probably do.

  4. Elmer Phud
    Facepalm

    Problems?

    This sounds like a standard gobermint IT project as wot has been seen over the years.

    SNAFU - in which respect I expect it to be announced as a resounding success and a huge benefit to those who use it etc.etc.

  5. Anonymous Coward
    Anonymous Coward

    "Everything blamed on the firm they bought the app from."

    They do that a lot.

    1. Alister

      Re: "Everything blamed on the firm they bought the app from."

      And rightly so!

      I'm no supporter of the Conservatives, but I'm pretty sure they didn't go to the developer:

      "Oh, and please make sure our app includes loads of bugs, and is more full of security holes than Adobe Flash"

      It's fun to blame the party, but it's the company who sold them the app whose fault it is.

      1. Dan 55 Silver badge

        Re: "Everything blamed on the firm they bought the app from."

        Under GDPR, the conservative party is the data controller. They can't wash their hands of it however they might have had a contract with the developer (data processor) which passes all GDPR fines onto it, if the developer were willing to agree to that.

      2. Anonymous Coward
        Anonymous Coward

        Re: "Everything blamed on the firm they bought the app from."

        I'm sure they didn't ask for bugs. More likely the conversation went down as ' We need an app' - 'Oh, my pal Twinky Buffington-Posh, you know from Eton, rides with the hunt, pa's some city big wig, he does appy thingies' - 'Good-oh'.

        And what's the betting the actual app developer said 'Here it is, you really ought to take a little while and review its security settings' and the party said 'Yeah, yeah, we know, I'll get the intern on it right away. Now who's coming to the wine bar for some champers?'

        Good luck when your firm lets personal data out, claiming 'Wasn't me guv, must have been the dodgy software wot I bought'

        1. Robert Helpmann??
          Childcatcher

          Re: "Everything blamed on the firm they bought the app from."

          And what's the betting the actual app developer said 'Here it is, you really ought to take a little while and review its security settings'

          You were doing fine until you got to this point. Never in the history of ever did an app developer encourage anyone to look at security settings.

          1. Anonymous Coward
            Anonymous Coward

            Re: "Everything blamed on the firm they bought the app from."

            Yes guilty as charged. I obviously misheard that conversation - it actually went This app thingy - excellent work, but the minister says it's all a bit complicated, do we need all this password gubbins?

          2. Anonymous Coward
            Anonymous Coward

            Re: "Everything blamed on the firm they bought the app from."

            "Never in the history of ever did an app developer encourage anyone to look at security settings."

            While I am mildly sympathetic to your view I have to point out that this is not true of the BlackBerry apps for Android.

            1. Robert Helpmann??
              Childcatcher

              Re: "Everything blamed on the firm they bought the app from."

              While I am mildly sympathetic to your view I have to point out that this is not true of the BlackBerry apps for Android.

              I appreciate the point, and while there may be a few similar out there, they are truly few and far between. They should be looked at as the exception proving the rule.

          3. Anonymous Coward
            Anonymous Coward

            Re: "Everything blamed on the firm they bought the app from."

            Facebook never stop asking me to look at mine since I locked down my profile

        2. DavCrav

          Re: "Everything blamed on the firm they bought the app from."

          "And what's the betting the actual app developer said 'Here it is, you really ought to take a little while and review its security settings'"

          Who ships an app with 'no security at all, just anyone can alter anything' as a possible setting? Well, these guys, for one.

          1. Doctor Syntax Silver badge

            Re: "Everything blamed on the firm they bought the app from."

            "Who ships an app with 'no security at all, just anyone can alter anything' as a possible setting?"

            Innumerable IoT vendors?

      3. Teiwaz

        Re: "Everything blamed on the firm they bought the app from."

        Well, they got what they paid for in all likelihood.

        If their purchase strategy is anything like other recent Government contracts.

        Spend a penny get piss.

    2. Anonymous Coward
      Anonymous Coward

      Re: "Everything blamed on the firm they bought the app from."

      > They do that a lot.

      We took out a membership to something called the EU a long time ago and it turned out to be nothing like how it was described...

  6. Herring`

    Well, Mrs. May and other prominent Conservatives have been critical of systems that allow strong encryption. I guess they are leading by example here by having all their information public.

  7. Brewster's Angle Grinder Silver badge

    This is the party that's promising to solve the Northern Irish border with "technology".

    1. James 51
      Paris Hilton

      Let's not forget the necessary #tags.

    2. Anonymous Coward
      Anonymous Coward

      "This is the party that's promising to solve the Northern Irish border with "technology"."

      Could you try to pronounce the last word with an Ulster Protestant accent so it sounds like a really dodgy scheme possibly involving a lot of brown envelopes?

    3. Spazturtle Silver badge

      Good thing the Northern Ireland border isn't the UK's problem. The UK won't be putting up border checkpoints as we don't care about goods from Ireland coming into the UK. And if Ireland puts up checkpoints then they will be in violation of the Good Friday agreement. The Northern Ireland border issue is entirely the EU's to solve.

      1. 8Ace

        Hmmm .. except that if the UK leaves without a deal and don't put up checks on the Irish border they will be in breach of WTO rules by giving preferential access to UK markets via Ireland. Cue WTO sanctions !

      2. ibmalone

        Good thing the Northern Ireland border isn't the UK's problem. The UK won't be putting up border checkpoints as we don't care about goods from Ireland coming into the UK. And if Ireland puts up checkpoints then they will be in violation of the Good Friday agreement. The Northern Ireland border issue is entirely the EU's to solve.

        I'm sure this "stop hitting yourself" logic seems perfectly reasonable down the pub, but one of the reasons we are told we are leaving the EU (oddly I don't remember reasons being recorded on the ballot, so for 'reason' read 'fever-dreams of the monocle-fanciers at the ERG that they are claiming legitimacy for') is to "take back control of our borders". The border of the UK and Ireland is a border with the EU single market. 'We' (again, the Etonian 18th century re-enactment society) don't want to be in the single market, so "taking back control" means creating checks on that border, in a situation we (sadly without quotes) created. The EU is not a party to the Good Friday Agreement, Ireland and the United Kingdom are. Leaving the EU with no deal and knowingly creating a situation in which both we (WTO rules remember) and Ireland would have to introduce border checkpoints could only be construed as Ireland breaking the deal in the most twisted logic.

        Of course, we could leave the EU and remain in the EEA, completely in line with the Big Opinion Poll. The alternatives: persuade Ireland to jump off the cliff with us (to fix our blunder, good luck with that) or start the break up of the United Kingdom. Interesting that a coalition of Conservatives and Irish Unionists would be the ones kicking it off, but a quick look at the current secretary of state for Northern Ireland should tell you all you need to know about how much the modern conservative party cares.

  8. Crisp

    A "limited number of delegates" were hit.

    I suppose "all of them" counts as a limited number.

    1. Pascal Monett Silver badge

      Well yes, since at most they could only be some 7 billion delegates.

      7 billion is a limited number. A big one, but still limited.

  9. SVV

    You can trust us with all your personal data

    More info has been reported on this app flap : apparently it was an off the shelf configure it yourself thing, so they've proven that doing things on the cheap is bad for security yet again. Guessing here that some clueless intern who knows how to use an app did the configuration badly. And that nobody was hired to check it over for security.

    Johnson's profile picture was changed to some hardcore pornography, meaning that the conservative party may have made porn available without suitable age check controls. He is also reported to have tweeted a photo of himself jogging through a field of wheat in order to troll the prime minister, so all in all it's a complete embarrassment already by halfway through the Monday for the party.

    1. tiggity Silver badge

      Re: You can trust us with all your personal data

      It's what you get when you have had enough of experts.

    2. Ken Moorhouse Silver badge

      Re: off the shelf configure it yourself thing

      The technology solution for the Ireland/Northern Ireland border will no doubt involve downloading something from Sourceforge. Unfortunately at the moment when you type in "Brexit" there are zero programs.

      Hmm, I did a program a long time ago that printed out "Hello World", which strikes me as quite appropriate.

    3. Teiwaz

      Re: You can trust us with all your personal data

      a photo of himself jogging through a field of wheat

      In what must be without doubt the most tasteful/tasteless (delete as appropriate) Timotei ad remake ever.

      What's next, him gambolling down a grassy hillside a la 'Little House on the Prairie'?

  10. Kaltern

    Nothing a General Election can't sort out.

    (who am I kidding...)

  11. Kientha

    It's not a flaw! It's a feature!

    If you look at the website of the people who they bought the app from, you'll notice that passwords are an extra £399 for all but the top tier. I'm betting they either didn't purchase passwords or didn't enable them. The fact the app is available without passwords is utterly insane but not surprising.

  12. MaltaMaggot

    I'm struggling...

    ... to comprehend all this.

    I mean I've read it and I understand the words. And the order they're in. And the sentences they form and the meanings derived thereafter...

    Then I've read it again.

    Whichever way you voted on that awful referendum, it's these utter imbeciles in charge come March, and frankly they shouldn't be left in charge of putting their own shoes on...

    (disclaimer: I'm not suggesting anyone else is competent enough either, and I'm an expat with a detached perspective, and issues of competence when it comes to driving in flip-flops)

    1. MJI Silver badge

      Re: I'm struggling...

      My God aren't they useless, what are the others like?

      ...............................

      Oh dear, we are screwed.

  13. Anonymous Coward
    Anonymous Coward

    Security ignorance?

    There are only a few details about the problem, but it does seem that once you had 'signed up' to the conference app you could 'log back in' by just entering your email address (if it is true). I don't know how prominent any instructions were but it is a massive condemnation of everyone who used the app if they were not immediately struck by the implications of this. Of course some people were, and thought they might have a laugh about it.

    Can't someone in Government or the Civil Service please write some simple guidance about what a proper security system should look like? Just the system for a basic access app, not access to the Bank of England or something serious*.

    And it was NOT a trivial mistake. Apparently, when you had access you could send messages. How about Mr X messaging Mrs Y that "this is a good link... you will need to sign up though", where the link goes to some dodgy website.

    *HINT: how strong is the password? How many failed attempts before locked out? For how long? Can they tell you what your password is if you have forgotten it?

    1. Dave559 Silver badge

      Re: Security ignorance?

      They don't really need to write any new guidance, there are only two things that they need to do:

      1. Ask their potential developers verbally (and with the expectation of an immediate answer, without the help of a search engine) if they know what OWASP is?

      2. Go to https://www.owasp.org/ and read and digest the information therein themselves, so that they can ask their potential developers, those who passed the first question, suitable further followup questions, put them into the project spec, and test rigorously afterwards.

      1. Michael H.F. Wilkinson Silver badge

        Re: Security ignorance?

        I think the quote

        "deploy a massive block-chain spanning the 499km Irish border."

        shows exactly how much the Tories understand about "technology"
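The "Security ignorance?" comment above describes the two defects at the heart of this story: "logging back in" by typing an email address, and an edit function that lets any logged-in user change any profile. The following is an added example written for this thread, not the conference app's code or the vendor's. It puts the email-as-identity pattern next to a hardened version with password verification, a lockout after repeated failures (the commenter's hint), and an object-level authorization check on edits. The `ProfileStore` class, the two attendee accounts, the `MAX_FAILED` threshold and the PBKDF2 round count are all constructed for the example.

```python
import hashlib
import hmac
import secrets

PBKDF2_ROUNDS = 100_000   # assumed value for this example
MAX_FAILED = 5            # lockout threshold, assumed for this example


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


class ProfileStore:
    """In-memory stand-in for the app backend (constructed for the example)."""

    def __init__(self):
        self.profiles = {}   # email -> {"phone": str, "bio": str}
        self.creds = {}      # email -> (salt, pbkdf2 hash); never the clear password
        self.failed = {}     # email -> consecutive failed logins
        self.locked = set()  # emails locked after MAX_FAILED failures
        self.sessions = {}   # random session token -> email it was issued to

    def register(self, email, password, phone):
        salt = secrets.token_bytes(16)
        self.creds[email] = (salt, _hash_password(password, salt))
        self.profiles[email] = {"phone": phone, "bio": ""}


# ---- The pattern the thread describes -------------------------------------
# The email address is the whole proof of identity, and the edit endpoint
# trusts whichever target profile the client names.

def login_vulnerable(store, email):
    if email not in store.profiles:
        return None
    token = secrets.token_urlsafe(16)
    store.sessions[token] = email
    return token


def edit_bio_vulnerable(store, token, target_email, new_bio):
    if token not in store.sessions:        # "is there a session?" is the only check
        return False
    store.profiles[target_email]["bio"] = new_bio   # target is never compared to owner
    return True


# ---- Hardened version ------------------------------------------------------

def login(store, email, password):
    """Issues a session token only after the password verifies (constant-time
    compare) and locks the account after MAX_FAILED consecutive failures."""
    if email in store.locked or email not in store.creds:
        return None
    salt, stored = store.creds[email]
    if not hmac.compare_digest(stored, _hash_password(password, salt)):
        store.failed[email] = store.failed.get(email, 0) + 1
        if store.failed[email] >= MAX_FAILED:
            store.locked.add(email)
        return None
    store.failed[email] = 0
    token = secrets.token_urlsafe(32)
    store.sessions[token] = email
    return token


def edit_bio(store, token, target_email, new_bio):
    """Object-level authorization: the target must equal the identity bound to
    the token server-side, not anything the client claims about itself."""
    owner = store.sessions.get(token)
    if owner is None or owner != target_email:
        return False
    store.profiles[target_email]["bio"] = new_bio
    return True


def view_profile(store, token, target_email):
    """Any logged-in user sees the bio; the phone number (the field the article
    says was exposed) is returned only to its owner."""
    owner = store.sessions.get(token)
    if owner is None or target_email not in store.profiles:
        return None
    p = store.profiles[target_email]
    out = {"bio": p["bio"]}
    if owner == target_email:
        out["phone"] = p["phone"]
    return out


def demo():
    """Runs both flows against two constructed accounts and returns the outcomes."""
    s = ProfileStore()
    s.register("mp@example.invalid", "correct horse", "07700 900000")       # constructed
    s.register("attendee@example.invalid", "battery staple", "07700 900001")  # constructed

    # Vulnerable flow: the attendee "logs in" as the MP with nothing but the email.
    t = login_vulnerable(s, "mp@example.invalid")
    vuln_edit = edit_bio_vulnerable(s, t, "mp@example.invalid", "defaced")

    # Hardened flow: a real login cannot reach the MP's profile or phone number,
    # and guessing at the MP's password locks that account after MAX_FAILED tries.
    at = login(s, "attendee@example.invalid", "battery staple")
    cross_edit = edit_bio(s, at, "mp@example.invalid", "defaced again")
    own_edit = edit_bio(s, at, "attendee@example.invalid", "hello")
    phone_leaked = "phone" in (view_profile(s, at, "mp@example.invalid") or {})
    for _ in range(MAX_FAILED):
        login(s, "mp@example.invalid", "wrong")
    locked_out = login(s, "mp@example.invalid", "correct horse") is None
    return {"vuln_edit": vuln_edit, "cross_edit": cross_edit, "own_edit": own_edit,
            "phone_leaked": phone_leaked, "locked_after_failures": locked_out}


if __name__ == "__main__":
    print(demo())
```

The point of the hardened `edit_bio` is that the authorization decision uses only server-side state: the email bound to the token when the password was verified. A client that sends someone else's email as the target gets a refusal, whereas the vulnerable version never looks at who owns the session at all. A real deployment would also rate-limit by source and expire tokens, which this example leaves out.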

  14. Anonymous Coward
    Anonymous Coward

    Are those wood burning drones?

    Surely they could have hired some Paddies to dig trenches for the blockchains, boost the local economy and reinforce their place in the Empire?

  15. BebopWeBop
    Pint

    The 'hackers' did an inspired job with that Mad Nad (aka Nadine Dorris) 'comment'. I hope it gets a wider and publicly appreciative audience than just the Reg (torn between a thumbs up and a pint - decided the pint was deserved)

  16. Crisp

    These are the same people that have all your Internet Connection Records

    But I'm sure they're safe.

  17. chronicdashedgehog

    I'm surprised they needed an app given that the party has so few members. Hand written invites and an A4 list of names would have sufficed

  18. Doctor Syntax Silver badge

    ....The end of the page also states: "Comments, Webshells and shellcode are welcome."

    Despite the issue being widely pointed out on social media, her team is either unaware or unable to fix the problem.

    Why would they? They probably think it makes them look really knowledgeable. Sort of like hashtags.

  19. Doctor Syntax Silver badge

    Remind me again...why are email addresses supposed to be good IDs for access to anything other than the email account and maybe not even for that?
