Web app bug exposed details of over half a million Neighbourhood Watch members
The bug has since been patched
Neighbourhood Alert, a messaging app for members in the UK, was leaking sensitive user data to anyone who cared to look, experts have revealed.
In the UK, citizens can form Neighbourhood Watch groups, which have authorized administrators as well as ordinary members. To communicate, members can use various apps, including Neighbourhood Alert, which, according to a report by The Register, was endorsed by national and regional local authorities and had more than half a million members.
The app, available both on the web and as a mobile app, held plenty of personally identifiable information (PII) on its users, including full names, home and email addresses and, where users had provided them, phone numbers and profile images.
Confirming the flaw
The app also allowed platform coordinators to create “schemes” - city subregions - by drawing an area on the map. A scheme could be as large as the coordinator wanted; it was limited only to the region in which they were registered. As soon as the scheme was drawn, the coordinator could see all registered members inside it.
The problem here is that anyone could register as a platform coordinator, and anyone could create a scheme. The Register tested this idea, using fake information and a throwaway email address to successfully register, set up a scheme, and obtain sensitive user data practically instantly. The sensitive data obtained this way belonged to all kinds of people, including police officers, MPs, and other high-profile individuals “with a reasonably elevated expectation of privacy.”
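The access-control gap described above, as an added illustration that is not VISAV's code: a member lookup that trusts any self-registered coordinator account, beside a version that requires a vetted coordinator, keeps the drawn scheme inside the coordinator's assigned region and returns only the fields needed to send an alert. The member records, the region and the bounding-box simplification of a drawn scheme are all constructed assumptions.

```python
from dataclasses import dataclass

# Constructed sample members; a drawn scheme is simplified to a lat/lon bounding box.
MEMBERS = [
    {"id": 1, "name": "Member One", "email": "one@example.invalid", "phone": "01", "lat": 51.50, "lon": -0.12},
    {"id": 2, "name": "Member Two", "email": "two@example.invalid", "phone": "02", "lat": 53.48, "lon": -2.24},
]
# (min_lat, max_lat, min_lon, max_lon) of a constructed registration region.
LONDON_REGION = (51.0, 52.0, -1.0, 1.0)


@dataclass
class Coordinator:
    user_id: int
    region: tuple      # region the coordinator is registered for
    verified: bool     # set by a human vetting step, never by self-registration


class Forbidden(Exception):
    pass


def in_box(point, box):
    lat, lon = point
    min_lat, max_lat, min_lon, max_lon = box
    return min_lat <= lat <= max_lat and min_lon <= lon <= max_lon


def box_within(inner, outer):
    # Both corners of the inner box must lie inside the outer box.
    return in_box((inner[0], inner[2]), outer) and in_box((inner[1], inner[3]), outer)


def members_in_scheme_vulnerable(coord, scheme):
    # Only the existence of a coordinator account is checked, which anyone could
    # create, and every stored field is handed back.
    return [m for m in MEMBERS if in_box((m["lat"], m["lon"]), scheme)]


def members_in_scheme_hardened(coord, scheme):
    if not coord.verified:
        raise Forbidden("coordinator has not been vetted")
    if not box_within(scheme, coord.region):
        raise Forbidden("scheme extends outside the coordinator's region")
    # Least privilege: return the minimum needed to address an alert, not the full record.
    return [{"id": m["id"], "name": m["name"]}
            for m in MEMBERS if in_box((m["lat"], m["lon"]), scheme)]
```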
The company behind the app is called VISAV, the publication further said. It was notified about the security lapse and responded by plugging the hole and apologizing for the mistake.
Mike Douglas, product director and a data protection officer at VISAV, said: "The anomaly was fixed immediately, and we have voluntarily notified every member to inform them and provide guidance, even the vast majority of members who were not potentially affected by it. We have also reported ourselves to the regulator to support our own intensive investigation and help prevent future risks."
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.