[LINK] Westfield Find my Car app privacy failure

Alex (Maxious) Sadleir maxious at gmail.com
Wed Sep 14 11:52:44 AEST 2011


> This is a fair bit of data. Actually it’s a lot of data and it’s being sent down to your phone every time you try to locate a car. Remember, all the app needs to do is show us an image of what may be our car. But the really worrying bit is what’s inside the “visit” node; Westfield is storing and making publicly accessible the time of entry and the number plate (see the “text” field) of what appears to be every single vehicle in the centre. What’s more, it’s available as a nice little service easily consumable by anyone with the knowhow to build some basic software.
> But this is only four results, right? Actually, it’s worse than that. A lot worse. That URL for the service endpoint we looked at earlier contains a number of parameters – filters, if you like – and removing these readily provides the current status of all 2,550 sensors. This includes the number plate of any car currently occupying a space and as you can see, it’s available by design to anyone:
> You can freely request that resource over and over as many times as desired and then store the data to your heart’s content. Now that, is a privacy concern.

The service has been shut off completely while the contractor licks
their wounds. Apparently the lack of authentication allowed the
internet at large to use the find my car API to reconfigure the car
park management system remotely including the LED signs.
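
The server-side fix the quoted post points to, as an added example that is not part of the original message or of the car park system's code: make the plate filter mandatory, cap the result count, and return only what the app needs to show a candidate car. Only the "visit" node and its "text" field come from the quoted post; the `plate` parameter, the `bay` and `image_id` fields, the prefix matching and the minimum query length are assumptions, and the records are constructed.

```python
import re

MIN_QUERY_LEN = 4                     # assumed: shorter fragments are refused
MAX_RESULTS = 4                       # the quoted post mentions four results per lookup
PUBLIC_FIELDS = ("bay", "image_id")   # assumed names: enough to show a candidate car

# Constructed records standing in for the backend's per-sensor state.
SENSORS = [
    {"bay": "P2-014", "image_id": "img-0014",
     "visit": {"text": "ABC123", "entry": "2011-09-14T09:02:11"}},
    {"bay": "P2-015", "image_id": "img-0015",
     "visit": {"text": "ABC129", "entry": "2011-09-14T09:40:53"}},
    {"bay": "P3-201", "image_id": "img-0201",
     "visit": {"text": "XYZ777", "entry": "2011-09-14T10:15:02"}},
    {"bay": "P3-202", "image_id": None, "visit": None},  # empty bay
]


class BadRequest(ValueError):
    """Raised when a lookup would amount to an unfiltered dump."""


def normalise_plate(raw):
    """Upper-case the input and drop everything except letters and digits."""
    return re.sub(r"[^A-Z0-9]", "", (raw or "").upper())


def find_my_car(params, sensors=SENSORS):
    """Return at most MAX_RESULTS candidates, exposing only PUBLIC_FIELDS."""
    plate = normalise_plate(params.get("plate"))
    # Dropping or emptying the filter must fail, not widen the result set.
    if len(plate) < MIN_QUERY_LEN:
        raise BadRequest("plate filter is mandatory")
    hits = [s for s in sensors
            if s["visit"] and s["visit"]["text"].startswith(plate)]
    # Allow-list the response: the visit node (plate, entry time) never leaves.
    return [{k: s[k] for k in PUBLIC_FIELDS} for s in hits[:MAX_RESULTS]]
```
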
