The UK Conservative Party's annual conference is about to kick off in Birmingham, and the Tories have distributed an app ahead of time to all attendees: senior ministers, government officials, members of the press, party members, and others.
The app has a fatal design-flaw: anyone could login as any attendee, provided that you knew that person's email address. As Guardian columnist and Jacobin writer Dawn Foster explained in a tweet, you could effect this login "just with their email address, no emailed security links, and post comments as them."
Once logged in, you could see the user's private mobile phone number, change that person's profile, and, as noted, post comments under their name (the app has been updated to close the vulnerability).
Twitter users are speculating about which UK data-protection laws this violates and what sort of penalties the party may face as a result of the breach.
More trenchantly, this undermines the Conservatives' signature technological promises, including its insistence that a post-Brexit Irish border can be solved with technology, and the plans to make EU citizens register their presence in the UK with an app.
FFS, the Tory conference app allows you to login as other people and view their contact details just with their email address, no emailed security links, and post comments as them.— Dawn Foster (@DawnHFoster) September 29, 2018