Parking firm pulls app after dev claims: I can SEE credit card privates

An automated parking firm has halted public access to its payment app after a blogger identified a serious security flaw which he claimed allowed him to see other users' credit card information. According to Matt Cheetham, an iOS developer based in Bournemouth, the Phone and Pay app was so leaky that he could easily access …

COMMENTS

This topic is closed for new posts.
  1. Anonymous Coward

    What?

    At no point has there been a material security breach and no credit card details have been compromised.

    But... isn't that how the guy found out about the problem? So surely there HAS been a material security breach and credit card details HAVE been compromised.

    And seriously, what kind of inept company did they use if they left all their logging in the release build? I mean, some logging stays in sure, but nothing on the sensitive data. After this I don't think I'd ever use the app no matter how many 'security updates' they release.

    1. David Dawson

      Re: What?

      And seriously, what kind of inept company did they use if they left all their logging in the release build? I mean, some logging stays in sure, but nothing on the sensitive data. After this I don't think I'd ever use the app no matter how many 'security updates' they release.

      -------

      That's not the problem, logging shouldn't matter one bit.

      The problem here is that the communication between client and server is not correctly secured and authorised. The server should enforce security in all cases. The client can do so too, but their issue is server side.
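The point made in the comment above, that the server has to decide for itself whether the caller may see a record, is worth showing in code. The following is an added example written for this page, not code from the Phone and Pay app (whose internals are not public) or from anyone in the thread; the data model, the session handling, the `/api/cards/<id>` path and all function names are assumptions made for illustration. It places the lookup that trusts a client-supplied id beside one that checks the record's owner against the server-side session.

```python
"""Added example: a server-side ownership check on a card-details lookup.

Illustration code, not the Phone and Pay app's code. The data model, the
session handling and the URL path shape are assumptions for the example.
"""
import re
from typing import Dict, Optional, Tuple

# Constructed sample data: two users, one stored card record each.
# Only the last four digits and expiry are kept, which is all a display
# endpoint should ever need to return.
CARDS: Dict[int, Dict[str, str]] = {
    101: {"owner": "alice", "last4": "4242", "expiry": "12/27"},
    102: {"owner": "bob", "last4": "1111", "expiry": "03/26"},
}

_CARD_PATH = re.compile(r"^/api/cards/(\d+)$")


class AuthorisationError(Exception):
    """Raised when the caller is not allowed to see the requested record."""


def get_card_insecure(card_id: int) -> Dict[str, str]:
    """The vulnerable shape: trusts the client-supplied id and nothing else.

    Anyone who can guess or enumerate ids can read every record. No amount
    of client-side care (or log hygiene) fixes this; only the server can."""
    return CARDS[card_id]


def get_card(session_user: Optional[str], card_id: int) -> Dict[str, str]:
    """The hardened shape: the principal comes from the server-side session,
    never from the request, and is compared with the record's owner."""
    if session_user is None:
        raise AuthorisationError("not authenticated")
    record = CARDS.get(card_id)
    # Same error for "no such record" and "not your record", so a probing
    # client cannot use the response to learn which ids exist.
    if record is None or record["owner"] != session_user:
        raise AuthorisationError("forbidden")
    return record


def handle_request(path: str, session_user: Optional[str]) -> Tuple[int, Dict[str, str]]:
    """Minimal request handler returning (HTTP status, JSON-like body).

    session_user stands in for whatever the framework resolves from the
    session cookie; that resolution is assumed, not shown."""
    m = _CARD_PATH.match(path)
    if m is None:
        return 404, {"error": "not found"}
    try:
        record = get_card(session_user, int(m.group(1)))
    except AuthorisationError as exc:
        status = 401 if str(exc) == "not authenticated" else 403
        return status, {"error": str(exc)}
    # Echo back only the display fields, never the owner or anything more.
    return 200, {"last4": record["last4"], "expiry": record["expiry"]}


if __name__ == "__main__":
    # alice asks for bob's card: the insecure lookup hands it over,
    # the hardened handler refuses with 403.
    print(get_card_insecure(102))
    print(handle_request("/api/cards/102", "alice"))
    print(handle_request("/api/cards/101", "alice"))
```

The check lives next to the data access rather than in a front-end layer, so every code path that reaches a record goes through it; a client that logs URLs or ids then leaks nothing that the server would not already refuse.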

      1. Anonymous Coward

        Re: What?

        Fair enough, maybe I misread the article. Either way I still stand by the theory that outputting logs with sensitive data to the console should have been removed. Even if it's not a direct security threat with the app itself, it's still a security threat as it gives malware etc something to hook into.

        I tend to do mostly stand-alone stuff, so networked security really isn't my strong point (or my weak point, more like my null point)

    2. Anonymous Coward

      Re: What?

      Raise a complaint with the ICO.

      Clearly the company are completely inept and need a good thrashing.

      The ICO can actually dish out punishment.

      1. Vic

        Re: What?

        Raise a complaint with the ICO.

        Clearly the company are completely inept and need a good thrashing.

        *chortle*

        Vic.

  2. frank ly

    I'm surprised ...

    ... that he wasn't reported and then arrested for hacking into a commercial computer system and stealing personal financial information. Got to clamp down on this sort of thing you know.

  3. Eradicate all BB entrants

    Can anyone get this ......

    ..... functionality for phone/device payments correct when it comes to parking?

    No matter what automated system is in place they are woefully bad, the phone/text ones especially. There is no recourse for anyone affected (especially when they pass the fines to recovery agents when you are still contesting the fine).

    And the card details have been breached, a person who is not supposed to be able to see them did.

    1. Anonymous Coward

      Re: Can anyone get this ......

      Ringo seemed to have it working ok, never had a problem with their system.

    2. stratofish

      Re: Can anyone get this ......

      > And the card details have been breached, a person who is not supposed to be able to see them did.

      "Cheetham alleged this allowed him to see other users' credit card details".

      Note use of the word 'alleged'. Until proven otherwise the statement by the company has to be taken at face value as they are presumably the ones who would know what was exposed or not.

      The fact that he says these were in logs of URLs (i.e. passed in plaintext) is far more significant than the app itself being leaky if true.
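Why card data in a URL is a problem on its own, as an added example that is not part of the original thread or the app: anything in a query string is written verbatim to web-server access logs, proxy logs and browser history, so a card number there is a PAN at rest in plaintext on every box the request passed through. The access-log lines below are constructed for this example (the `pan`/`cvv` parameter names are assumed, not taken from the app); the scanner finds Luhn-valid 13 to 19 digit runs in each line, counts them, and masks all but the last four digits, while dropping the value of any `cvv`/`cvc` parameter outright.

```python
"""Added example: detect and redact card numbers that landed in URL logs.

Not code from the article or the app. Log lines and parameter names are
constructed/assumed for illustration.
"""
import re
from typing import List, Tuple

# Constructed sample access log (combined log format). Line 1 carries a
# Luhn-valid test PAN and a CVV; line 2 carries a mistyped (Luhn-invalid)
# number; line 3 carries a 15-digit session id that is not a card number.
SAMPLE_ACCESS_LOG = [
    '10.0.0.5 - - [01/Jan/2014:10:00:01 +0000] "GET /pay?pan=4111111111111111&cvv=123&exp=1227 HTTP/1.1" 200 512',
    '10.0.0.6 - - [01/Jan/2014:10:00:02 +0000] "GET /pay?pan=4111111111111112&cvv=999 HTTP/1.1" 400 17',
    '10.0.0.7 - - [01/Jan/2014:10:00:03 +0000] "GET /session/123456789012345 HTTP/1.1" 200 80',
]

# A digit run of PAN length, not embedded in a longer run of digits.
_DIGIT_RUN = re.compile(r"(?<!\d)\d{13,19}(?!\d)")
# Assumed parameter names for the card verification value.
_CVV_PARAM = re.compile(r"\b(cvv|cvc)=\d{3,4}")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check: true for every valid PAN, and for ~10% of random
    digit runs, so it filters out timestamps and most ids but is not proof."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep the last four digits, which is what receipts and UIs show."""
    return "*" * (len(pan) - 4) + pan[-4:]


def redact_line(line: str) -> Tuple[str, int]:
    """Return (redacted line, number of Luhn-valid PANs found in it)."""
    pans = 0

    def _mask(m: "re.Match[str]") -> str:
        nonlocal pans
        run = m.group(0)
        if not luhn_ok(run):
            return run
        pans += 1
        return mask_pan(run)

    line = _DIGIT_RUN.sub(_mask, line)
    # A CVV must never be stored at all, so it is removed rather than masked.
    line = _CVV_PARAM.sub(lambda m: m.group(1) + "=[redacted]", line)
    return line, pans


def scan_log(lines: List[str]) -> List[Tuple[str, int]]:
    """Redact every line; the counts tell you how many PANs the log held."""
    return [redact_line(line) for line in lines]


if __name__ == "__main__":
    for redacted, count in scan_log(SAMPLE_ACCESS_LOG):
        print(count, redacted)
```

Two caveats a practitioner would want: the Luhn filter keeps the session id on line 3 out of the count but also lets the mistyped number on line 2 through unmasked, so a redactor run over real logs should treat any value of a known card parameter as sensitive regardless of checksum; and redacting after the fact only cleans the copies you can reach, which is why the fix is to keep card data out of URLs (and ideally off the merchant's servers entirely) in the first place.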

  4. Anonymous Coward

    Hate that kind of bull-plop PR speak.

    "no data was compromised" = "we're sure no one (else) bothered to try this. We really are"

    How the hell can they know no (other) data was compromised? They don't. To state that is utter fiction. A guess. At least one guy COULD have had off with as many CC details as he wanted. If no one else did so it's luck, not judgement.

    Mental note to continue to avoid such systems.

  5. solo

    Payment Gateway App - Requirements

    1. Secure transaction - POSTPONED

    2. Automated transaction - CHECKED

    3. Simple UI - CHECKED

    4. Cheap to develop - CHECKED

    5. Campaign for trust building - CHECKED

  6. Dan 55

    Negligence

    There seem to be plenty of laws about accessing systems without permission but practically none about sufficiently protecting systems from access without permission.

    A horribly prescriptive law updated from time-to-time with latest best security practice which states the technical measures that companies must take to protect websites, app servers, remote data, app clients, and client data is probably the only thing that will get security costs to be considered as non-optional.

  7. Stretch

    who cares about cc numbers

    "THE app store"

    I hope they die being run over by their own vans the little scroats.

  8. JimmyPage

    PCI-DSS ?

    hang on, if this outfit were taking card details then their payment processor should have *required* them to be PCI-DSS compliant.

    Sounds like someone was asleep on the job.
