One Planet York: 'Ethical hacker' exposed council app flaw

BBC mock up of screenshot of the app

The One Planet York app allowed users to check bin collection dates and recycling advice.

A council is seeking to reassure residents that a flaw in a council app allowing personal data to be breached was discovered by an "ethical hacker".

A developer for a Leeds-based digital agency found phone numbers, addresses and encrypted passwords of One Planet York users could be found on the app.

City of York Council initially warned 5,994 accounts contained in the app could have been breached.

It has since called the hack "well-intended" and thanked the developer.

Rapidspike, a digital monitoring platform, said one of its developers "browsed to a page within the app, as any user would" and was able to access a list of ten users with personal information visible.

The developer "did not do anything to exploit the vulnerability" of the app, which allowed users to check bin collection dates and recycling advice, and immediately informed the council, the company said.

City of York Council contacted North Yorkshire Police and the Information Commissioner's Office after the data breach was reported.

The One Planet York app is no longer available to download

The One Planet York app has since been removed from app stores and the council's website, and the authority has urged remaining users to delete it from their devices.

On Monday, the council tweeted: "Despite attempts to contact [the hacker], they did not respond and as a result of what appears to be a deliberate and unauthorised access we informed the police".

More stories from around Yorkshire

The local authority, which has since revised its stance, said: "Following further review it has become clear that the person who identified the issue with the app had tried to contact us but their email had not been received due to security settings.

"Whilst we consider we took appropriate measures based upon the facts at the time, we can now confirm that this was a well-intended action by the individual concerned and we would like to thank them for raising this matter."

This Twitter post cannot be displayed in your browser. Please enable Javascript or try a different browser.View original content on Twitter
The BBC is not responsible for the content of external sites.
Skip twitter post by N Yorks DIIU

Allow Twitter content?

This article contains content provided by Twitter. We ask for your permission before anything is loaded, as they may be using cookies and other technologies. You may want to read Twitter’s cookie policy and privacy policy before accepting. To view this content choose ‘accept and continue’.

The BBC is not responsible for the content of external sites.

An ethical hacker, also known as a 'white hat' hacker, is someone who looks for data vulnerabilities in the public interest, rather than for malicious or criminal purposes.

North Yorkshire Police's digital investigation and intelligence unit said the developer had "acted correctly".

More on this story

Related internet links

The BBC is not responsible for the content of external sites.