After a software developer found glaring security gaps in a CDU app for its door-to-door election campaign, not only that app but two applications from other parties were taken offline. Those responsible for the CDU application, called Connect, admitted on Twitter on Wednesday that Lilith Wittmann had made them aware of the vulnerability. It had become necessary to "take the app off the server as a precaution". Wittmann then discovered that an identical app was also being used by the CSU and by the Austrian People's Party, which governs Austria. Both were only taken offline afterwards.
Thousands of records unprotected
As Der Spiegel, among others, reports, the "CDU connect" app, and thus the other two as well, is an application for party campaigners. They are meant to use it to record where they have already rung doorbells during the campaign and what was discussed there. Accordingly, it also includes gamification elements intended to keep up motivation while going from door to door. According to a detailed blog post, Wittmann became aware of the application on Tuesday and quickly found gaps in it. Those responsible for the app had previously assured on Twitter that it would not collect any personal data.
Because the app did not use common security measures such as certificate pinning, its traffic to the backend could be intercepted and inspected, and Wittmann was able to view a large amount of data on the associated server. Pinning would only have made the client's traffic harder to inspect; it is no substitute for the server checking who may read which records. The data included over 18,000 records on election campaigners who used the app, as well as over 1,300 records on supporters they had registered. Although the records on the people visited at the front door contained no directly identifying data, the supposedly anonymized entries combined with the visible notes on the conversations made it possible to identify some of those people with certainty. Wittmann then reportedly informed CERT-Bund and Berlin's data protection officer.
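To make the pinning point concrete, here is an added example of what certificate pinning does on the client side; it is not code from the article or from the app's developer, and the local TLS server, the JSON body and the "wrong" pin are constructed stand-ins. The client accepts the handshake only if the SHA-256 of the server's SubjectPublicKeyInfo is in its pin set, which is exactly what an interception proxy with its own CA cannot satisfy. It also illustrates the limit of the measure: the server still answers anyone who reaches it, so authorization on the server remains the real control.

```go
package main

import (
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"encoding/base64"
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
)

// ErrPinMismatch is returned when the server's public key is not in the pin set.
var ErrPinMismatch = errors.New("pinning: server public key not in pin set")

// spkiPin computes the pin form used by HPKP and Android's network security
// config: base64(SHA-256(SubjectPublicKeyInfo)). Pinning the key rather than
// the whole certificate survives routine certificate renewals with the same key.
func spkiPin(c *x509.Certificate) string {
	sum := sha256.Sum256(c.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// pinnedClient returns an HTTP client that completes a TLS handshake only if
// the leaf certificate's SPKI hash is in pins. An interception proxy presents
// a certificate with its own key, so the handshake fails here.
func pinnedClient(pins []string) *http.Client {
	cfg := &tls.Config{
		// Chain verification is disabled only because the demo server below is
		// self-signed; a production client keeps it on and pins in addition.
		InsecureSkipVerify: true,
		VerifyPeerCertificate: func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
			if len(rawCerts) == 0 {
				return errors.New("pinning: no peer certificate presented")
			}
			leaf, err := x509.ParseCertificate(rawCerts[0])
			if err != nil {
				return err
			}
			got := spkiPin(leaf)
			for _, p := range pins {
				if p == got {
					return nil
				}
			}
			return fmt.Errorf("%w (got %s)", ErrPinMismatch, got)
		},
	}
	return &http.Client{Transport: &http.Transport{TLSClientConfig: cfg}}
}

// fetch performs a GET through a pinned client and returns the response body.
func fetch(url string, pins []string) (string, error) {
	resp, err := pinnedClient(pins).Get(url)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	return string(body), err
}

// runDemo starts a local TLS server with a constructed response body (a stand-in
// for a campaign API), then fetches it once with the correct pin and once with a
// wrong pin. It returns the body of the good fetch and the error of the bad one.
func runDemo() (string, error) {
	srv := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprint(w, `{"records":2,"note":"constructed sample"}`) // constructed body
	}))
	defer srv.Close()

	good := spkiPin(srv.Certificate())
	wrong := "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=" // assumed pin of a proxy's key

	body, err := fetch(srv.URL, []string{good})
	if err != nil {
		return "", err
	}
	_, badErr := fetch(srv.URL, []string{wrong})
	return body, badErr
}

func main() {
	body, badErr := runDemo()
	fmt.Println("correct pin:", body)
	fmt.Println("wrong pin:  ", badErr)
}
```

Run it with `go run .`; the first request returns the body, the second fails inside the handshake with a pin mismatch. Note that nothing in this client changes what the server hands out: if records are served without checking the caller's authorization, a pinned client protects them from a passive observer of that client, not from anyone who talks to the API directly.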
On Wednesday the Android and iOS apps were taken offline, and those responsible informed the affected campaigners about the vulnerability. Although it had existed for years, it is assumed that no one other than Wittmann accessed the data. Meanwhile, the developer looked into the company that built the app and noticed that it was also used by the CSU and Austria's People's Party. Those apps were not taken offline at the same time, Wittmann criticized in clear terms; that only happened on Thursday.