An app used by dozens of Australian university clubs says it is investigating reports of a major security flaw which potentially exposed the personal data of 50,000 students.
The Guardian reports a Reddit user discovered an alleged weakness in the app Get, which permitted unauthorised users to access full names, “associated emails, phone numbers, date of births, Facebook ID’s, for all the users on their platform.”
The apparent security weakness, discovered late last week, spurred the anonymous user to contact the app’s administrators.
“We became aware of this on Saturday (7th September) and have spent the last 24 hours investigating the claims,” a Get spokesperson wrote Sunday night.
The app said it responded by “tokenising” its API calls – in other words, double-checking users who log in or access Get have the required authorisation to access data.
Folks behind Get also contacted clubs which may have been impacted by the potential breach, and began investigating whether the data had been scooped earlier, the statement said.
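To make concrete what "tokenising" API calls changes, here is an added illustration written for this article; it is not Get's code and assumes nothing about their stack. It uses a constructed in-memory user store and an HMAC-signed, expiring token (stdlib only). The first handler shows the failure mode the Reddit user described: any caller who guesses a record id gets the record. The second requires a valid token and only returns the record belonging to the token's owner.

```python
import hashlib
import hmac
import secrets
import time

# Constructed sample records standing in for a club-membership store.
USERS = {
    101: {"name": "Alex Example", "email": "alex@example.edu",
          "phone": "+61400000001", "dob": "2000-01-01"},
    102: {"name": "Sam Example", "email": "sam@example.edu",
          "phone": "+61400000002", "dob": "1999-12-31"},
}

# Server-side signing key; generated per run for this illustration.
SECRET = secrets.token_bytes(32)


def get_user_unauthenticated(user_id):
    """The weak pattern: the API trusts the id in the request and
    returns whatever record it names, with no check on who is asking."""
    return USERS.get(user_id)


def issue_token(user_id, ttl=3600, now=None):
    """Issued at login: binds a user id and expiry to an HMAC tag."""
    now = time.time() if now is None else now
    payload = f"{user_id}:{int(now) + ttl}"
    tag = hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}:{tag}"


def verify_token(token, now=None):
    """Returns the user id the token was issued to, or None if the
    token is malformed, tampered with, or expired."""
    now = time.time() if now is None else now
    parts = token.split(":")
    if len(parts) != 3:
        return None
    uid, exp, tag = parts
    payload = f"{uid}:{exp}"
    expected = hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison so the tag check does not leak timing.
    if not hmac.compare_digest(tag, expected):
        return None
    try:
        if int(exp) < now:
            return None
        return int(uid)
    except ValueError:
        return None


def get_user_tokenised(user_id, token):
    """The hardened pattern: every call carries a token, the token is
    verified, and the record is only released to its own owner.
    Returns (body, http_status) like a typical API handler."""
    caller = verify_token(token)
    if caller is None:
        return {"error": "unauthorised"}, 401
    if caller != user_id:
        # A valid token for one account must not unlock other accounts.
        return {"error": "forbidden"}, 403
    record = USERS.get(user_id)
    if record is None:
        return {"error": "not found"}, 404
    return record, 200


if __name__ == "__main__":
    print("no auth  :", get_user_unauthenticated(102))
    tok = issue_token(101)
    print("own record:", get_user_tokenised(101, tok))
    print("other id  :", get_user_tokenised(102, tok))
    print("no token  :", get_user_tokenised(101, "not-a-token"))
```

The authorisation check runs before the record lookup, so an unauthenticated caller cannot even learn which ids exist. Note that the token alone is not enough: the `caller != user_id` comparison is the part that stops one logged-in member from reading every other member's record, which is the class of exposure the article describes.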
But the Reddit user who uncovered the issue told The Guardian that was a “non-response”, urging Get to inform users which data was released, if any, as a matter of urgency.
Get, formerly Qnect, enables clubs to set up events, create online stores, and provide ticketing services. The website lists positive testimonials from representatives of the UNSW Engineering Society, Medical Society, and Education Society, among others.
The Reddit user said this potential breach is concerning, as “societies sometimes help members with sensitive topics,” adding “name, date of birth and mobile are enough for a wealth of social engineering hacks”.
As Qnect, the company was the target of a separate data breach in 2017, in which the platform was subjected to an extortion attempt. Speaking to News.com.au last year, co-founder Daniel Liang said “the media did blow it up much more than it really was.”
Get yesterday assured users it was safe to use, and that events and e-commerce activities hosted on Get will continue to operate.
Source: The Guardian
Image: Ullstein Bild / Getty Images