A bug in the Valencia Metro app exposes the data of thousands of users

Not long ago the Vox website was hacked, uncovering the personal data of many people related to the party, and now we have to report another discovery of sensitive and private information: the data belonging to the users of the Valencia Metro app.

An API bug: the hole in the app

A security hole in the official app for Valencia's metro and tram has leaked the personal information of almost 60,000 users, which is no small number. The flaw was discovered by an engineer who did not hesitate to report the situation in court, accusing FGV (Ferrocarrils de la Generalitat Valenciana) and Proconsi (the company that developed the app) of violating the right to the protection of personal data.

As reported by the outlet ValenciaSquare, the complaint is accompanied by a study and a "point by point" explanation of the flaw, which is said to be an error in the application's API. A letter has also been sent to the Spanish Data Protection Agency (AEPD).

The exposed data is very varied, ranging from email, gender and the number of times a person has traveled on the metro to their full name, ID number, date of birth, postal address and telephone number.

The API is unprotected (it does not require any type of authentication), which allows anyone to make a request to the server without any real difficulty. The engineer has demonstrated to the aforementioned Valencian outlet that the data of all registered users can be accessed in a relatively simple way. It is suspected that it would also be quite easy to obtain travelers' credit card numbers (since that record also exists and it is possible to see the expiry dates and the bank to which the cards belong), but the engineer has not tried to do so "so as not to commit a crime".

The engineer, who prefers to remain anonymous, has criticized this as nothing more than the result of entrusting the creation of an app to people who are not qualified for it:
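An added example, not code from the app or from the engineer's report, contrasting an endpoint that returns a record for any requested id with one that authenticates the caller and then checks that the caller owns the record. The token scheme, function names and user records are assumptions constructed for illustration.

```python
import hashlib
import hmac

# Constructed sample data; the key, ids and fields are hypothetical.
SECRET = b"demo-signing-key"  # in production: a random key from a secret store
USERS = {
    "1001": {"name": "Constructed User A", "email": "a@example.org"},
    "1002": {"name": "Constructed User B", "email": "b@example.org"},
}

def _mac(user_id: str) -> str:
    return hmac.new(SECRET, user_id.encode(), hashlib.sha256).hexdigest()

def issue_token(user_id: str) -> str:
    """Token handed out after login: '<user_id>.<HMAC-SHA256(user_id)>'.
    A real token would also carry an expiry time."""
    return f"{user_id}.{_mac(user_id)}"

def authenticate(token):
    """Return the user id the token was issued for, or None if missing or forged."""
    if not token or "." not in token:
        return None
    user_id, _, mac = token.rpartition(".")
    # Constant-time comparison so the check does not leak how much matched.
    ok = hmac.compare_digest(mac.encode(), _mac(user_id).encode())
    return user_id if ok else None

def get_profile_unprotected(requested_id, token=None):
    """The failure mode described above: the record id alone selects the data."""
    record = USERS.get(requested_id)
    return (200, record) if record else (404, None)

def get_profile_protected(requested_id, token=None):
    """Authenticate the caller, then authorize access to this specific record."""
    caller = authenticate(token)
    if caller is None:
        return 401, None  # no valid credential: reject before any lookup
    if caller != requested_id:
        return 403, None  # valid user, but not the owner of this record
    record = USERS.get(requested_id)
    return (200, record) if record else (404, None)
```

Authentication alone would not be enough here: without the ownership check, any registered user could still read every other user's record by changing the id.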

Authentication is a prerequisite for everything of public access that handles private information and in this case it has been decided not to implement any type of authentication without thinking about the consequences. […] has not been developed by qualified professionals.

To demonstrate the seriousness of the matter, the engineer selects a person at random in his report and details all of that person's movements. It shows a Valencia Metro user who lives in La Ribera, takes the metro at the same time every day and rides it to the center of Valencia, where his workplace is located (his email address reveals that detail as well). In the afternoon, he returns to his town, taking the metro from the Plaza de España stop.

The public company Ferrocarrils de la Generalitat Valenciana says it has no record of this flaw or of any complaint. The only thing it acknowledges is that there was a bug in March, when the application was launched, but that it has already been fixed.

If you use the Valencia Metro and have the application, The Confidential has collected the recommendations of the engineer, who strongly advises uninstalling it and deleting all data related to the app until this security hole is officially acknowledged and a solution is provided.

