"My name is John Batistich and I am the General Manager Marketing for Westfield. Firstly, thanks Troy for bringing this issue to our attention. Our intention was to create a free service for our customers so they never lose their car again! However, we have more work to do. Our partner, Park Assist, who provide the camera technology to capture the number plate today advised there was an issue with the authentication of their data feed to the iPhone which resulted in number plate data being publicly accessible via the internet. This issue has been addressed immediately by Park Assist and the Find My Car functionality will not be available for approximately one week until the app has been modified to ensure that data cannot be publicly accessible online. Further, the ‘Find my Car’ functionality on our app is similar to other location-based services and has been developed to provide a service to the average shopper, in an effort to make it easier to find their car. In terms of privacy, the application does not contravene the Privacy Act in so far as number plates are not “personal information”, and are therefore not subject to that act. Having said that, the application theoretically could be used for purposes other than its original intention, however it does not facilitate any activity that couldn’t already happen otherwise. For example, a member of the general public may try to use the application to find a car that is not theirs. On the other hand, at the request of police, the application might also be used to assist in their enquiries into a given situation however, Westfield would not expect either of these situations to be typical. We appreciate you bringing this issue to our attention and we are now working on an update to resolve the technical issue."
We cannot thank you enough for notifying us.
Here's what happened:
1. The API should never have been made accessible publicly. The regular authentication that protects API access was incorrectly disabled. We have corrected the configuration and the services are now protected again.
2. The code snippet should never have been placed on pastie. We were sloppy in that regard.
While the information in the API is mostly used to get counts of how many spaces in the car park are currently occupied (which you can find out by going to the site and reading the digital signage), any unauthorized access to the data is an unacceptable breach.
We acknowledge that these mistakes should never have occurred and we will need to take a hard look into our security procedures to ensure this does not happen again.
If anyone would like to discuss this issue further, we welcome your comments and advice.
Thanks once again. Ian