Industry News

Vivino wine-lovers’ app leaked personal information

Vivino, a popular smartphone app, that allows wine-lovers to scan their favourite bottles of plonk and share recommendations with their friends, has left a sour taste in the mouth – after a security researcher found a privacy vulnerability.

vivino-app

Randy Westergren, a software developer with a long history of finding privacy holes in other people’s programs, discovered a privacy issue in how the Vivino app communicated with its server.

By just sending a simple API call containing a userid, Westergren discovered that Vivino’s website can spit out some interesting personal information, including a user’s full name, alias, email address, and home.

vivino-api

And, you guessed it, Westergren deduced that simply changing the userid would cause Vivino’s servers to share information about other users.

He wrote a proof-of-concept Python script to see if this theory was true, and found it almost instantly started to serve up other users’ personal information.

python

Fortunately, Westergren believes in responsible disclosure – and reached out to the developers of the Vivino app to get the bug fixed.

My experience with Vivino was exemplary. Their team responded immediately, kept me updated, and most importantly, quickly released a patch. They even upgraded me for a free year of their premium product in appreciation.

You see folks – responsible disclosure *can* pay. You don’t need to go public with your vulnerability. At least try to work with a software developer to get a bug fixed, rather than attempting to get your (dubious) 15 minutes of glory irresponsibly telling potential criminals how to exploit insecure code.

About the author

Graham CLULEY

Graham Cluley is an award-winning security blogger, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by companies such as Sophos, McAfee and Dr Solomon's. He has given talks about computer security for some of the world's largest companies, worked with law enforcement agencies on investigations into hacking groups, and regularly appears on TV and radio explaining computer security threats.

Graham Cluley was inducted into the InfoSecurity Europe Hall of Fame in 2011, and was given an honorary mention in the "10 Greatest Britons in IT History" for his contribution as a leading authority in internet security.

2 Comments

Click here to post a comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.