Vivino, a popular smartphone app, that allows wine-lovers to scan their favourite bottles of plonk and share recommendations with their friends, has left a sour taste in the mouth – after a security researcher found a privacy vulnerability.
Randy Westergren, a software developer with a long history of finding privacy holes in other people’s programs, discovered a privacy issue in how the Vivino app communicated with its server.
By just sending a simple API call containing a userid, Westergren discovered that Vivino’s website can spit out some interesting personal information, including a user’s full name, alias, email address, and home.
And, you guessed it, Westergren deduced that simply changing the userid would cause Vivino’s servers to share information about other users.
He wrote a proof-of-concept Python script to see if this theory was true, and found it almost instantly started to serve up other users’ personal information.
Fortunately, Westergren believes in responsible disclosure – and reached out to the developers of the Vivino app to get the bug fixed.
My experience with Vivino was exemplary. Their team responded immediately, kept me updated, and most importantly, quickly released a patch. They even upgraded me for a free year of their premium product in appreciation.
You see folks – responsible disclosure *can* pay. You don’t need to go public with your vulnerability. At least try to work with a software developer to get a bug fixed, rather than attempting to get your (dubious) 15 minutes of glory irresponsibly telling potential criminals how to exploit insecure code.