An embarrassing blunder has been discovered in Westfield’s ‘Find My Car’ feature, announced in July: the public API behind it was left unauthenticated, allowing anyone to access the car-park images captured by its ParkAssist technology.
The issue, discovered by software architect and Microsoft MVP Troy Hunt, revolves around the application programming interface (API), provided by ParkAssist, that Westfield was using to power the license plate search for its Bondi complex.
The API gave Westfield the ability to provide a new feature in its iPhone application — downloaded more than 83,000 times — that allowed visitors to its Bondi complex to find their car in the car park by simply typing in their license plate.
However, as Hunt discovered by inspecting the app’s traffic with tools such as Fiddler, the API was not protected by any authentication at all, so anyone could query the information the service returned without going through the iPhone app.
“What this means is that anyone with some rudimentary programming knowledge can track the comings and goings of every single vehicle in one of the country’s busiest shopping centres,” Hunt wrote in a lengthy post detailing the vulnerability.
“Whilst I’m by no means a strong privacy advocate, something about this just doesn’t sit quite right with me.”
Images of the cars weren’t the only information available through the API: according to Hunt, it was also possible to retrieve the license plate as text and the arrival time of a car, either for a single parking space or for the entire car park.
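To make the failure concrete, the following is an added example (not ParkAssist’s or Westfield’s code, and not the API Hunt examined) that contrasts the weak pattern the article describes with a hardened plate lookup. The car-park data, device identifiers, token scheme and lookup quota are all constructed for illustration. The weak `lookup_unauthenticated` takes no caller identity and lists the whole lot when given no plate; `LookupService.find_my_car` requires a per-install bearer token, accepts only one exact plate per query (no wildcards or partial matches), caps the number of lookups per device so that enumerating plates is expensive, and returns only the fields the driver needs.

```python
import re
import secrets

# Constructed sample car-park state (not real ParkAssist data):
# plate -> bay, arrival time and the camera image captured for that bay.
SAMPLE_LOT = {
    "ABC123": {"bay": "P2-041", "arrived": "10:12", "image": "/bays/P2-041.jpg"},
    "XYZ789": {"bay": "P3-117", "arrived": "11:05", "image": "/bays/P3-117.jpg"},
}

# A single, exact Australian-style plate: letters and digits only.
PLATE_RE = re.compile(r"^[A-Z0-9]{2,8}$")


def normalise_plate(raw):
    """Canonicalise a user-typed plate and reject anything that is not one exact plate."""
    if raw is None:
        raise ValueError("plate required")
    plate = re.sub(r"[\s-]", "", raw).upper()
    if not PLATE_RE.fullmatch(plate):
        # Wildcards, prefixes and empty strings would turn a lookup into a listing.
        raise ValueError("plate must be 2-8 letters or digits")
    return plate


def lookup_unauthenticated(lot, plate=None):
    """The weak pattern: no caller identity, and an empty query returns the whole car park."""
    if plate is None:
        return dict(lot)
    return lot.get(plate.upper())


class LookupService:
    """Hardened lookup: authenticated caller, exact-match only, per-device quota."""

    def __init__(self, lot, max_lookups=5):
        self.lot = lot
        self.max_lookups = max_lookups  # hypothetical quota per app install
        self._tokens = {}   # device_id -> opaque bearer token issued at registration
        self._lookups = {}  # device_id -> lookups consumed

    def register_device(self, device_id):
        """Issue an opaque token to an app install; the server keeps the only copy."""
        token = secrets.token_urlsafe(32)
        self._tokens[device_id] = token
        return token

    def _authenticate(self, device_id, token):
        expected = self._tokens.get(device_id)
        if expected is None or not secrets.compare_digest(expected, token or ""):
            raise PermissionError("invalid or missing token")

    def find_my_car(self, device_id, token, raw_plate):
        """Return the bay and image for exactly one plate, or None if it is not parked."""
        self._authenticate(device_id, token)
        plate = normalise_plate(raw_plate)
        used = self._lookups.get(device_id, 0) + 1
        self._lookups[device_id] = used
        if used > self.max_lookups:
            # Makes sweeping the car park plate-by-plate impractical from one install.
            raise RuntimeError("lookup quota exceeded for this device")
        record = self.lot.get(plate)
        if record is None:
            return None
        # Only what the driver needs: no arrival time, no bulk listing.
        return {"bay": record["bay"], "image": record["image"]}


if __name__ == "__main__":
    svc = LookupService(SAMPLE_LOT)
    token = svc.register_device("phone-1")
    print(svc.find_my_car("phone-1", token, "abc 123"))
```

The quota is deliberately per device rather than per IP address, since the attacker Hunt describes is a script, not the app, and can change source addresses far more easily than it can obtain freshly registered tokens. Whether the arrival time should be returned at all is a policy decision; the example omits it because the feature only needs to point a driver at a bay.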
Westfield said in a statement this afternoon that it had only been made aware of the authentication issue by provider ParkAssist this morning, and that it was working on a solution with the company, disabling the car finding functionality in the meantime.
“This issue has been addressed immediately by Park Assist and the Find My Car functionality will not be available for approximately one week until the app has been modified to ensure that data cannot be publicly accessible online,” a spokesperson for the company said.
On the broader topic of the privacy concerns raised by the car finding functionality, Westfield says it doesn’t believe the app contravenes Australian privacy laws, as license plates are not considered “personal information” under the act.
“The application theoretically could be used for purposes other than its original intention, however it does not facilitate any activity that couldn’t already happen otherwise,” the spokesperson said, before mentioning that in extreme cases police may request access to the application to “assist in their enquiries”.
Westfield said it plans to introduce the Find My Car tool into “future” complexes in Australia, while visitors to existing Australian complexes are able to mark their parking spots manually.
Image Credit: Westfield