Westfield Australia ‘Find My Car’ privacy blunder uncovered


Find My Car in Westfield's iPhone app

An embarrassing blunder has been discovered in Westfield’s ‘Find My Car’ feature, announced in July, which allowed anyone to access images taken by its ParkAssist technology through an unprotected public API.

The issue, discovered by software architect and Microsoft MVP Troy Hunt, revolves around the application programming interface (API) that Westfield was using to power the license plate search for its Bondi complex, provided by ParkAssist.

The API gave Westfield the ability to provide a new feature in its iPhone application — downloaded more than 83,000 times — that allowed visitors to its Bondi complex to find their car in the car park by simply typing in their license plate.

However, as Hunt discovered using tools such as Fiddler, the API behind the service wasn’t protected at all, potentially allowing anyone to access the information provided by the service outside of the iPhone app.

“What this means is that anyone with some rudimentary programming knowledge can track the comings and goings of every single vehicle in one of the country’s busiest shopping centres,” Hunt wrote in a lengthy post detailing the vulnerability.

“Whilst I’m by no means a strong privacy advocate, something about this just doesn’t sit quite right with me.”

Images of the cars weren’t the only information available through the API — according to Hunt, it was also possible to obtain the license plate as text and the time of arrival of a car in a parking space, or even to retrieve this data for the entire carpark.
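As an added illustration (not code from Westfield, ParkAssist or Hunt’s post), here is a Python sketch of the unauthenticated lookup pattern the article describes beside a hardened handler that authenticates the app, throttles queries and returns only the bay location; the bay records, the shared secret and the field names are constructed assumptions.

```python
import hashlib
import hmac
import time
from collections import defaultdict

# Constructed sample of what a bay store behind a plate lookup might hold (hypothetical fields).
BAYS = {
    "ABC123": {"level": "P2", "bay": "214", "arrived": "10:02", "image": "bay214.jpg"},
    "XYZ789": {"level": "P1", "bay": "031", "arrived": "09:47", "image": "bay031.jpg"},
}


def lookup_unprotected(plate=None):
    """The pattern the article describes: no credentials, the full record is returned,
    and an empty query enumerates the whole carpark."""
    if plate is None:
        return dict(BAYS)
    return BAYS.get(plate)


APP_SECRET = b"constructed-secret-shared-with-the-app"  # assumption, not a real value
REQUESTS = defaultdict(list)  # client_id -> timestamps of recent accepted requests
MAX_PER_MINUTE = 5


def make_token(client_id):
    """Token the app presents; an HMAC over its client id under the shared secret."""
    return hmac.new(APP_SECRET, client_id.encode(), hashlib.sha256).hexdigest()


def lookup_hardened(client_id, token, plate, now=None):
    now = time.time() if now is None else now
    # 1. Authenticate the caller. A secret shipped inside an app only raises the bar,
    #    which is why steps 2 and 3 matter at least as much.
    if not hmac.compare_digest(make_token(client_id), token):
        return {"error": "unauthorised"}
    # 2. Throttle per client so a plate-by-plate sweep of the carpark is impractical.
    window = [t for t in REQUESTS[client_id] if now - t < 60]
    if len(window) >= MAX_PER_MINUTE:
        return {"error": "rate_limited"}
    window.append(now)
    REQUESTS[client_id] = window
    # 3. Minimise data: an exact plate is required, and only the bay location is returned
    #    (no image, no arrival time, no bulk listing).
    if not plate or not plate.isalnum():
        return {"error": "plate_required"}
    rec = BAYS.get(plate.upper())
    if rec is None:
        return {"error": "not_found"}
    return {"level": rec["level"], "bay": rec["bay"]}
```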

Westfield said in a statement this afternoon that it had only been made aware of the authentication issue by provider ParkAssist this morning, and that it was working on a solution with the company, in the meantime disabling the car finding functionality.

“This issue has been addressed immediately by Park Assist and the Find My Car functionality will not be available for approximately one week until the app has been modified to ensure that data cannot be publicly accessible online,” a spokesperson for the company said.

On the broader topic of privacy concerns raised by the car finding functionality, Westfield says it doesn’t believe the app contravenes Australian privacy laws, as license plates are not considered “personal information” under the act.

“The application theoretically could be used for purposes other than its original intention, however it does not facilitate any activity that couldn’t already happen otherwise,” the spokesperson said, before mentioning in extreme cases police may request access to the application to “assist in their enquiries”.

Westfield said it plans to introduce the Find My Car tool into “future” complexes in Australia, with visitors to existing Australian complexes able to mark their parking spots manually.

Image Credit: Westfield


    • You still can, you just have to use the iPhone app to do it now, instead of your custom built API accessing program.

    • Unfortunately not, since it’s tracking your license plate whether you want it to or not… Of course, you could just not shop at Bondi Westfield (or come by public transport).

      • Well I’m on the Central Coast so won’t be shopping at Bondi anytime soon, and the only time we have any real trouble with parking is during tourist season.

  1. I think it’s a great idea. Although I do agree it’s not that hard to remember where you parked. That being said, it was only a matter of time for something like this to happen.

    Also, grum, you can still stalk your ex, just enter her number plate and see if she is in the shopping center and then wait by the car.

    • After just having returned from Malaysia and parking in places such as the KLCC and Gurney Plaza and Queensbay Mall, I would have to agree with you 100%.

      Places like that have multi-level parking that can only be accessed from certain escalators or lifts, and even then they have things like half levels. It can be a real task to locate your car.

      Australian parking lots are a piece of piss.
