The App You're Using For Uni Meetups Might Be Costing You Your Privacy

But hey, some personal info is a pretty small price to pay to keep things organised!

Running an Aussie uni club or society can be a logistical nightmare and that’s where apps like Get come in handy for keeping track of members and their deets. Now that’s a lot of personal info stored in one place and it would be awful if it were hacked or if a vulnerability was discovered.

Well that’s exactly what happened.

A Reddit user posted on the UNSW subreddit and revealed that they were able to get unauthorised access to the personal info – name, email, DOBs, Facebook IDs and phone numbers – of Get’s users using the app’s search function API.

Worryingly, the user said they were able to access the data without using any tokens (used to provide legitimate access to the app), meaning anyone could get their hands on the data.

All in all, an estimated 50,000 Aussie uni students may have had their data exposed due to this vulnerability, which represents about one-third of the platform’s 159k user base. Yikes.

The Guardian reports that the Reddit user tried to reach out to Get “around six times” over the weekend they discovered the app’s security flaw but were met with a “non-response.”

While Get hasn’t reached out to the Reddit user, it has posted an update on its website stating that changes were made to prevent unauthorised access to the service and that it is investigating the reported security flaws. Get has also said it’s been in contact with any Aussie uni clubs and societies that may have been impacted by the vulnerability.

This security flaw isn’t the first time Get has found itself in hot water due to issues related to data breaches and the like.

Back in 2018 – when Get was originally known as Qnect – members of Aussie uni societies and clubs using the service were reportedly threatened with the release of their personal info by a hacking group unless the company paid them a ransom in Bitcoin.

Get states that its platform is safe to use after addressing the discovered vulnerability. Having said that, best start proofing your personal info just to be doubly sure or you might find yourself at the pointy end of an extortion attempt from some dudes who have a hankering for Bitcoin.