In a classic case of the pot calling the kettle black, Congress was found leaking users’ personal data just as Rahul Gandhi took a dig at the NaMo app for sharing data.
Earlier this week, a security researcher who goes by the name Elliot Alderson disclosed that the NaMo app was sharing personal user data with a third party domain belonging to a US-based company.
When you create a profile in the official @narendramodi #Android app, all your device info (OS, network type, Carrier …) and personal data (email, photo, gender, name, …) are sent without your consent to a third-party domain called https://t.co/N3zA3QeNZO. pic.twitter.com/Vey3OP6hcf
— Elliot Alderson (@fs0c131y) March 23, 2018
The hacker revealed that when a profile is created on the NaMo Android app, all device information (like the OS, network type and carrier) as well as personal data (like name, email and photo) are sent to a third-party domain, in.wzrkt.com, without authorization.
He went on to reveal that the domain belongs to CleverTap, a leading mobile marketing platform.
Shortly after the disclosure, the NaMo app team stated that CleverTap offers them analytical solutions and that the data is used for re-marketing. The team also testified that the data is not used by CleverTap for any other app.
While there is no problem with using a third party company for analytics solutions, sharing personal data without prior authorization from the user does violate privacy laws.
Throwing light on the legitimacy of the data-sharing allegations, Altnews found that upon registering on the NaMo app, personal data including the name, email ID, service provider, etc. was being shared with the third-party website.
Congress takes a dig, gets served instead
Not losing an opportunity to point out the privacy gaffe, Rahul Gandhi tweeted last morning: "Hi! My name is Narendra Modi. I am India's Prime Minister. When you sign up for my official app, I give all your data to my friends in American companies."
The IP address of https://t.co/t1pidQUmtq is 18.104.22.168. This server is located in Singapore. As you are an #Indian political party, having your server in #India is probably a good idea. pic.twitter.com/tbspCtOPfB
— Elliot Alderson (@fs0c131y) March 26, 2018
Call it poetic justice or a bad case of karma: Alderson pointed out that the Congress-owned web address membership.inc.in used the less-secure HTTP protocol instead of HTTPS. He also revealed that the website's IP address indicated that its server was located in Singapore.
Soon after, the INC deleted the app from the Play Store, and its head of social media, Divya Spandana, confirmed to TOI that Congress had indeed pulled down the app as people were being led to the older, less-secure membership site.