Opposition coalition 1Sambayan’s app, 1Sama Ako, for volunteer sign-ups was hit by a data breach over the weekend, the Inquirer reported Monday, June 14.

Lawyer Howard Calleja, one of its convenors spoke on ABS-CBN’s Teleradyo, saying that they learned about the hack on Saturday, June 12, 4:30 pm during their program.

Calleja said they reported the hack to the National Privacy Commission, which requires any entity collecting data to report possible user data breaches within 72 hours after discovering the hack.

Calleja also noted that the hacking was done professionally, and hinted that political opponents may be behind it.

Lawyer Howard Calleja said the coalition learned about the hacking on Saturday while they were conducting a program.

“Nalaman po na kailangan pang pagtibayin dahil gagawin po lahat ng dirty politics ng ating kalaban to maintain in power,” said Calleja as quoted by the Inquirer.

(We found out we have to bolster [app security] because our opponents will resort to dirty politics to [remain] in power.)

On Monday, the 1Sambayan membership committee sent an email to those affected, saying the issue with the app had been patched and the app was undergoing further auditing and testing.

The app will remain offline till the audits and tests are complete and cleared by the 1Sambayan security team.

The email added 3,464 volunteers were registered at the time of the breach.

Weaknesses

Manila Bulletin on Saturday, June 12, reported about the potential security weaknesses of the app.

The Manila Bulletin report cited two cybersecurity professionals who said the application may have been released to the public without a proper security assessment.

Secuna co-founder AJ Dumanhug said the APK, or Android Package Kit, of the app had a vulnerability at its endpoint that could have allowed a user to ask the application for information from any one of the users.

Cybersecurity consultant Christian Angel added to Dumanhug’s analysis, saying the Application Programming Interface (API) endpoint was vulnerable.

Angel said, “the informant is exploiting the vulnerable application at the endpoint. As the endpoint of API sends sensitive information as a reply to a query, he just changed the number incrementally to get more information allowing him to access” the details of the users.

The app currently has 5,000 downloads, and is labeled as a “Volunteer Management System,” listing Creative Synergy Inc. as the developer. – Rappler.com