Westfield has had to temporarily disable a feature in its Malls iPhone app after a software architect's investigation found that it was giving the public access to the number plates of cars parked at its malls, along with their time of entry to the parking stations.
Software architect and Microsoft Most Valuable Professional Troy Hunt posted the results of his investigation into the app's "Find my Car" feature on his personal blog.
The feature aims to help users find their car by showing them images in which to identify it, then directing them to the vehicle. The number plates are not visible in the images, according to the blog. But by using a tool to examine the data the app retrieves behind the scenes, Hunt discovered that the plates were exposed to anyone who looked for them.
The app was using information from Park Assist, which runs a service for shopping centres that identifies free parking spaces. The Park Assist Application Programming Interface did not require authentication, and could be used to discover the time of entry and the number plate of every car in the centre.
"What this means is that anyone with some rudimentary programming knowledge can track the comings and goings of every single vehicle in one of the country's busiest shopping centres," Hunt said.
"In an age where we've become surrounded by surveillance cameras, we expect our movements to be monitored by the likes of centre management or security forces, but not on public display to anyone with an internet connection!"
Hunt raised concerns that this information could be used for any number of troubling purposes, such as helping a stalker track a victim, aiding a suspicious husband in keeping an eye on his wife, or notifying a car thief when a car they are interested in enters the car park.
Park Assist responded to Hunt's concerns quickly after he posted the blog, closing open access to the information.
Westfield confirmed that Park Assist had informed it yesterday of an issue with the authentication of its data feed into the iPhone app, which resulted in number plate information being publicly accessible.
It said that the issue had been addressed and that the Find My Car function had been disabled, likely for one week, until the app has been modified to make sure that the data is not freely accessible. The app had been designed by specialist app developer Intunity.
"In terms of privacy, the application does not contravene the Privacy Act insofar as number plates are not 'personal information', and are therefore not subject to that Act," the company said in a statement. "Having said that, the application theoretically could be used for purposes other than its original intention; however, it does not facilitate any activity that couldn't already happen otherwise."
The shopping centre giant also pointed out that the application could help police, as well as unsavoury parties.
Hunt suggested that the app could operate with far less information, which would make it safer.
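The two designs the article contrasts, as an added illustration that is not code from the article, from Hunt, or from Westfield, Park Assist or Intunity: an anonymous feed that hands every record to any caller, beside a lookup that requires an app session and returns only the bay and photo needed to find one car. The record fields, the token scheme and the sample data are all constructed assumptions.

```python
import hmac
import hashlib
import secrets

# Constructed sample of the per-vehicle records the article says the parking
# feed exposed (plate, entry time, bay, photo). Field names are assumptions.
PARKING_FEED = [
    {"bay": "L2-041", "plate": "ABC123", "entered_at": "2011-09-06T08:12:00", "image": "cam12/0041.jpg"},
    {"bay": "L2-042", "plate": "XYZ789", "entered_at": "2011-09-06T09:30:00", "image": "cam12/0042.jpg"},
]

SERVER_SECRET = secrets.token_bytes(32)  # per-deployment secret, never shipped in the app


def unauthenticated_feed():
    """The weak design: every record, plates and entry times included, to any caller."""
    return PARKING_FEED


def issue_token(user_id):
    """Bind a token to an app session so the lookup is no longer anonymous (assumed scheme)."""
    mac = hmac.new(SERVER_SECRET, user_id.encode(), hashlib.sha256).hexdigest()
    return f"{user_id}:{mac}"


def verify_token(token):
    user_id, _, mac = token.partition(":")
    expected = hmac.new(SERVER_SECRET, user_id.encode(), hashlib.sha256).hexdigest()
    return bool(user_id) and hmac.compare_digest(mac, expected)


def find_my_car(token, plate_query):
    """Hardened lookup: authenticated, exact-match on the caller's own plate, and
    returning only what the feature needs (bay and photo), never the plate list
    or entry times. Rate limiting of repeated queries belongs at the API gateway."""
    if not verify_token(token):
        raise PermissionError("valid app session required")
    wanted = plate_query.strip().upper()
    return [
        {"bay": r["bay"], "image": r["image"]}
        for r in PARKING_FEED
        if r["plate"] == wanted
    ]
```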