Tube tickets' new website reveals thousands of users' data

BarcelonaA new obstacle has come up in the launch of the Barcelona metropolitan area's new T-Mobilitat transport ticket. Monday's euphoria over the launch of the new website that allows travellers to register and acquire the new transport ticket has lasted under 48 hours. The Metropolitan Transport Authority (ATM) has had to quickly correct a serious security loophole that has exposed – from the start – personal data of thousands of users who registered on the website to order their new transport card.

The loophole was reported by a Bosnian computer who lives in Barcelona, Edin Kapić, who on Tuesday published what he had discovered on a Twitter thread: "I went in simply to log in, without any intention of auditing them," Kapić explains to ARA. Despite this, his short journey through the web and his computer skills led him to discover a serious security flaw. "When my wife wanted to register it came up with an error that constantly redirected her to the homepage, and as a computer engineer the first thing I did were typical steps, deleting cookies and restarting the website to see what happened". Kapić discovered "very basic" serious mistakes: "In the address bar there was a sign indicating that you could access the production system, i.e. that you could access the interior of the web design," he adds. "I thought «They couldn't possibly have left this test user open» because it's one of the first things you have to close when a website is finished and made available to the public. But it was indeed open," he explains.

So, this computer scientist was able to access the website as if he were an administrator. "I didn't have to do much, because I tried to log in with the typical user that all computer scientists create when we do tests: «User: test. Password: test»." Once inside the page, Kapić saw that he could access almost everything: "I could have changed the whole website, redirected it somewhere else and also accessed all the users, which at that time were more than 2,000 real people, because I checked," he explains in surprise. For Kapić, this is a serious security error: "When I saw the list with names, surnames, user names and everything, I stopped looking and I started to tweet to warn the ATM"

ATM admitted the mistake and immediately tried to close the security loophole. In another message on social networks, it assured through the profile created for T-Mobilitat that the error had been exposed user data but clarified that it was "for a limited time" and in "non-sensitive data". "The ATM will open a file on the company responsible for this web development", it justified in its message. Consulted by this newspaper, ATM did not want to add any other explanation but stressed that the error occurred in the middle of the testing phase, in time, they say, to correct it. The public body has not wanted to detail which company is ultimately responsible for the creation of the website.

The T-Mobilitat contract was signed in 2014 as a joint venture, a temporary union of companies, called SOC Mobilitat, which is basically formed by Indra, La Caixa, Moventia and Fujitsu. Thus, ATM's informative dossier is directed, therefore, against SOC Mobilitat, but everything makes the experts consulted think that the web and app development could have been carried out by a smaller subcontracted company. "The source code with which this website has been made is shoddy," Kapić assures this newspaper, adding: "It seems to have been done by a company subcontracted by a company subcontracted by the original company, or by a beginner who, moreover, has not been supervised by anyone. This often happens in the sector, with large companies outsourcing development to smaller companies to cut costs," the computer programming expert says. For its part, SOC Mobilitat has not wanted to give details to ARA either about the security problem nor about the company that developed it.

The umpteenth obstacle

The implementation of the T-Mobilitat has been a real obstacle course since the project began. The new ticket for metropolitan transport was initially due to be launched in autumn 2015, but since then it has accumulated numerous impediments and delays that have not allowed this type of ticket – which is already used in many European cities – to become available. The system aims to use a single rechargeable card (either physically or on a mobile phone) and for users to pay only for journeys and distance travelled, as with London's Oyster Card. For several years, the companies and the Generalitat blamed each other for the delay, then the project stalled in 2017 and by 2018 these delays had accumulated a cost overrun of €24m, a deviation that was 41% over the expected cost at the outset. Last year lockdown and the health crisis stemming from the coronavirus put the tests on hold, which finally began this summer. Now that the tests were opened to all citizens, a technical error on the website reignites debate on the protection of personal data and travel data that will be associated with this card, which for years has been announced as "the great revolution" in Catalonia's transport sector.