Dan Hastings

Technical Advisory – New York State Excelsior Pass Vaccine Passport Scanner App Sends Data to a Third Party not Specified in Privacy Policy

Summary: The New York State (NYS) Excelsior scanner app is used by businesses or event venues to scan the QR codes contained in the NYS Excelsior wallet app to verify that an individual has either a negative COVID-19 test or their vaccination status. We have found that some data about the…

September 1, 2021

Technical Advisory – Shop app sends pasteboard data to Shopify’s servers

Summary: In the Shop app when adding a package, any data that matches a specific format defined by Shopify that is contained on the global pasteboard (iOS) or clipboard (Android) is automatically sent without user interaction to Shopify’s servers. Impact: Sensitive PII such as credit card numbers and passwords can…

July 2, 2021

Technical Advisory – ParcelTrack sends all pasteboard data to ParcelTrack’s servers on startup

Summary: Upon start of the ParcelTrack application, any data contained on the global pasteboard (iOS) or clipboard (Android) will be sent to ParcelTrack’s servers. Impact: Sensitive PII such as credit card numbers and passwords often live on the global pasteboard. If any sensitive data is contained on the pasteboard…

Tool Release – Solitude: A privacy analysis tool

Created by Dan Hastings and Emanuel Flores. Solitude is an open source privacy analysis tool that enables you to conduct your own privacy investigations into where your private data goes once it leaves your web browser or mobile device. Whether a curious novice or a more advanced researcher, Solitude makes…
