Dan Hastings
Technical Advisory – New York State Excelsior Pass Vaccine Passport Scanner App Sends Data to a Third Party not Specified in Privacy Policy
Summary The New York State (NYS) Excelsior scanner app is used by businesses or event venues to scan the QR codes contained in the NYS Excelsior wallet app to verify that an individual has either a negative COVID-19 test or their vaccination status. We have found that some data about the…
Technical Advisory – Shop app sends pasteboard data to Shopify’s servers
Summary In the Shop app when adding a package, any data that matches a specific format defined by Shopify that is contained on the global pasteboard (iOS) or clipboard (Android) is automatically sent without user interaction to Shopify’s servers. Impact Sensitive PII such as credit card numbers and passwords can…
Technical Advisory – ParcelTrack sends all pasteboard data to ParcelTrack’s servers on startup
Summary Upon start of the ParcelTrack application any data contained on the global pasteboard (iOS) or clipboard (Android) will be sent to Parcel Track’s servers. Impact Sensitive PII such as credit card numbers and passwords often live on the global pasteboard. If any sensitive data is contained on the pasteboard…
Tool Release – Solitude: A privacy analysis tool
Created by Dan Hastings and Emanuel Flores Solitude is an open source privacy analysis tool that enables you to conduct your own privacy investigations into where your private data goes once it leaves your web browser or mobile device. Whether a curious novice or a more advanced researcher, Solitude makes…