Bright City App
Bright City has a number of major security vulnerabilities that could make private information publicly available. Bright City/brightcityapps.com

Bright City, a “property lockbox app” used by a number of police departments and municipalities, suffers from several security vulnerabilities that could expose the personal information of residents.

The flaws were highlighted by Randy Westergren, a security researcher and senior software developer at XDA-Developers. After examining Bright City, Westergren called it “a highly insecure police and municipal government app.”


The premise of Bright City is to provide a direct connection between residents of a city and their local government and law enforcement. Its marketing, which pitches the product to local officials as a tool for them and their residents, says it can make “your entire government accessible by your citizens on one mobile app.”

Bright City—which is similar to Nextdoor but for local governments—offers a number of features, including the ability for residents to pay for citations, view and purchase tickets for local events, report suspicious activity, report potholes and areas in need of maintenance, request police patrol their neighborhood, and keep up-to-date with police activity through a newsfeed.

One of the primary features of the app is a “property lockbox,” which allows residents and businesses to add photos of their property, including serial and model numbers. The idea behind the feature is if the item is stolen, the person can quickly report it with full details.

Unfortunately, the app isn’t quite as private as it is presented. According to Westergren, the app “required no authentication whatsoever” when creating an account and retrieving a user’s information. It also returns a user’s password in plaintext, which means the service keeps credentials in a recoverable form rather than as salted password hashes, so any account that houses sensitive information is exposed along with its password.


That privacy problem is compounded by the property lockbox feature. Westergren found that the server hosting the app’s uploads allows directory listing, a server-side configuration problem that makes every document and image uploaded through the app publicly browsable, with nothing a user can do on their end to prevent it.

Not only was it possible for a person to freely access private photos uploaded by other users, but they could also spoof other user accounts and submit information on their behalf, creating potentially compromising situations for others—including government agencies and law enforcement operating on the app.
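The two failures described above, an API that serves a user record (password included) without any authentication and one that trusts whatever user identifier the caller supplies, are illustrated below as an added example. This is not Bright City’s code or Westergren’s, and the request shapes, user records, identifiers and the in-memory “database” are all assumptions constructed for the example. The insecure handlers show the flaw class; the hardened service derives identity from a server-side session, stores only salted PBKDF2 hashes (so there is no password to return), and never echoes credential material.

```python
"""Illustrative example (not Bright City's code): an unauthenticated, spoofable
API next to a hardened one. All names, data and request shapes are assumptions."""
import hashlib
import hmac
import os
import secrets
from typing import Optional

# Constructed sample data (assumption): how an insecure service might store users.
INSECURE_DB = {
    "1001": {"username": "alice", "password": "hunter2", "address": "1 Main St"},
    "1002": {"username": "bob", "password": "letmein", "address": "2 Oak Ave"},
}


def insecure_get_user(request: dict) -> dict:
    """Flaw pattern: no session check, so any caller can name any user_id and
    receive the full record, password included, because the password is
    stored in a recoverable form."""
    return dict(INSECURE_DB[request["user_id"]])


def insecure_submit_report(request: dict, reports: list) -> dict:
    """Flaw pattern: the user identity is taken from the request body, so a
    caller can file a report as any other user (account spoofing)."""
    reports.append({"user_id": request["user_id"], "text": request["text"]})
    return {"ok": True, "as_user": request["user_id"]}


# --- hardened version -------------------------------------------------------

def hash_password(password: str, salt: Optional[bytes] = None) -> tuple:
    """Salted PBKDF2-HMAC-SHA256; the digest cannot be turned back into the password."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)  # constant-time comparison


class SecureService:
    """Hypothetical hardened API: identity comes from a server-side session,
    never from the request, and responses carry no credential material."""

    # Dummy hash so unknown usernames cost the same time as real ones.
    _DUMMY_SALT, _DUMMY_DIGEST = hash_password("dummy-password")

    def __init__(self):
        self.users = {}      # user_id -> {"username", "salt", "digest", "address"}
        self.by_name = {}    # username -> user_id
        self.sessions = {}   # opaque token -> user_id
        self.reports = []

    def register(self, user_id: str, username: str, password: str, address: str) -> None:
        salt, digest = hash_password(password)
        self.users[user_id] = {"username": username, "salt": salt,
                               "digest": digest, "address": address}
        self.by_name[username] = user_id

    def login(self, username: str, password: str) -> Optional[str]:
        """Returns an opaque session token on success, None otherwise."""
        user_id = self.by_name.get(username)
        if user_id is None:
            verify_password(password, self._DUMMY_SALT, self._DUMMY_DIGEST)
            return None
        user = self.users[user_id]
        if not verify_password(password, user["salt"], user["digest"]):
            return None
        token = secrets.token_urlsafe(32)
        self.sessions[token] = user_id
        return token

    def _authenticate(self, request: dict) -> str:
        token = request.get("session")
        if token is None or token not in self.sessions:
            raise PermissionError("authentication required")
        return self.sessions[token]

    def get_user(self, request: dict) -> dict:
        user_id = self._authenticate(request)   # any user_id in the request is ignored
        user = self.users[user_id]
        return {"user_id": user_id, "username": user["username"], "address": user["address"]}

    def submit_report(self, request: dict) -> dict:
        user_id = self._authenticate(request)   # report is attributed to the session owner
        self.reports.append({"user_id": user_id, "text": request["text"]})
        return {"ok": True, "as_user": user_id}


if __name__ == "__main__":
    svc = SecureService()
    svc.register("1001", "alice", "hunter2", "1 Main St")
    token = svc.login("alice", "hunter2")
    # user_id=1002 in the request is ignored; the session decides who you are.
    print(svc.get_user({"session": token, "user_id": "1002"}))
```

The point of the contrast is that the hardened service could not return a password even if a bug asked it to: the store holds only a salt and a PBKDF2 digest. Likewise, a caller who sends someone else’s `user_id` still only ever reads or writes their own record, because the handler takes the identity from the session token it issued.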

“Without a fundamental authentication requirement, the integrity of any app information or action/event cannot be guaranteed to be legitimate,” Westergren wrote. He called the risks associated with using the app “numerous and severe” and advised against its use.

“To be clear, there are user passwords (and other personal info), resident reports of suspicious persons, citizen electronic catalogs, and even payment information stored and used in this system—and none of it is safe,” Westergren said.

According to Westergren, he first reported the issues to the app’s makers on July 5 and received an acknowledgement of the report the next day. By July 7, the app had been taken offline in his county. It came back online by July 17 with an authentication system in place, but most of the other issues he reported were unaddressed and continue to put users—both residents and local officials—at risk.