The CPC 2018 app allowed anyone to log in as a politician, delegate or journalist attending the Birmingham event simply using their email address.
Once logged in as that person, they were able to access information including their mobile phone numbers.
Images posted to Twitter on Saturday afternoon showed people logging in as Boris Johnson and Michael Gove among others and apparently leaving messages on its internal messaging system.
Guardian Columnist Dawn Foster, who was one of the first to spot the flaw, wrote: “FFS, the Tory conference app allows you to log in as other people and view their contact details just with their email address, no emailed security links, and post comments as them.
“They’ve essentially made every journalist, politician and attendee’s mobile number public. Fantastic.”
The app, created by an Australian firm called Crown Comms, was updated and the login function removed after concerns were raised with the party.
Jon Trickett, shadow cabinet office minister, said: “How can we trust this Tory Government with our country’s security when they can’t even build a conference app that keeps the data of their members, MPs and others attending safe and secure?
“The Conservative Party should roll out some basic computer security training to get their house in order.”