Feeds

Labour forum leaks email addresses

'Unbelievably poor and sloppy coding'

SANS - Survey on application security programs

Basic design flaws on a Labour party members forum exposed the email addresses of users to harvesting.

Surfers who register through the site http://members.labour.org.uk were invited to confirm their membership, and activate their account, by clicking on the link in an email sent to a specified account.

The email follows the form http://members.labour.org.uk/man-auth/ActivationSent/10000XXXXX

A Reg reader who registered through the site realised that the number at the end of this URL is probably sequential, a unique id which refers to the account just registered. Sure enough, just changing the ID in the URL to a lower number led to the presentation of an email address of another registrant ...

"This is unbelievably poor and sloppy coding," our anonymous informant told El Reg  "Obviously you could use this flaw to extract a whole pile of email addresses. Spammers would love it. Guess there are also data protection issues because this breaks their own privacy policy."

Rik Ferguson, a security consultant at Trend Micro, helped El Reg confirm the flaw, which he explained had resulted from a failure to follow established best practice in website design.

"By simply stepping backwards through the number sequence it is possible to harvest the email addresses of all the people who have registered before you," Ferguson explained. "Of course this could easily be automated and the full list could be harvested in a few seconds."

"The problem is that whoever is responsible for the website design uses a direct object reference in the URL (ie: the sequential number). Not only is the reference direct, it is also sequential, making it simple to guess. Best practice is to avoid any kind of direct object reference, instead using the URL to point to an internal index or other indirect reference map. If the URL must contain a direct reference then access to it should be secured by authentication," he added.

We notified Labour's website of the flaw late last week. By Tuesday evening Labour digital staffers were well on top of the problem.

"The Labour Party is always looking for ways to improve our digital presence," a New Labour spokesman told El Reg. "We were already in the process of updating our website's sign-in security and as part of this, the issue in question has been resolved."

It's worth emphasising that the breach was restricted to email addresses and that no other information, much less payment information, was disclosed. Nonetheless the general public are entitled to hold Labour to a higher standard than a Mom and Pop shop, especially given the party's advocacy of putting such a large amount of citizens' personal information on databases while it was in power. Against this the potential rewards from a targeted phishing attack based on the easily obtained email list would have been considerable. ®

Combat fraud and increase customer satisfaction

More from The Register

next story
Parent gabfest Mumsnet hit by SSL bug: My heart bleeds, grins hacker
Natter-board tells middle-class Britain to purée its passwords
Samsung Galaxy S5 fingerprint scanner hacked in just 4 DAYS
Sammy's newbie cooked slower than iPhone, also costs more to build
Obama allows NSA to exploit 0-days: report
If the spooks say they need it, they get it
Web data BLEEDOUT: Users to feel the pain as Heartbleed bug revealed
Vendors and ISPs have work to do updating firmware - if it's possible to fix this
Snowden-inspired crypto-email service Lavaboom launches
German service pays tribute to Lavabit
One year on: diplomatic fail as Chinese APT gangs get back to work
Mandiant says past 12 months shows Beijing won't call off its hackers
Call of Duty 'fragged using OpenSSL's Heartbleed exploit'
So it begins ... or maybe not, says one analyst
prev story

Whitepapers

Designing a defence for mobile apps
In this whitepaper learn the various considerations for defending mobile applications; from the mobile application architecture itself to the myriad testing technologies needed to properly assess mobile applications risk.
3 Big data security analytics techniques
Applying these Big Data security analytics techniques can help you make your business safer by detecting attacks early, before significant damage is done.
Five 3D headsets to be won!
We were so impressed by the Durovis Dive headset we’ve asked the company to give some away to Reg readers.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Securing web applications made simple and scalable
In this whitepaper learn how automated security testing can provide a simple and scalable way to protect your web applications.