StatCounter

Wednesday, 9 February 2011

The Labour party and web security

The Register reports a very basic security problem identified an insecure registration problem on the Labour party website:
'Surfers who register through the site http://members.labour.org.uk were invited to confirm their membership, and activate their account, by clicking on the link in an email sent to a specified account.

The email follows the form http://members.labour.org.uk/man-auth/ActivationSent/10000XXXXX

A Reg reader who registered through the site realised that the number at the end of this URL is probably sequential, a unique id which refers to the account just registered. Sure enough, just changing the ID in the URL to a lower number led to the presentation of an email address of another registrant ...

"This is unbelievably poor and sloppy coding," our anonymous informant told El Reg "Obviously you could use this flaw to extract a whole pile of email addresses. Spammers would love it. Guess there are also data protection issues because this breaks their own privacy policy."

Rik Ferguson, a security consultant at Trend Micro, helped El Reg confirm the flaw, which he explained had resulted from a failure to follow established best practice in website design.'
Not very impressive especially from the same party that assured us whilst they were in office that our data would always be secure in one of the myriad of databases they wanted to set-up.

No comments: