Basic design flaws on a Labour party members forum exposed the email addresses of users to harvesting. Surfers who register through the site http://members.labour.org.uk were invited to confirm their membership, and activate their account, by clicking on the link in an email sent to a specified account. The email follows the …
Was your source Anonymous or anonymous?
"A Reg reader who registered through the site"
There really are leftie fellow reg readers?! ;)
Labour Lefties - an oxymoron.
One Anonymous Coward said "There really are leftie fellow reg readers?! ;)"
Since when were Labour Leftie? Have you had your eyes shut for the last 15 years?
Yeah, you are partly right (though did you notice the ;) in the OC?), Labour was not that leftie. They were just plainly wrong.
Is there some reason why you think having an analytical mind and not being a slave to corporatism are mutually exclusive?
Rule 1 of sending data in an URL is to encrypt it !!!! Notice, "encrypt", not "obscure".
Rule 1 ...
... is to only put nonces or non-sensitive content IDs in GET requests.
Neither of which need to be encrypted.
But to be fair...
This is the Labour Party and NOT the ex Labour Government, and they are different. Although that doesn't excuse them in any way.
On the upside
Labour's security flaws have moved on somewhat from the time when they invited you to email them your credit card number.
Even as an undergraduate I realised how bad an idea this was, I think i hashed timestamp+random salt if memory serves.
infinity and beyond
The trouble is that with hashed timestamp + random salt you can't cope with an infinite number of registrations without also having an infinite number of collisions - it's like planning for not_success.
To code for success you need to remove identifiers from a set (not necessarily an infinite set though).
Just because it's random doesn't mean it won't collide, it just means you'll have trouble detecting if the cause was a stray alpha particle or bad-luck.
When I started bigwig.net as a telinco visp, their signup system regularly assigned my users the same account-id; and I don't feel comfortable merely drawing from a bigger pool of random numbers without checking.
You would code with pseudo-random
The technique would be to use a robust pseudo-random algorithm, there are plenty about in the crypto world, then size the wrap to be some large number, e.g. world population is 7 billion, assume everyone registers 14 times (just picked a number to round up to 100) , size for 100 billion before collisions. That's 38 bits salt and counter, or the equivalent of a 38 bit hash, which could be made larger or padded out.
Not guaranteed to avoid collisions, 100 billion + 1 registrations could land but nothing in life (except currently death) is an absolute.
Just use the person email address
No title req'd.
Something simple as a guid would suffice instead of the integer. (Not that I particularly like guids mind.) But using a linear stepping integer isn't really the problem. The email shouldn't be shown on the confirmation screen, nor should you be able to confirm the email more than once!
Technically, you may be right (although pseudo random algorithm is an answer, as others pointed out already). But let's consider we are talking about Labour. Would you really expect an infinite number of registrations?
Well yeah, I didn't say it was any good.
It was a project at university, if i looked at it now that'd be the least of my worries code-wise. I was merely pointing out that I'd taken into an account an obvious security hole, rather than suggesting i'd come up with a foolproof solution.
RE: even simpler
The whole point of a confirmation email is to prove you have control or access to the registered email address. If the identifier was just the email, someone could register other people's email addresses by faking the confirmation since they would be able to construct the confirmation url from known information.
RE: even simpler
To follow what I just posted, here is a website that does just that...
A website that uses confirmation links of the form:
The website also has a registration form where the password input has a type set to 'text' instead of 'password'...
Labour have no clue about IT. Just look at all the failed or horribly overbudget IT initiatives that they have implemented. Also, they havea penchant for gathering your data (database upon database of your data, including ID cards). Who wouldeven have thought that they could get a simple email system right?
A step in the right direction
I can see they are serious about spending cuts: much cheaper to implement poor security than pay a public servant a 6 digits salary to copy the data on an overpriced USB drive and leave it in a public place.
Mind you, that's government related, so they could have paid a premium to have their security level decreased.
The ICO will be on their ass like....
... a baby flea.
No title req'd.
And just what the feck is a "Mom and Pop shop"?
@ AC 12:32 Mom and Pop shops are:
I didn't know what that meant either so by the powers of google... here it is:
You want the title? You cant handle the title
Looks like they gave fixig it a shot ,course now it gives a "registration successful" no matter what you put into the url, so its obviously not checking anything to see if the last series of digits are even valid.