Labour forum leaks email addresses

Basic design flaws on a Labour party members forum exposed the email addresses of users to harvesting. Surfers who register through the site http://members.labour.org.uk were invited to confirm their membership, and activate their account, by clicking on the link in an email sent to a specified account. The email follows the …

COMMENTS

This topic is closed for new posts.
Headmaster

Anonymous?

Was your source Anonymous or anonymous?

1
0
Anonymous Coward

I'm shocked!

"A Reg reader who registered through the site"

There really are leftie fellow reg readers?! ;)

4
0
Anonymous Coward

Labour Lefties - an oxymoron.

One Anonymous Coward said "There really are leftie fellow reg readers?! ;)"

Another replies:

Since when were Labour Leftie? Have you had your eyes shut for the last 15 years?

5
0
Silver badge

@another AC

Yeah, you are partly right (though did you notice the ;) in the OC?), Labour was not that leftie. They were just plainly wrong.

2
0
Anonymous Coward

Explain

Is there some reason why you think having an analytical mind and not being a slave to corporatism are mutually exclusive?

0
0

This post has been deleted by a moderator

FAIL

FFS !!!!!!

Rule 1 of sending data in a URL is to encrypt it !!!! Notice, "encrypt", not "obscure".

0
3
Anonymous Coward

Rule 1 ...

... is to only put nonces or non-sensitive content IDs in GET requests.

Neither of which need to be encrypted.

0
0
Anonymous Coward

But to be fair...

This is the Labour Party and NOT the ex Labour Government, and they are different. Although that doesn't excuse them in any way.

3
0
Silver badge

On the upside

Labour's security flaws have moved on somewhat from the time when they invited you to email them your credit card number.

http://www.theregister.co.uk/2001/04/18/labour_party_in_web_security/

0
0
Anonymous Coward

Schoolboy Error

Even as an undergraduate I realised how bad an idea this was; I think I hashed timestamp+random salt if memory serves.

1
0

infinity and beyond

The trouble is that with hashed timestamp + random salt you can't cope with an infinite number of registrations without also having an infinite number of collisions - it's like planning for not_success.

To code for success you need to remove identifiers from a set (not necessarily an infinite set though).

Just because it's random doesn't mean it won't collide, it just means you'll have trouble detecting if the cause was a stray alpha particle or bad-luck.

When I started bigwig.net as a telinco visp, their signup system regularly assigned my users the same account-id; and I don't feel comfortable merely drawing from a bigger pool of random numbers without checking.

1
0
Anonymous Coward

You would code with pseudo-random

The technique would be to use a robust pseudo-random algorithm, there are plenty about in the crypto world, then size the wrap to be some large number, e.g. world population is 7 billion, assume everyone registers 14 times (just picked a number to round up to 100), size for 100 billion before collisions. That's 38 bits salt and counter, or the equivalent of a 38 bit hash, which could be made larger or padded out.

Not guaranteed to avoid collisions, 100 billion + 1 registrations could land but nothing in life (except currently death) is an absolute.

1
0

even simpler

Just use the person's email address

0
1
Anonymous Coward

No title req'd.

Something simple as a guid would suffice instead of the integer. (Not that I particularly like guids mind.) But using a linear stepping integer isn't really the problem. The email shouldn't be shown on the confirmation screen, nor should you be able to confirm the email more than once!

2
0
Silver badge

@Sam Liddicott

Technically, you may be right (although pseudo random algorithm is an answer, as others pointed out already). But let's consider we are talking about Labour. Would you really expect an infinite number of registrations?

2
0
Anonymous Coward

Well yeah, I didn't say it was any good.

It was a project at university; if I looked at it now that'd be the least of my worries code-wise. I was merely pointing out that I'd taken into account an obvious security hole, rather than suggesting I'd come up with a foolproof solution.

1
0
FAIL

RE: even simpler

The whole point of a confirmation email is to prove you have control or access to the registered email address. If the identifier was just the email, someone could register other people's email addresses by faking the confirmation since they would be able to construct the confirmation url from known information.

0
0
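One way to do what the two posts above ask for (a link that proves control of the mailbox because it cannot be built from known information, is single use, and never echoes the email address), as an added Python example that is not from the article or any commenter; the host name, the in-memory stores and the sample address are placeholders:

```python
import hashlib
import secrets

# Constructed in-memory stores standing in for the site's database (assumption:
# a real deployment would persist these). Only a SHA-256 digest of each token is
# kept, so a leaked table still does not hand out working activation links.
PENDING: dict[str, str] = {}   # token digest -> email awaiting confirmation
ACTIVATED: set[str] = set()

ACTIVATE_URL = "https://example.invalid/activate"   # placeholder host


def _digest(token: str) -> str:
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def start_registration(email: str) -> str:
    """Record a pending account and return the link to send to `email`.

    The link carries only a 256-bit random token: not the member's email
    address, and not a sequential integer that can be walked by adding one.
    """
    token = secrets.token_urlsafe(32)
    PENDING[_digest(token)] = email
    return f"{ACTIVATE_URL}?t={token}"


def activate(token: str) -> str:
    """Handle a click on the link; returns the text to show the visitor.

    A valid token is removed on first use, so replaying the link fails, and
    the response never echoes the email address tied to it.
    """
    # pop() on the digest makes the check atomic and single-use. Hashing the
    # presented token before the lookup is the usual way to avoid comparing a
    # secret string directly against stored secrets.
    email = PENDING.pop(_digest(token), None)
    if email is None:
        return "Invalid or already-used activation link."
    ACTIVATED.add(email)
    return "Registration successful."


def is_activated(email: str) -> bool:
    return email in ACTIVATED


if __name__ == "__main__":
    link = start_registration("alice@example.com")   # constructed sample
    print(link)
    print(activate(link.rsplit("t=", 1)[1]))
```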
FAIL

RE: even simpler

To follow what I just posted, here is a website that does just that...

http://www.nationalpetregister.org

A website that uses confirmation links of the form:

http://www.nationalpetregister.org/activate.php?e=example@example.com

The website also has a registration form where the password input has a type set to 'text' instead of 'password'...

0
0
FAIL

Labour!!!

Labour have no clue about IT. Just look at all the failed or horribly overbudget IT initiatives that they have implemented. Also, they have a penchant for gathering your data (database upon database of your data, including ID cards). Who would even have thought that they could get a simple email system right?

4
0
Anonymous Coward

A step in the right direction

I can see they are serious about spending cuts: much cheaper to implement poor security than pay a public servant a 6-digit salary to copy the data on an overpriced USB drive and leave it in a public place.

Mind you, that's government related, so they could have paid a premium to have their security level decreased.

2
0

This post has been deleted by its author

Unhappy

The ICO will be on their ass like....

... a baby flea.

2
0
WTF?

No title req'd.

And just what the feck is a "Mom and Pop shop"?

4
0
Boffin

@ AC 12:32 Mom and Pop shops are:

I didn't know what that meant either so by the powers of google... here it is:

http://en.wikipedia.org/wiki/Small_business

0
0
Anonymous Coward

You want the title? You cant handle the title

Looks like they gave fixing it a shot, course now it gives a "registration successful" no matter what you put into the url, so it's obviously not checking anything to see if the last series of digits are even valid.

0
0