back to article Labour forum leaks email addresses

Basic design flaws on a Labour party members forum exposed the email addresses of users to harvesting. Surfers who register through the site http://members.labour.org.uk were invited to confirm their membership, and activate their account, by clicking on the link in an email sent to a specified account. The email follows the …

COMMENTS

This topic is closed for new posts.
  1. JakeyC
    Headmaster

    Anonymous?

    Was your source Anonymous or anonymous?

  2. Anonymous Coward
    Anonymous Coward

    I'm shocked!

    "A Reg reader who registered through the site"

    There really are leftie fellow reg readers?! ;)

    1. Anonymous Coward
      Anonymous Coward

      Labour Lefties - an oxymoron.

      One Anonymous Coward said "There really are leftie fellow reg readers?! ;)"

      Another replies:

      Since when were Labour Leftie? Have you had your eyes shut for the last 15 years?

      .

      1. Evil Auditor Silver badge

        @another AC

        Yeah, you are partly right (though did you notice the ;) in the OC?), Labour was not that leftie. They were just plainly wrong.

    2. Anonymous Coward
      Anonymous Coward

      Explain

      Is there some reason why you think having an analytical mind and not being a slave to corporatism are mutually exclusive?

  3. Anonymous Coward
    FAIL

    FFS !!!!!!

    Rule 1 of sending data in an URL is to encrypt it !!!! Notice, "encrypt", not "obscure".

    1. Anonymous Coward
      Anonymous Coward

      Rule 1 ...

      ... is to only put nonces or non-sensitive content IDs in GET requests.

      Neither of which need to be encrypted.

  4. Anonymous Coward
    Anonymous Coward

    Schoolboy Error

    Even as an undergraduate I realised how bad an idea this was, I think i hashed timestamp+random salt if memory serves.

    1. Sam Liddicott

      infinity and beyond

      The trouble is that with hashed timestamp + random salt you can't cope with an infinite number of registrations without also having an infinite number of collisions - it's like planning for not_success.

      To code for success you need to remove identifiers from a set (not necessarily an infinite set though).

      Just because it's random doesn't mean it won't collide, it just means you'll have trouble detecting if the cause was a stray alpha particle or bad-luck.

      When I started bigwig.net as a telinco visp, their signup system regularly assigned my users the same account-id; and I don't feel comfortable merely drawing from a bigger pool of random numbers without checking.

      1. Anonymous Coward
        Anonymous Coward

        You would code with pseudo-random

        The technique would be to use a robust pseudo-random algorithm, there are plenty about in the crypto world, then size the wrap to be some large number, e.g. world population is 7 billion, assume everyone registers 14 times (just picked a number to round up to 100) , size for 100 billion before collisions. That's 38 bits salt and counter, or the equivalent of a 38 bit hash, which could be made larger or padded out.

        Not guaranteed to avoid collisions, 100 billion + 1 registrations could land but nothing in life (except currently death) is an absolute.

      2. Anonymous Coward
        Anonymous Coward

        No title req'd.

        Something simple as a guid would suffice instead of the integer. (Not that I particularly like guids mind.) But using a linear stepping integer isn't really the problem. The email shouldn't be shown on the confirmation screen, nor should you be able to confirm the email more than once!

      3. Evil Auditor Silver badge

        @Sam Liddicott

        Technically, you may be right (although pseudo random algorithm is an answer, as others pointed out already). But let's consider we are talking about Labour. Would you really expect an infinite number of registrations?

      4. Anonymous Coward
        Anonymous Coward

        Well yeah, I didn't say it was any good.

        It was a project at university, if i looked at it now that'd be the least of my worries code-wise. I was merely pointing out that I'd taken into an account an obvious security hole, rather than suggesting i'd come up with a foolproof solution.

    2. mafoo

      even simpler

      Just use the person email address

      1. Restricted Access
        FAIL

        RE: even simpler

        The whole point of a confirmation email is to prove you have control or access to the registered email address. If the identifier was just the email, someone could register other people's email addresses by faking the confirmation since they would be able to construct the confirmation url from known information.

      2. Restricted Access
        FAIL

        RE: even simpler

        To follow what I just posted, here is a website that does just that...

        http://www.nationalpetregister.org

        A website that uses confirmation links of the form:

        http://www.nationalpetregister.org/activate.php?e=example@example.com

        The website also has a registration form where the password input has a type set to 'text' instead of 'password'...

  5. Anonymous Coward
    Anonymous Coward

    On the upside

    Labour's security flaws have moved on somewhat from the time when they invited you to email them your credit card number.

    http://www.theregister.co.uk/2001/04/18/labour_party_in_web_security/

  6. Anonymous Coward
    Anonymous Coward

    But to be fair...

    This is the Labour Party and NOT the ex Labour Government, and they are different. Although that doesn't excuse them in any way.

  7. slooth
    FAIL

    Labour!!!

    Labour have no clue about IT. Just look at all the failed or horribly overbudget IT initiatives that they have implemented. Also, they havea penchant for gathering your data (database upon database of your data, including ID cards). Who wouldeven have thought that they could get a simple email system right?

  8. Anonymous Coward
    Anonymous Coward

    A step in the right direction

    I can see they are serious about spending cuts: much cheaper to implement poor security than pay a public servant a 6 digits salary to copy the data on an overpriced USB drive and leave it in a public place.

    Mind you, that's government related, so they could have paid a premium to have their security level decreased.

  9. This post has been deleted by its author

  10. Anonymous Coward
    WTF?

    No title req'd.

    And just what the feck is a "Mom and Pop shop"?

    1. TrixyB
      Boffin

      @ AC 12:32 Mom and Pop shops are:

      I didn't know what that meant either so by the powers of google... here it is:

      http://en.wikipedia.org/wiki/Small_business

  11. Not Fred31
    Unhappy

    The ICO will be on their ass like....

    ... a baby flea.

  12. Anonymous Coward
    Anonymous Coward

    You want the title? You cant handle the title

    Looks like they gave fixig it a shot ,course now it gives a "registration successful" no matter what you put into the url, so its obviously not checking anything to see if the last series of digits are even valid.

This topic is closed for new posts.

Other stories you might like