BreachExchange mailing list archives

[Dataloss] Labour Forum Leaks Email Addresses


From: Pete <pete () nrth org>
Date: Thu, 10 Feb 2011 06:59:43 +0000

By John Leyden - 9th February 2011

http://www.theregister.co.uk/2011/02/09/london_forum_email_privacy_breach/

Basic design flaws on a Labour party members forum exposed the email
addresses of users to harvesting.

Surfers who register through the site http://members.labour.org.uk were
invited to confirm their membership, and activate their account, by
clicking on the link in an email sent to a specified account.

The email follows the form
http://members.labour.org.uk/man-auth/ActivationSent/10000XXXXX

A Reg reader who registered through the site realised that the number at
the end of this URL is probably sequential, a unique id which refers to
the account just registered. Sure enough, just changing the ID in the
URL to a lower number led to the presentation of an email address of
another registrant ...

[...]


Regards,

Pete.
_______________________________________________
Dataloss-discuss Mailing List (dataloss-discuss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://datalossdb.org/mailing_list
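
The flaw reported above, sketched as an added example that is not part of the original post, the article, or the site's code: a confirmation page keyed only by a sequential id, next to a hardened form that uses an unguessable, single-use, expiring token and a page that echoes no address. The account ids, addresses, the `/activate/` path and all function names are assumptions constructed for illustration.

```python
import hashlib
import secrets
import time

# Constructed sample data: account ids and addresses are invented for illustration.
ACCOUNTS = {
    1000000001: {"email": "alice@example.org", "active": False},
    1000000002: {"email": "bob@example.org", "active": False},
}
PENDING = {}           # sha256(token) -> (account_id, expiry timestamp)
TOKEN_TTL = 24 * 3600  # assumed lifetime of an activation link, in seconds


def activation_sent_vulnerable(account_id):
    """Pattern from the report: the page is keyed only by a sequential id,
    so any visitor who changes the number is shown another user's address."""
    account = ACCOUNTS.get(account_id)
    return f"Activation email sent to {account['email']}" if account else "Not found"


def issue_activation_link(account_id, now=None):
    """Create an unguessable, single-use, expiring token for the emailed link."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
    digest = hashlib.sha256(token.encode()).hexdigest()
    PENDING[digest] = (account_id, now + TOKEN_TTL)  # store only the hash
    return f"/activate/{token}"


def activation_sent_hardened():
    """Confirmation page takes no identifier and echoes no address."""
    return "If the address you entered is valid, an activation email is on its way."


def activate(token, now=None):
    """Redeem a token; unknown, expired and reused tokens all fail the same way."""
    now = time.time() if now is None else now
    digest = hashlib.sha256(token.encode()).hexdigest()
    entry = PENDING.pop(digest, None)  # pop makes the token single-use
    if entry is None or entry[1] < now:
        return False
    ACCOUNTS[entry[0]]["active"] = True
    return True
```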
