BreachExchange mailing list archives
[Dataloss] Labour Forum Leaks Email Addresses
From: Pete <pete () nrth org>
Date: Thu, 10 Feb 2011 06:59:43 +0000
By John Leyden - 9th February 2011
http://www.theregister.co.uk/2011/02/09/london_forum_email_privacy_breach/

Basic design flaws on a Labour party members forum exposed the email addresses of users to harvesting.

Surfers who register through the site http://members.labour.org.uk were invited to confirm their membership, and activate their account, by clicking on the link in an email sent to a specified account.

The email follows the form http://members.labour.org.uk/man-auth/ActivationSent/10000XXXXX

A Reg reader who registered through the site realised that the number at the end of this URL is probably sequential, a unique id which refers to the account just registered. Sure enough, just changing the ID in the URL to a lower number led to the presentation of an email address of another registrant ...

[...]

Regards,
Pete.

_______________________________________________
Dataloss-discuss Mailing List (dataloss-discuss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://datalossdb.org/mailing_list
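The flaw described in the quoted article, next to one hardened alternative, as an added example that is not part of the original post or the site's own code. The class and method names, the starting ID and the addresses are constructed for illustration.

```python
import hashlib
import secrets


def mask(email):
    """Show only the first character of the local part: a***@example.org."""
    local, _, domain = email.partition("@")
    return f"{local[:1]}***@{domain}"


class Registry:
    def __init__(self):
        self._next_id = 1000000001   # constructed value; sequential, so guessable
        self._email = {}             # account id -> email
        self._pending = {}           # sha256(token) -> account id
        self.active = set()

    @staticmethod
    def _digest(token):
        # Only the hash is stored, so a database leak does not yield usable links.
        return hashlib.sha256(token.encode()).hexdigest()

    def register(self, email):
        """Create an account; return (account id, activation token)."""
        account_id = self._next_id
        self._next_id += 1
        self._email[account_id] = email
        token = secrets.token_urlsafe(32)  # 256 random bits for the emailed link
        self._pending[self._digest(token)] = account_id
        return account_id, token

    def link_page_weak(self, account_id):
        """Flawed pattern: keyed by the sequential id, echoes the full address."""
        email = self._email.get(account_id)
        return f"Activation email sent to {email}" if email else "Not found"

    def link_page_hardened(self, token):
        """Keyed by the random token; the address is masked even on a match."""
        account_id = self._pending.get(self._digest(token))
        if account_id is None:
            return "This activation link is invalid or has expired."
        return f"Activation link accepted for {mask(self._email[account_id])}"

    def activate(self, token):
        """Single-use activation: the token is removed once redeemed."""
        account_id = self._pending.pop(self._digest(token), None)
        if account_id is None:
            return False
        self.active.add(account_id)
        return True
```

The hardened page gives the same response for every unknown value, so a neighbouring account ID reveals nothing about whether that account exists.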