Alex Salmond’s Alba party website leaks data in IDOR foul-up


It’s just two days since former SNP leader Alex Salmond launched a brand new political party to campaign for an independent Scotland.

And already it has suffered a data breach.

As Scotland’s Herald on Sunday newspaper reports, a vulnerability on the Alba Party’s website left the names of thousands of people who had signed up to attend the party’s events exposed.

According to the newspaper, the names of 4,325 people were publicly visible on the Alba website due to a sloppy and easy-to-exploit coding error:

Anyone who registers is given a “recruiter ID” which allows them to share links to events with others they think may like to attend.

However, the IDs assigned are in sequential order, and simply changing this number on any link to an online event provides the name of the person who has signed up whose name corresponds with that ID. Their name is listed as a “referrer” on the page.

The newspaper appears to be describing an Insecure Direct Object Reference (IDOR) vulnerability – not only one of the most commonly-encountered problems on poorly-designed web applications, but also simple for an attacker to exploit.
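To make the failure mode concrete, here is a small added example (my own code, not the Alba site’s and not anything the Herald published) that models the reported design as an in-memory service, alongside the hardened form a reviewer would ask for. The class and function names, and the sample registrants, are constructed for illustration. The vulnerable version hands out sequential recruiter IDs and renders the referrer’s name to any visitor; the hardened version issues an unguessable token from the OS CSPRNG and never puts personal data in the page at all, using the name only server-side when crediting a sign-up. The `exposed_names` helper is the kind of regression check a site owner can run against their own deployment to confirm the fix holds.

```python
import secrets
from typing import Dict, Iterable, List, Optional


class VulnerableInviteService:
    """Mirrors the reported design: sequential recruiter IDs and an event page
    that prints the referrer's name for whatever ID appears in the link."""

    def __init__(self) -> None:
        self._names_by_id: Dict[int, str] = {}
        self._next_id = 1

    def register(self, name: str) -> int:
        recruiter_id = self._next_id  # predictable: 1, 2, 3, ...
        self._next_id += 1
        self._names_by_id[recruiter_id] = name
        return recruiter_id

    def event_page(self, recruiter_id: int) -> Optional[dict]:
        name = self._names_by_id.get(recruiter_id)
        if name is None:
            return None
        # The flaw: the recruiter's personal data is rendered to any visitor,
        # and nothing ties the visitor to the ID they supplied.
        return {"referrer": name}


class HardenedInviteService:
    """Same feature with two fixes: the link carries a random token instead of
    a sequential number, and the page never renders the recruiter's name."""

    def __init__(self) -> None:
        self._names_by_token: Dict[str, str] = {}
        self._credits: Dict[str, List[str]] = {}

    def register(self, name: str) -> str:
        token = secrets.token_urlsafe(24)  # 192 bits of CSPRNG output, 32 chars
        self._names_by_token[token] = name
        self._credits[token] = []
        return token

    def event_page(self, token: str) -> Optional[dict]:
        if token not in self._names_by_token:
            return None
        # Confirm the referral link is valid; no personal data in the response.
        return {"referral": "valid"}

    def credit_signup(self, token: str, attendee: str) -> bool:
        """Server-side only: the recruiter's identity is used for crediting,
        never shown to the attendee."""
        if token not in self._names_by_token:
            return False
        self._credits[token].append(attendee)
        return True

    def signups_for(self, token: str) -> List[str]:
        return list(self._credits.get(token, []))


def exposed_names(service, candidate_ids: Iterable) -> List[str]:
    """Regression check for the site owner: walk a range of candidate link
    identifiers and collect any referrer names the event page renders.
    A fixed deployment should return an empty list."""
    found: List[str] = []
    for cid in candidate_ids:
        page = service.event_page(cid)
        if page and "referrer" in page:
            found.append(page["referrer"])
    return found


if __name__ == "__main__":
    # Constructed sample registrants, not real people.
    sample = ("Alice Example", "Bob Example", "Carol Example")

    weak = VulnerableInviteService()
    for person in sample:
        weak.register(person)
    print("vulnerable site, ids 1-10:", exposed_names(weak, range(1, 11)))

    fixed = HardenedInviteService()
    tokens = [fixed.register(person) for person in sample]
    print("hardened site, ids 1-10:", exposed_names(fixed, [str(i) for i in range(1, 11)]))
    print("hardened site, genuine link:", fixed.event_page(tokens[0]))
```

Two points worth noting about the design choice. Swapping the sequential ID for a random token removes the enumeration problem, but on its own it would still leak the name to anyone who legitimately holds a link; the second change, keeping the name out of the response entirely, is what stops the page from being a disclosure channel at all. Where a site genuinely needs to show who invited you, that should be a deliberate product decision with the recruiter’s consent, not a side effect of how the URL is built.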


According to the newspaper, the leak revealed that at least eight members of the SNP’s ruling body had signed up for Alba events – which could prove politically embarrassing.

Is it possible the website was created in something of a rush, without proper consideration for user security? You might think that, I couldn’t possibly comment.

According to the Herald on Sunday, the flaw has now been fixed.


Graham Cluley is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s when he wrote the first ever version of Dr Solomon’s Anti-Virus Toolkit for Windows. Now an independent security analyst, he regularly makes media appearances and is an international public speaker on the topic of computer security, hackers, and online privacy.

Follow him on Twitter at @gcluley, or drop him an email.
