It’s just two days since former SNP leader Alex Salmond launched a brand new political party to campaign for an independent Scotland.
And already it has suffered a data breach.
As Scotland’s Herald on Sunday newspaper reports, a vulnerability on the Alba Party’s website left the names of thousands of people who had signed up to attend the party’s events exposed.
According to the newspaper, the names of 4,325 people were publicly visible on the Alba website due to a sloppy and easy-to-exploit coding error:
Anyone who registers is given a “recruiter ID” which allows them to share links to events with others they think may like to attend.
However, the IDs assigned are in sequential order, and simply changing this number on any link to an online event provides the name of the person who has signed up whose name corresponds with that ID. Their name is listed as a “referrer” on the page.
The newspaper appears to be describing an Insecure Direct Object Reference (IDOR) vulnerability – not only one of the most commonly-encountered problems on poorly-designed web applications, but also simple for an attacker to exploit. The site took the recruiter ID straight from the link, used it to look up a registrant, and rendered that person’s name without checking whether the visitor had any business seeing that record. Because the IDs were handed out sequentially, nobody needed to guess anything: a loop from 1 upwards was enough to pull every name.
According to the newspaper, the leak revealed that at least eight members of the SNP’s ruling body had signed up for Alba events – which could prove politically embarrassing.
Is it possible the website was created in something of a rush, without proper consideration for user security? You might think that, I couldn’t possibly comment.
According to the Herald on Sunday, the flaw has now been fixed.
3 comments on “Alex Salmond’s Alba party website leaks data in IDOR foul-up”
I wonder what the newspaper's legal situation is now in relation to computer misuse legislation, given that having discovered/been told of the flaw they then went through 4k+ ID numbers and exfiltrated the names thus revealed. Since it was only names that were exposed, the fact that they have included some in the report without knowing if they are the people they allege them to be also seems a bit iffy legally.
When searching the ICO's public register of data controllers based on partial name ('Alba') or post code I was unable to find the registration details of the Alba Party.
It wasn't really a coding error. They used NationBuilder. Which allows you to set activity streams to public. This is often used for things like fundraisers where people can say "John donated £20!"
In effect, they made the activity stream public with an option in the back-end, even if they didn't display it anywhere. So it wasn't a developer who made the mistake – it was the person configuring the website. Whether the software should make such an easy mistake easy for a website admin to implement is another question.