- Jan 24, 2011
- 9,378
A design flaw on the forum of the UK Labour Party allowed potential spammers to harvest the email addresses of registered members.
The security issue was located in the account activation process which involved users confirming their email address by clicking on an unique link sent to them.
According to The Register, the activation URLs were of the form http://members.labour.org.uk/man-auth/ActivationSent/10000##### (where # stands for a digit).
The problem is that the activation number is sequential, meaning that by simply modifying the final digit, one could see the email addresses of people who registered before them.
Under such circumstances, an ill-intentioned individual could easily create an automated program that would go through all the numbers and extract the email addresses.
This email list could later be used to launch spam, or even worse, phishing campaigns targeting registered forum members.
Source
The security issue was located in the account activation process which involved users confirming their email address by clicking on an unique link sent to them.
According to The Register, the activation URLs were of the form http://members.labour.org.uk/man-auth/ActivationSent/10000##### (where # stands for a digit).
The problem is that the activation number is sequential, meaning that by simply modifying the final digit, one could see the email addresses of people who registered before them.
Under such circumstances, an ill-intentioned individual could easily create an automated program that would go through all the numbers and extract the email addresses.
This email list could later be used to launch spam, or even worse, phishing campaigns targeting registered forum members.
Source
