Feb 10, 2011 08:49 GMT

A design flaw on the forum of the UK Labour Party allowed potential spammers to harvest the email addresses of registered members.

The security issue was located in the account activation process, which involved users confirming their email address by clicking on a unique link sent to them.

According to The Register, the activation URLs were of the form http://members.labour.org.uk/man-auth/ActivationSent/10000##### (where # stands for a digit).

The problem is that the activation number is sequential, meaning that by simply changing the final digits of the URL, anyone could open the activation page, and with it the email address, of people who registered before them.

Under such circumstances, an ill-intentioned individual could easily create an automated program that would go through all the numbers and extract the email addresses.

This email list could later be used to launch spam, or even worse, phishing campaigns targeting registered forum members.

"The problem is that whoever is responsible for the website design uses a direct object reference in the URL (i.e. the sequential number). Not only is the reference direct, it is also sequential, making it simple to guess," Rik Ferguson, senior security advisor at Trend Micro, said.

"Best practice is to avoid any kind of direct object reference, instead using the URL to point to an internal index or other indirect reference map. If the URL must contain a direct reference then access to it should be secured by authentication," he added.
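As an added illustration of the indirect-reference approach Ferguson describes (example code written for this article, not code from the Labour Party site or from Trend Micro): activation links are keyed by a random token, only the token's hash is stored server side, and the activation page never echoes the member's email address. In-memory dictionaries stand in for the forum's database, which is an assumption for the sake of a runnable example.

```python
import hashlib
import secrets
import time

# Constructed in-memory stores standing in for the forum's database (assumption).
USERS = {}        # user_id -> {"email": ..., "active": bool}
ACTIVATIONS = {}  # sha256(token) -> {"user_id": ..., "expires": unix time}

TOKEN_TTL = 24 * 3600  # activation links expire after a day


def register(user_id: int, email: str) -> str:
    """Create an inactive account and return its one-time activation token.

    The token is 32 bytes from the OS CSPRNG, so a URL such as
    /ActivationSent/<token> cannot be guessed or walked sequentially the way
    /ActivationSent/10000##### could. Only the SHA-256 of the token is stored:
    the table is the indirect reference map, and a leaked copy of it does not
    yield working links.
    """
    USERS[user_id] = {"email": email, "active": False}
    token = secrets.token_urlsafe(32)
    digest = hashlib.sha256(token.encode()).hexdigest()
    ACTIVATIONS[digest] = {"user_id": user_id, "expires": time.time() + TOKEN_TTL}
    return token


def activate(token: str) -> str:
    """Handle GET /ActivationSent/<token>.

    Returns a generic status string only. Neither a valid nor an invalid link
    reveals the email address or whether a given account exists, so there is
    nothing to harvest even if someone submits arbitrary tokens.
    """
    digest = hashlib.sha256(token.encode()).hexdigest()
    record = ACTIVATIONS.get(digest)
    if record is None or record["expires"] < time.time():
        return "invalid or expired activation link"
    ACTIVATIONS.pop(digest)          # single use: the link is dead after success
    USERS[record["user_id"]]["active"] = True
    return "account activated"


if __name__ == "__main__":
    tok = register(1, "member@example.org")   # constructed sample account
    print(activate(tok))                       # account activated
    print(activate(tok))                       # invalid or expired activation link
```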

This is similar to the bug exploited by two greyhat hackers last year on AT&T's website to extract the email addresses of iPad owners, allegedly for demonstrative purposes. The self-described security researchers are now the subject of a criminal prosecution.

Fortunately, the vulnerability on the Labour Party forum was discovered and responsibly reported by a member. A party spokesperson confirmed that it has since been fixed and the entire website sign-in process was updated.