Alex Salmond’s Alba party website leaks data in IDOR foul-up

Alex Salmond’s Alba party website leaks data in IDOR foul-up

It’s just two days since former SNP leader Alex Salmond launched a brand new political party to campaign for an independent Scotland.

And already it has suffered a data breach.

As Scotland’s Herald on Sunday newspaper reports, a vulnerability on the Alba’s website left the names of thousands of people who had signed-up to attend the party’s events exposed.

According to the newspaper, the names of 4,325 people were publicly visible on the Alba website due to a sloppy and easy-to-exploit coding error:

Anyone who registers is given a “recruiter ID” which allows them to share links to events with others they think may like to attend.

However, the IDs assigned are in sequential order, and simply changing this number on any link to an online event provides the name of the person who has signed up whose name corresponds with that ID. Their name is listed as a “referrer” on the page.

The newspaper appears to be describing an Insecure Direct Object Reference (IDOR) vulnerability – not only one of the most commonly-encountered problems on poorly-designed web applications, but also simple for an attacker to exploit.

Sign up to our newsletterSecurity news, advice, and tips.

According to the newspaper, the leak revealed that the names of at least eight members of the SNP’s ruling body had signed-up for Alba events – which could prove politically embarrassing.

Is it possible the website was created in something of a rush, without proper consideration for user security? You might think that, I couldn’t possibly comment.