Scottish National Party members found among list of names signed up to rival Alba Party after website whoopsie

Alex Salmond’s Alba Party has got off to a rocky start after a coding error on its website appeared to expose the names of those signed up.

First reported by Scotland’s The Herald On Sunday, the names of more than 4,000 people who had signed up to attend events were inadvertently made public.

While the newspaper gleefully picked through the list to find high-profile members of the rival Scottish National Party (SNP), the nature of the error will cause disbelief in infosec circles.

According to the report, anyone who registerd with the site was given an ID, which could be used to share links to events with others. Those ID values were sequential, so simply changing the number on a link to an online event showed the person whose name corresponds with that ID as the referrer on the page.

The issue has apparently now been resolved.

It looks to us like a classic Insecure Direct Object Reference (IDOR) cock-up. Alba certainly wouldn’t be the first and, we’re sad to say, won’t be the last victim of such iffy coding (the likes of NurseyCam spring effortlessly to mind) although we imagine that the members of the SNP spotted on the list are in for a bit of a talking-to.

Security analyst Graham Cluley posted: “Is it possible the website was created in something of a rush, without proper consideration for user security? You might think that, I couldn’t possibly comment.”

Neither could we, although judging by some of the homepage’s sizing issues on show, the creators do seem to have been in a bit of a hurry.

And the site itself? “We will use your contact details to send you information on the topics you have requested,” it proudly proclaims. Oddly, it doesn’t say “and we’ll send your name to anyone with a passing knowledge of how to change an ID in an address.”

The Alba Party has yet to respond to The Register’s request for comment.

A spokesperson for Information Commissioner’s Office told us: “As a public body the ICO has to consider its responsibilities during the pre-election period. Our regulatory work continues as usual but we will not be commenting publicly on every issue raised during the Parliament Election.

“We will, however, be closely monitoring how personal data is being used during political campaigning and making sure that all parties and campaigns are aware of their responsibilities under data protection and direct marketing laws.” ®

READ MORE HERE