Security bungle exposes 450 NZ Labor supporters

A furore has erupted across the Tasman after a right-wing blogger promised to release 452 names and 18,000 email addresses of New Zealand Labor Party supporters obtained through basic security failures in the party’s web site donation portal.

Anna Cervova, public domain

Blogger Cameron Slater told SC Magazine Australia today that he would release the names, addresses and donation information of the party supporters obtained through the holes “over the coming months” and said is confident he had legal authority to do so.

Slater discovered the Labor Party’s Civi Customer Relationship Management database, which operates on the open source Droopal platform, cached by Google search. With it he found unencrypted administrative passwords and backups located on public facing servers.

Worse, he said the administration passwords he obtained for the Labor Party website were also used to access the Party’s payment transaction facility, flo2cash.

Slater, a former change management head of a major bank, advised the Labor Party of the password bungle yesterday after it moved to reassure members that their financial details were safe and said it had changed the access credentials.

Labor Party President Moria Coatsworth was unavailable for comment today, but the party said the security flaws had been fixed and it had investigated the incident.

“They have left their data to be cached by Google. It doesn’t take Chinese hackers to obtain it,” Slater said.

“It was complete ineptitude. They had created backups in public directories.

“That is like putting your TV and video player out on the front lawn and wondering why it was stolen.”

Slater said despite his right wing stance, his efforts were apolitical because he “would do the same if it were the National Party”.

“It’s about bad security.”

The 452 names were collated through donations over a four-month period, and email addresses were harvested during social media campaigns used to subscribe members.

A staffer in the rival National Party had also obtained the names and email addresses but denied allegations by Coatsworth that it supplied the information to Slater.

“This is a politically motivated attack. The National Party had a choice to alert us to this vulnerability in our system. Instead they chose to exploit it and to download the material and pass the gap onto the blogger who they knew would reveal private information,” Coatsworth said in a statement.

Chris Gatford, director of penetration testing firm HackLabs told SC Magazine that “default passwords and poor configurations and failure to patch” are key elements used to compromise web sites.

Copyright © SC Magazine, Australia