MoveOn.org is a well-funded web-based organization. But their latest venture into polling their membership for an endorsement has SERIOUS privacy and security flaws.
A few years ago I was contracted by a friend to develop web software for an internet porn site. Say what you will about the rightness or wrongness of porn, but to a code monkey the challenge of designing a secure system of delivering streaming video from 23 cameras (not to mention a blank check to purchase equipment) was too good to pass up.
I learned a lot of things from that experience, not the least of which is that there are a whole lot of very clever people who REALLY like porn - preferably for free. I won't bore you with all of the details, but suffice it to say that 90% of my time was spent figuring out how people were exploiting the security loopholes and trying to shut them down.
In the grand scheme of things, I was an IT department of one and since our billing was handled by a third party, the worst consequence of a security loophole was someone being able to view porn for free. Eventually the business was sold off to some random porn conglomerate and I moved on to other contracts.
The months that I spent re-coding security routines and countering loopholes left a very real mark on the way that I view the internet. When I stumble across a new web system that requests my personal information the first thing that I do is to look for security weaknesses before I participate.
MoveOn.org sent e-mail out to all of its members requesting that they vote on a candidate to endorse. Embedded in the e-mail is a link that you can click on to cast your vote.
Once you have cast your vote you are instructed to enter your phone number for verification. A small number of participants will be randomly called to verify their identity - meaning that if you do not enter your real phone number, your vote may not count.
Once your vote is submitted you receive a confirmation e-mail thanking you for your vote along with a link to switch your vote if you choose to.
As has already been discovered by other diarists, ANYONE can click on this link and change YOUR vote, because your unique voting ID is embedded in the link. On the surface this seems like a minor security flaw; after all, the system will send out a confirmation e-mail any time your vote is changed, so you will know if something funny is happening.
No big deal ... right?
The page that you are taken to when you change your vote contains your Name and your telephone number. This information is presented on an unencrypted page in "cleartext". If you look closely at the embedded voting id that is part of your link, it may appear to be a collection of random letters and numbers. If, however, you manage to get your hands on 3 or 4 of these links you will notice a definite pattern to the numbers.
So what does all of this mean?
It means that it would be relatively trivial for a programmer to write a small program that generates voting IDs matching the pattern and (because your name and phone number are in VERY specific places on the page and in cleartext) captures your name and phone number. It would not take more than a day to collect every single name and phone number of the people who participated in the voting.
Want a database of MoveOn.org members who live in California who are voting for Hillary Clinton? Done.
Want a database of MoveOn.org members who live in Alabama who are voting for Obama along with their cell phone and unpublished numbers? Done.
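The two flaws described above are a predictable voting ID and a change page that prints the full name and phone number to anyone holding a link. The sketch below is an added example of how such a vote-change link can be issued safely; it is not MoveOn.org's code, and the store, the `BASE_URL` placeholder and the redaction rule are all constructed for illustration. The points it makes: the link carries a random 256-bit token rather than a guessable ID, only a hash of that token is stored server-side, the comparison is constant-time, an invalid ID and an invalid token produce the same response, and the page never shows more than the last two digits of the phone number.

```python
"""Hardened vote-change link design (added example, not MoveOn.org's code).

Assumptions (all constructed for illustration): an in-memory vote store,
a BASE_URL placeholder, and a phone-redaction rule that keeps only the
last two digits.
"""
from __future__ import annotations

import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

BASE_URL = "https://example.invalid/vote/change"  # placeholder, not the real site


@dataclass
class VoteRecord:
    name: str
    phone: str
    choice: str
    # Only a hash of the change token is stored, so a leaked database
    # does not hand out working change links.
    token_hash: bytes = field(default=b"", repr=False)


class VoteStore:
    def __init__(self) -> None:
        self._by_id: dict[int, VoteRecord] = {}
        # Sequential IDs are fine internally; on their own they open nothing,
        # because every lookup also requires the random token.
        self._next_id = 1

    @staticmethod
    def _hash(token: str) -> bytes:
        return hashlib.sha256(token.encode()).digest()

    def record_vote(self, name: str, phone: str, choice: str) -> tuple[int, str]:
        """Store a vote and return (internal id, change link)."""
        token = secrets.token_urlsafe(32)  # 256 bits of randomness; not enumerable
        vid = self._next_id
        self._next_id += 1
        self._by_id[vid] = VoteRecord(name, phone, choice, self._hash(token))
        return vid, f"{BASE_URL}?id={vid}&t={token}"

    def lookup(self, vid: int, token: str) -> VoteRecord | None:
        rec = self._by_id.get(vid)
        if rec is None:
            return None
        # Constant-time comparison avoids leaking how much of the token matched.
        if not hmac.compare_digest(rec.token_hash, self._hash(token)):
            return None
        return rec

    def change_vote(self, vid: int, token: str, new_choice: str) -> bool:
        rec = self.lookup(vid, token)
        if rec is None:
            return False
        rec.choice = new_choice
        # A real system would rotate the token and send the confirmation e-mail here.
        return True


def redact_phone(phone: str) -> str:
    """Show only the last two digits, so the page confirms identity
    without exposing the full number."""
    digits = [c for c in phone if c.isdigit()]
    if len(digits) <= 2:
        return "**"
    return "*" * (len(digits) - 2) + "".join(digits[-2:])


def render_change_page(store: VoteStore, vid: int, token: str) -> str:
    rec = store.lookup(vid, token)
    if rec is None:
        return "Invalid or expired link."  # same message for bad id and bad token
    return f"{rec.name} ({redact_phone(rec.phone)}) currently votes: {rec.choice}"


if __name__ == "__main__":
    store = VoteStore()
    vid, link = store.record_vote("Alice Example", "555-010-1234", "Candidate A")
    print("change link:", link)
    token = link.split("&t=")[1]
    print(render_change_page(store, vid, token))
    print(render_change_page(store, vid, "guessed-token"))
```

With tokens drawn from `secrets`, collecting three or four links reveals no pattern to extrapolate from, and even a correct guess of the internal ID returns the same "Invalid or expired link." response as any other bad request. Redacting the phone number limits what a leaked or forwarded link can disclose to its holder.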
Please join me in alerting MoveOn.org of this problem. You can contact them here.