Beware of security: Babiš's website mistakenly gave out fans' e-mail addresses

The website, which belongs to the ANO political movement, should have had a properly secured unsubscribe function. Anyone could, unpleasantly enough, look at the e-mail addresses of tens of thousands of people. The site administrator corrected the error after being notified.

We were shown a very interesting example of poor security. On the website of Andrej Babiš's political movement (ANO 2011), there was a poorly designed page for unsubscribing from the e-mail newsletter. The URL contained a number that corresponded to the ID of the registered user in the database.

Because the address contained no other parameter (for example an authorization key or a random string) and required no other data, anyone could unsubscribe any number of subscribers. Worse still, at the moment of clicking the Unsubscribe button to remove the address from the list, the visitor also learned the full e-mail address of that fan or newsletter subscriber.

The website contained a security error


We verified the error on several randomly chosen numbers; each one returned a different user's address. With a little work, someone could have used a script sending automated requests to collect the e-mail addresses of all subscribers this way (and unsubscribe them at the same time).


Example of a leaked e-mail address. Changing the number in the URL was enough.

According to the website's terms (recently updated for the GDPR), only authorized employees of the operator (meaning the ANO 2011 movement) are supposed to have access to personal data.


Quote from the website's terms, section "Handling of your personal data"

We contacted the operator at the address [email protected] with a question about how the error occurred and how it would be corrected. We have not received a reply yet; if one arrives later, we will add it to the article.

However, after our inquiry (it is not certain whether because of it), the operator modified the website so that e-mail addresses are no longer visible after unsubscribing. The current version of the website has no footer; last year's version stated: "Sponsor ANO 2011, developer Digital Wizards", referring to the Ostrava digital agency. That agency, however, clearly distanced itself from the new website: "We worked with ANO, but another agency took over the work. The website was rewritten and unfortunately it was not fully published," Michal erbk of the agency initially told the editorial office.

This rather minor episode should serve mainly as a warning for both beginner and experienced webmasters. Even seemingly insignificant functions, such as unsubscribing from a newsletter, must be designed securely, and a user's action (or the website itself) must never allow access to another user's data. In this case, it would have been enough to give the newsletter unsubscribe link a unique one-time key from which the original address cannot be derived. That ensures nobody can reach other people's e-mail addresses.
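One way to build such links, added here as an illustration and not code from the article or from the site's developers: the unsubscribe URL carries a keyed hash of the subscriber ID, the server recomputes it before acting, and the confirmation page never echoes the address. The subscriber table, the secret and the addresses are constructed sample data.

```python
import hmac
import hashlib
import secrets
from urllib.parse import urlencode

# Constructed sample subscriber table: sequential database ids -> addresses.
SUBSCRIBERS = {1041: "alice@example.org", 1042: "bob@example.org"}
UNSUBSCRIBED = set()

# Server-side secret; in production load it from configuration, never hard-code it.
SECRET_KEY = secrets.token_bytes(32)


def unsubscribe_token(subscriber_id: int) -> str:
    """Keyed MAC over the id: cannot be derived from the id without SECRET_KEY,
    so changing the number in the URL no longer yields a valid link."""
    return hmac.new(SECRET_KEY, str(subscriber_id).encode(), hashlib.sha256).hexdigest()


def unsubscribe_link(subscriber_id: int, base: str = "https://example.org/unsubscribe") -> str:
    """Link to embed in the newsletter e-mail (base URL is a placeholder)."""
    query = urlencode({"id": subscriber_id, "token": unsubscribe_token(subscriber_id)})
    return f"{base}?{query}"


def handle_unsubscribe(subscriber_id: int, token: str) -> str:
    """Server-side handler. Returns a status string and never reveals the
    address behind the id; unknown ids and bad tokens get the same answer."""
    if subscriber_id not in SUBSCRIBERS:
        return "invalid"
    expected = unsubscribe_token(subscriber_id)
    # Constant-time comparison so the token cannot be guessed byte by byte.
    if not hmac.compare_digest(expected.encode(), token.encode()):
        return "invalid"
    UNSUBSCRIBED.add(subscriber_id)
    return "unsubscribed"
```

If the token must also be revocable or single-use, store a random per-subscriber token in the database instead and delete it once used; the verification logic stays the same.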