Thursday, August 13, 2009

Labour MP gives me, Google and the world her password

It's funny what you discover sometimes when you're doing the daily trawl of things and looking for something to blog. Today was one of those days. I was scanning through the Register of Members' Interests and saw that Gisela Stuart MP had been paid for an article in the German weekly newspaper, Die Zeit.

I was curious what the article might be about, so off I went to Google. Slight problem though: I accidentally hit return on the keyboard before typing in the word "Zeit" and ended up searching for "Gisella Stuart Die" (unfortunate, I know) and spotted a strange response at the top of the search.
Ooooo, "what's that?" I thought? Something has gone wrong there and Google has code instead of content and it looks like code for what to do when a connection statement to a database fails (hence the "die").

So I followed the link and 'lo, it came to pass! I had in my possession the username and password for Gisela Stuart's database and probably her website CMS too - worse still it was also in Google's cache.

At this point I did what any self-respecting blogging sysadmin would do. I called Gisela Stuart's Parliamentary office, then her constituency office, then handily I spotted the web design company was linked on the site so called them, The Social Media Partnership.

They took the matter seriously and have fixed it and changed the login credentials in less than half an hour - good work. However, there is an important lesson to be learned here.

Just think what could have happened with that information?

Update: The web design company has been in touch to advise that the cause of this problem was a data migration to a new platform and that 25 rogue entries which reference the previous system had leaked through the migration process and have now all been removed.

The credentials above are apparently no longer valid on any active systems and they say were not valid on the new platform after the migration. Nevertheless, the company also advised that they "take credential leaks very seriously and the system will be undergoing a security review this afternoon".

Fair play to them I say, and understandable too. Sometimes people have a tendency to use the same password in places and this could, potentially at least, expose other sites to security failing. A review under the circumstances is perfectly sensible I'd say.
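The leak in this post, source code with a database connection and a "die" handler published as page content, is something a site owner can check for after a migration. The sketch below is an added example, not code from the site or the web design company: it scans content entries for a `connect(...) or die` call and reports which entries expose source and which appear to carry inline credentials. It assumes PHP/Perl-style code (the post only mentions the "die"), and the entry ids, host and names are constructed.

```python
import html
import re

# Assumption: PHP/Perl-style code; the post only says the snippet contained "die".
CONNECT_OR_DIE = re.compile(
    r"\b(?P<call>\w*connect\w*)\s*\((?P<args>[^)]*)\)\s*(?:or|\|\|)\s*die\b",
    re.IGNORECASE,
)
OPEN_TAG = re.compile(r"<\?(?:php|=)?|<%")
STRING_LITERAL = re.compile(r"""(['"])(?:(?!\1).)*\1""")

# Constructed sample entries (hypothetical ids, host and names; not from the site).
SAMPLE_ENTRIES = {
    101: "<p>An article written for the weekly newspaper Die Zeit.</p>",
    102: '<?php $db = mysql_connect("db.example.invalid", "EXAMPLE_USER", '
         '"EXAMPLE_PASS") or die("no connection"); ?>',
    103: "&lt;?php $db = mysql_connect($host, $user, $pass) "
         "or die(&quot;failed&quot;); ?&gt;",
    104: "<p>Unable to connect? Try again or die trying.</p>",
}


def scan_entry(entry_id, body):
    """Return a finding for one content entry, or None if it looks clean."""
    text = html.unescape(body)  # migrated content may hold escaped source
    match = CONNECT_OR_DIE.search(text)
    if match is None:
        return None
    literals = len(STRING_LITERAL.findall(match.group("args")))
    return {
        "entry": entry_id,
        "call": match.group("call"),
        # Two or more quoted arguments suggests host/user/password are inline.
        "severity": "hardcoded-credentials" if literals >= 2 else "source-exposed",
        "open_tag": bool(OPEN_TAG.search(text)),
        # The argument values are deliberately never copied into the report.
    }


def scan_entries(entries):
    """Scan {id: body} and return findings ordered by entry id."""
    findings = (scan_entry(eid, body) for eid, body in sorted(entries.items()))
    return [f for f in findings if f is not None]


if __name__ == "__main__":
    for finding in scan_entries(SAMPLE_ENTRIES):
        print(finding)
```

Any entry reported as "hardcoded-credentials" means the password should be treated as exposed and changed, as happened here, in addition to removing the entry.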
