go to content
Politics

Jeremy Corbyn's New Campaign Website Has A Huge Security Flaw

The Momentum site allows users to pretend to be someone else by changing the name and email address – and could be used by fraudsters. Update: The developers told BuzzFeed they have fixed the issue.

Originally posted on
Updated on

But BuzzFeed News has discovered that the site has a glaring security flaw – it allows visitors to pretend to send a fake email as someone else. On the share page, you can input any name, any email address, and even change the message.

Although you can input a name and email address and change the message, the email subject always remains the same, "People's Momentum".

Most sites on the internet don't allow users to send emails with their own phrasing to avoid the risk of them being used to send fake or fraudulent messages. Other ways of achieving this would be too complicated for typical users – certainly harder than just typing details into an online form.

The Momentum site, however, would make it quite easy for online fraudsters – known as phishers – to send plausible-looking emails from banks or shopping sites in the hope that the recipient would follow a link within and hand over personal details.

Similarly, an email could appear apparently from a friend asking you if their Facebook profile has disappeared, with a genuine-looking link that again could steal your login details.

Those who input their own details into the website to share it with their friends are also inadvertently giving their email address to the campaign.

When the site was launched on Thursday morning, it did not include a privacy policy and there was nothing to tell users that their details would be stored.

After BuzzFeed News started working on this article – and after a spokesperson for the campaign was asked about the page – a privacy policy was uploaded to the "share" page. The policy notes that anyone who fills in a form on the website will have their information saved.

It is unclear whether the campaign also stores the details of those whose email address are entered into the website.

The spokesperson said they would "look into" the page with their tech engineers.

UPDATE

BuzzFeed News has been assured that this flaw has been fixed.

Siraj Datoo is a political reporter for BuzzFeed News and is based in London.

Contact Siraj Datoo at siraj.datoo@buzzfeed.com.

Got a confidential tip? Submit it here.