While LulzSec has been making child’s play of Sony’s security, a blogger named Cameron Slater (WhaleOil) has been embarrassing the heck out of the National Labour Party in New Zealand. In the last two days, he has written more about their breach mentioned previously on this blog:
Labour and their proxy bloggers have been telling a great many lies about how I got access to their web site, to their credit card donations and to their membership lists.
[…]
I knew that Labour would go personal, I knew they would fling mud and I knew that they would call me a hacker. So before I pulled the trigger on this series of leaks I made a video to prove how I accessed their data.
The video is damning. People should be sacked. The story is not about who accessed their site when, it is about the fact that ANYONE could and did.
Read more and watch the video on WhaleOil.
In a subsequent blog entry, Cameron adds:
[…]
Remember that Chris Flatt the Labour General Secretary sent out a letter and email to their donors assuring them that their credit card details were safe. He shouldn’t have been too hasty with that assurance.
In the MySQL database files there were also plain text strings that contained other database passwords along with the user name and passwords of their credit card provider.
$db_url = 'mysqli://labour_admin:N0t3b00kC0r0n3t@localhost/labour_production';
which equates to $db_url = 'mysqli://username:password@localhost/databasename';
Their credit card provider admin details were:
"Flo2Cash_Donate\";s:9:\"user_name\";s:8:\"nzlabour\";s:8:\"password\";N;s:9:\"signature\";N;s:8:\"url_site\";s:63:\"https://secure.flo2cash.co.nz/donations/labourparty/donate.aspx\";s:7:\"url_api\";N;s:9:\"url_recur\";s:63:\"https://secure.flo2cash.co.nz/donations/labourparty/donate.aspx\"
This shows the appalling lack of security not only for the donor and membership details but also with regard to user names and passwords for other secure areas.
Read more on WhaleOil.
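An added example, not part of the original post or of WhaleOil's material: a short Python audit script an administrator could run over their own SQL dump or backup to find credentials stored in the two forms quoted above, a scheme://user:password@host connection string and PHP-serialized settings. The sample lines and the names find_secrets and SAMPLE_DUMP are constructed for illustration, and the key-name list is an assumption about what counts as sensitive.

```python
import re

# Constructed sample (not real data) in the two formats quoted above: a
# $db_url connection string and a PHP-serialized settings blob whose quotes
# are backslash-escaped, as they appear inside a SQL dump.
SAMPLE_DUMP = r'''
$db_url = 'mysqli://example_user:Example-Pass-1@localhost/example_db';
INSERT INTO variable VALUES ('gateway','a:3:{s:9:\"user_name\";s:7:\"example\";s:8:\"password\";s:9:\"hunter2!!\";s:7:\"api_key\";N;}');
INSERT INTO variable VALUES ('site_name','s:7:\"Example\";');
'''

# scheme://user:password@host (credentials embedded in a connection URL)
URL_RE = re.compile(r'\b([a-z][a-z0-9+.-]*)://([^:/@\s\'"]+):([^@\s\'"]+)@([^/\s\'"]+)')
# serialize() string key followed by either N; (null) or a string value.
# Heuristic: assumes key/value pairs are adjacent, as in a flat settings array.
PAIR_RE = re.compile(r's:\d+:"([^"]+)";(?:N;|s:\d+:"([^"]*)";)')
# Assumed list of key names worth flagging.
SENSITIVE = re.compile(r'pass|secret|token|api_?key|signature', re.I)


def find_secrets(text):
    """Return (line number, kind, redacted detail) for each stored credential."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in URL_RE.finditer(line):
            scheme, user, _password, host = m.groups()
            findings.append((lineno, "url", f"{scheme}://{user}:***@{host}"))
        plain = line.replace('\\"', '"')  # undo the SQL-dump escaping
        for m in PAIR_RE.finditer(plain):
            key, value = m.group(1), m.group(2)
            # A null (N;) or empty value means nothing is actually stored.
            if SENSITIVE.search(key) and value:
                findings.append((lineno, "serialized",
                                 f"{key}=*** ({len(value)} chars)"))
    return findings


if __name__ == "__main__":
    for lineno, kind, detail in find_secrets(SAMPLE_DUMP):
        print(f"line {lineno}: {kind}: {detail}")
```

The report redacts every value it finds, so the output can be shared in a ticket without repeating the exposure.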
Do you have a Republican Democratic Party in the USA?
Better do some homework next time.
Heh. Thanks for catching my error. I had meant it as national/federal, but the uppercase N made it all so very wrong. 🙂