National security defects exposed

Author Nicky Hager's book, Dirty Politics.

A former Whangarei Boys' High pupil who describes himself as a "hobby hacker" has exposed security flaws in the National Party's website.

Josh Brodie, formerly of Whangarei but now living in Wellington, said his discovery left Prime Minister John Key open to accusations of "throwing 'Labour left the security off' stones from within a glass house".

Dirty Politics, a book by investigative journalist Nicky Hager, said senior National Party staffer Jason Ede and blogger Cameron Slater had accessed information from a poorly secured Labour Party computer system.

Mr Key defended their actions, saying it was not hacking because the site's security had been "left off". He compared it to the All Blacks taking a peek at the Wallabies' starting line-up if they had left it unsecured on a private website. However, Mr Brodie said his investigation of political party websites had found private information on National's members-only site was also unsecured.

The security flaw, while not on the same scale as Labour leaving its donor database open, allowed anyone to view or download photos of the 600-700 party members who had added profile pictures to their online accounts.

Mr Brodie said he had alerted the party and waited until the problem had been fixed before going public via his blog. National's HQ had moved "pretty quickly", contacting him on Thursday to say the problem had been fixed. A security flaw he had pointed out earlier had also been fixed.

The "hobby hacker" had started looking into political party website security, intending to start a non-partisan conversation about web security, before the Dirty Politics revelations emerged.

In the week between his discovery and the fix, Mr Brodie said he had winced every time he heard Mr Key make a statement about Labour leaving its website open.

National Party secretary Greg Hamilton confirmed a tech blogger had identified a minor issue with the party's membership website. The party had thanked him for his advice and fixed the issue.

Mr Brodie also found serious flaws on the Conservative Party's website allowing access to anything on the party's server, "which is basically game over as far as their security goes". He had alerted the party before writing in his blog.

"Hopefully it's becoming increasingly clear that political parties need to be aware of threats not only to their website security and member privacy, but to their reputation as being managers capable of running a tight ship.

"I'm not expecting our leaders or their campaign staff to be able to fix this s*** themselves, but I am expecting those in charge to be identifying areas where their knowledge is lacking, delegating to better qualified people and getting assurance that their bases are covered."

He was not a professional security tester, merely "some random guy ... who stumbles across these things".