UK political donation websites are vulnerable to account attacks, potentially putting donors' personal and financial details at risk.
DataDome researchers found that the donation platforms used by the UK’s seven major political parties – Labour, Conservatives, Liberal Democrats, Reform UK, SNP, Plaid Cymru and the Green Party – are missing critical security features to protect against bots and credential stuffing attacks.
Political donors often provide sensitive personal and financial information to parties, including their names, addresses and credit card details. Therefore, breaches of such data could cause financial fraud and identity theft.
This could lead to a loss of donor trust and reputational damage for the impacted parties, resulting in reduced donor engagement and financial losses for political campaigns, DataDome added.
“With the surge in elections has come a surge in campaign donations, resulting in large volumes of transactions being processed by donation platforms, making them attractive targets for cybercriminals,” the firm noted.
Account Security Failings on Donor Websites
The researchers highlighted numerous examples of missing cybersecurity features across the seven platforms.
- Only two of the seven websites, Labour and SNP, leverage reCAPTCHA to protect against bots. Even then, this feature is only used on account creation pages, not login pages. The use of reCAPTCHA is often not enough to prevent modern bot attacks due to the growing use of bypass techniques. These include CAPTCHA farms, where, essentially, humans train bots to solve CAPTCHA ‘tests’ on the target web application
- Four of the parties’ donation platforms did not offer an option to log in, meaning it is possible to make donations without creating an official account, thereby reducing the barrier to entry for bot traffic and fraudsters
- For the three sites that did use login endpoints, Plaid Cymru, SNP, and Reform UK, the endpoints were left completely unprotected, presenting a significant opportunity for account takeover. DataDome revealed it was able to create a bot capable of successfully logging into its own account without being challenged by any security countermeasures on these platforms
These issues put donor accounts at risk of credential stuffing attacks, the researchers said.
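An added example, not from the article or DataDome: baseline server-side detection of the credential stuffing pattern on a login endpoint, run over constructed log lines. The log format, thresholds and function names are assumptions made for illustration.

```python
from collections import defaultdict, deque

# Constructed sample login log (not from the article):
# "<epoch_seconds> <source_ip> <username> <OK|FAIL>"
SAMPLE_LOG = """\
1000 203.0.113.7 alice FAIL
1002 203.0.113.7 bob FAIL
1003 198.51.100.4 carol FAIL
1004 203.0.113.7 dave FAIL
1006 203.0.113.7 erin OK
1007 203.0.113.7 frank FAIL
1009 203.0.113.7 grace FAIL
1015 198.51.100.4 carol FAIL
1030 198.51.100.4 carol OK
5000 192.0.2.9 heidi OK
"""

def parse(log):
    """Yield (timestamp, ip, user, success) tuples from the sample format."""
    for line in log.splitlines():
        ts, ip, user, result = line.split()
        yield int(ts), ip, user, result == "OK"

def flag_credential_stuffing(events, window=60, min_accounts=5,
                             max_success_ratio=0.25):
    """Return source IPs that, within any `window` seconds, tried at least
    `min_accounts` distinct usernames with a success ratio at or below the
    limit. Many accounts per source with few successes is the stuffing
    pattern; one donor retrying a single account is not flagged."""
    recent = defaultdict(deque)  # ip -> (ts, user, success) inside the window
    flagged = set()
    for ts, ip, user, ok in sorted(events):
        q = recent[ip]
        q.append((ts, user, ok))
        while q and q[0][0] <= ts - window:  # expire attempts outside window
            q.popleft()
        accounts = {u for _, u, _ in q}
        successes = sum(1 for _, _, s in q if s)
        if (len(accounts) >= min_accounts
                and successes / len(q) <= max_success_ratio):
            flagged.add(ip)
    return sorted(flagged)

if __name__ == "__main__":
    print(flag_credential_stuffing(parse(SAMPLE_LOG)))
```

Counting per source IP is only a baseline: attempts spread across many addresses stay under the threshold, which is why the same signal is usually combined with per-account failure counts and a second factor at login.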
Securing Political Donation Websites
The researchers urged the political party donation websites included in the analysis to deploy two-factor authentication across all critical user interactions, including logins and transactions, to add a layer of protection against unauthorised access.
The websites should also transition from basic CAPTCHA systems to bot management solutions that are resilient to bypass techniques like CAPTCHA farms.
Donors can reduce the risk of credential stuffing attacks by using a unique and strong password generated using a password manager.