The website of Germany's Alternative for Germany (AfD) party was found to be inadequately secured: membership applications sat in a web directory that could be reached directly, without any access control. Internet activist N3ll4, known as @n3ll41 on Twitter, drew attention to these security gaps. PDF files containing membership applications were openly accessible on a server under the AfD domain. These applications contain personally identifiable information including names, addresses, dates of birth, email addresses, and the desired membership fee. Cybercriminals could misuse such information for phishing attacks, blackmail, or threats.
Heise Online, a German technology news website, confirmed that the directory containing the membership applications was accessible with no protection at all. N3ll4 also pointed out other security gaps, such as the domain rb.afd.de, which offers password-protected access to certain services. The IT security expert noted that this password protection could easily be circumvented because of earlier data leaks at the AfD. Notably, access was not protected by two-factor authentication.
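The misconfiguration described above, an upload directory served with directory listing and no access control, is a classic Apache hardening mistake. The following is an added illustration written for this article, not the AfD's actual configuration; the directory path and site name are hypothetical. It shows the weak setting beside the corrected one, plus the kind of protected area that rb.afd.de is described as offering.

```apache
# --- Weak: listing enabled, every file reachable by anyone who knows or guesses the URL ---
# (hypothetical path; the real server's layout is not known from the article)
<Directory "/var/www/example-party/applications">
    Options +Indexes        # Apache renders a clickable index of every PDF
    Require all granted     # no authentication, no IP restriction
</Directory>

# --- Hardened: no listing, no direct web access to uploaded applications ---
# Uploaded PDFs should live outside the document root and be handed out only by
# the application after it has checked who is asking.
<Directory "/var/www/example-party/applications">
    Options -Indexes        # never auto-generate directory listings
    Require all denied      # the web server refuses direct requests for these files
</Directory>

# Password-protected area: require an authenticated user rather than relying on
# a shared password. Credentials reused from earlier leaks are exactly what the
# article warns about, so pair this with a second factor at the application or
# SSO layer; Apache's basic auth alone does not provide one.
<Location "/members">
    AuthType Basic
    AuthName "Members area"
    AuthUserFile "/etc/apache2/htpasswd-members"   # hypothetical file, outside the web root
    AuthBasicProvider file
    Require valid-user
</Location>

# Global default: disable listings everywhere so a single forgotten directory
# does not expose its contents.
<Directory "/var/www">
    Options -Indexes
</Directory>
```

After changing the configuration, run `apachectl configtest` and then request the directory URL and one known file URL from outside the network: the directory should return 403 (or 404 if it was moved out of the document root), and the file must not be downloadable without authentication.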
A vulnerability scanner also flagged security gaps on the AfD's domain, including a critical vulnerability in Apache's mod_proxy that permits HTTP request smuggling. In response to Heise Online's request for comment, the AfD press officer acknowledged that 15 membership applications may briefly have been accessible, but stated that the access was closed immediately after discovery. The party is currently investigating whether data protection regulations were violated, which would require notifying the affected individuals or the state data protection officer in Berlin.
Data leaks and security vulnerabilities are not exclusive to the AfD. Other political parties, such as the CDU, have experienced similar issues. The CDU initially filed a complaint against influencer Lilith Wittmann after she identified weaknesses in the party's campaign app and database, but later withdrew the complaint and issued an apology.