Summary
The Albanian Parliament (parlament.al) serves a React SPA frontend backed by an ASP.NET OData API hosted on Azure. The API requires zero authentication. Any person on the internet can query the OData API at kuvendiapi.azurewebsites.net and retrieve full personally identifiable information for all 236 Members of Parliament, plus a catalog of 54,545 publicly accessible Azure Blob Storage documents.
Discovery Method
parlament.al returns HTTP 200 for all URL paths — a React SPA catch-all that initially appeared to be a dead end. Standard endpoint probing produced no results. However:
- The main React JS bundle was downloaded: main.[hash].js (355 KB minified)
- String extraction from the minified bundle revealed a hardcoded API base URL: https://kuvendiapi.azurewebsites.net/api
- Further analysis of minified webpack variable names extracted seven OData entity names: anetaret, strukturat, aktet, lajmet, mbledhjet, dokumentet, YouTube/search
- All seven endpoints responded to unauthenticated HTTP GET requests
- One additional endpoint (/abonimet) was probed and returned 401 — the only protected endpoint in the API
No authentication was bypassed. No exploits were used. The API was wide open by default.
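A build-time check of the kind that would have flagged the hardcoded references described above, added here as an example and not code from parlament.al or AKSHI: it treats every absolute URL in the built bundle as public, exactly as an outside reader does, and fails the build when a host is outside an allow-list or is a bare IP literal. The bundle path and the allow-list entries are assumptions.

```csharp
// Added example, not parlament.al's code: CI check that fails when a built SPA
// bundle references hosts outside an allow-list or hardcodes an IP literal.
using System;
using System.Collections.Generic;
using System.IO;
using System.Linq;
using System.Net;
using System.Text.RegularExpressions;

static class BundleHostCheck
{
    // Captures the host part of http(s)/ws(s) URLs, including bare IP literals.
    static readonly Regex UrlHost =
        new(@"\b(?:https?|wss?)://([A-Za-z0-9.\-]+)(?::\d{1,5})?", RegexOptions.Compiled);

    // Returns the distinct hosts that are not allow-listed. IP literals are always
    // reported: a hardcoded address in a public bundle is an internal reference
    // leaking, whatever the allow-list says.
    public static List<string> FindForeignHosts(string js, ISet<string> allowed)
    {
        var foreign = new SortedSet<string>(StringComparer.OrdinalIgnoreCase);
        foreach (Match m in UrlHost.Matches(js))
        {
            var host = m.Groups[1].Value;
            if (IPAddress.TryParse(host, out _) || !allowed.Contains(host))
                foreign.Add(host);
        }
        return foreign.ToList();
    }

    static int Main(string[] args)
    {
        // Bundle path and allow-list entries are assumptions for this example.
        var path = args.Length > 0 ? args[0] : "build/static/js/main.js";
        var allowed = new HashSet<string>(StringComparer.OrdinalIgnoreCase)
        {
            "kuvendiapi.azurewebsites.net",          // the API the SPA is meant to call
            "kuvendiwebfiles.blob.core.windows.net", // document store the SPA links to
            "www.w3.org",                            // XML namespaces embedded by SVG markup
        };

        var foreign = FindForeignHosts(File.ReadAllText(path), allowed);
        foreach (var host in foreign)
            Console.Error.WriteLine($"bundle references non-allow-listed host: {host}");

        // Non-zero exit fails the CI job, so such a bundle never reaches production.
        return foreign.Count == 0 ? 0 : 1;
    }
}
```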
Open API Endpoints
| Endpoint | Records / Size | Content | Status |
|---|---|---|---|
| /anetaret | 236 records / 138 KB | MP records — full PII | OPEN |
| /strukturat | 274 KB | Parliamentary committees | OPEN |
| /aktet | 3.1 MB | Legislative acts, interpellations | OPEN |
| /lajmet | 19.8 MB | Parliamentary news articles | OPEN |
| /mbledhjet | 2.2 MB | Session and meeting records | OPEN |
| /dokumentet | 54,545 URLs / 30.2 MB | Document catalog with direct Azure Blob URLs | OPEN |
| /YouTube/search | 8 KB | YouTube video search proxy | OPEN |
| /abonimet | — | Subscriptions | 401 (Protected) |
MP PII Exposure — 236 Records
Each record in the /anetaret response contains the following fields for every Member of Parliament:
- Full legal name: first name (Emri), father’s name (Atesia), surname (Mbiemri)
- Date of birth (Datelindja)
- Place of birth (Vendlindja)
- Official email address — @parlament.al
- Political party affiliation (Partia)
- Electoral district (Zona)
- Profile photo URL (Azure Blob Storage)
- Social media: Facebook, Twitter/X, LinkedIn links
- Active / inactive status (Aktiv)
Additionally, a second query filtered to currently active MPs was saved as anetaret_active.json, and an mp-email-list.txt of all 236 @parlament.al addresses (24 KB) was compiled from the API response.
GET https://kuvendiapi.azurewebsites.net/api/anetaret
HTTP/1.1 200 OK
Content-Type: application/json; odata.metadata=minimal

{
  "Emri": "[REDACTED]",
  "Atesia": "[REDACTED]",
  "Mbiemri": "[REDACTED]",
  "Datelindja": "1975-XX-XX",
  "Vendlindja": "Tiranë",
  "Email": "[REDACTED]@parlament.al",
  "Partia": "Partia Socialiste",
  "Zona": "Tiranë",
  "Facebook": "https://facebook.com/[REDACTED]",
  "Aktiv": true
}
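How the API could have been closed by default while still serving the MP list the site needs, as an added ASP.NET Core (.NET 8) example that is not the parliament's code: a fallback authorization policy makes every endpoint require an authenticated caller unless it explicitly opts out, and the one anonymous endpoint returns a projection without the birth, filiation and e-mail fields listed above. It assumes the Microsoft.AspNetCore.Authentication.JwtBearer package with a bearer issuer configured under Authentication:Schemes:Bearer, and uses minimal-API endpoints in place of OData controllers because the fallback policy applies to both in the same way.

```csharp
// Added example, not parlament.al's code: an API that is closed by default and
// publishes only a minimised projection of MP records to anonymous callers.
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Authorization;

var builder = WebApplication.CreateBuilder(args);

// Authentication scheme is an assumption; issuer, audience and signing keys are
// bound from the Authentication:Schemes:Bearer configuration section.
builder.Services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme).AddJwtBearer();

// Deny by default: every endpoint needs an authenticated caller unless it opts
// out. With this in place the open sets listed on the page would have answered
// 401 to anonymous requests, as /abonimet did.
builder.Services.AddAuthorization(options =>
    options.FallbackPolicy = new AuthorizationPolicyBuilder()
        .RequireAuthenticatedUser()
        .Build());

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();

// Constructed in-memory sample standing in for the database behind the API.
var members = new List<Member>
{
    new(1, "Emri", "Atesia", "Mbiemri", new DateOnly(1975, 1, 1), "Tiranë",
        "placeholder@parlament.al", "Partia Socialiste", "Tiranë", true),
};

// The single deliberately public endpoint: the projection omits date of birth,
// father's name, place of birth and e-mail, which the page shows the live API
// returning to anyone.
app.MapGet("/api/anetaret", () =>
        members.Where(m => m.Aktiv)
               .Select(m => new PublicMember(m.Id, m.Emri, m.Mbiemri, m.Partia, m.Zona)))
   .AllowAnonymous();

// No opt-out here, so the fallback policy applies and anonymous callers get 401.
app.MapGet("/api/abonimet", () => Results.Ok(Array.Empty<object>()));

app.Run();

// Field names follow the /anetaret response above; the record shapes are assumed.
record Member(int Id, string Emri, string Atesia, string Mbiemri, DateOnly Datelindja,
              string Vendlindja, string Email, string Partia, string Zona, bool Aktiv);

record PublicMember(int Id, string Emri, string Mbiemri, string Partia, string Zona);
```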
Azure Blob Storage — 54,545 Public Documents
The /dokumentet endpoint returns a 30.2 MB JSON catalog. Container listing on kuvendiwebfiles.blob.core.windows.net/webfiles/ is disabled — but all 54,545 blob URLs are enumerable via the API response, and individual blobs have public read access enabled. Direct URL construction from the catalog entries retrieves documents without authentication.
| File Type | Count |
|---|---|
| — | 32,627 |
| JPEG | 9,831 |
| JPG | 8,458 |
| JFIF | 1,768 |
| DOCX | 885 |
| DOC | 397 |
| XLSX | 392 |
| PNG | 208 |
| XLS | 117 |
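An audit of the container access level behind the exposure described above (anonymous reads of individual blobs with listing disabled is the Blob access level), as an added example using the Azure.Storage.Blobs and Azure.Identity packages and not code from the page: it reports every container that allows anonymous reads and, with --fix, sets it back to private. The storage account name comes from a STORAGE_ACCOUNT environment variable and the running identity is assumed to hold the Storage Blob Data Owner role.

```csharp
// Added example, not parlament.al's code: find containers that allow anonymous
// blob reads and, with --fix, switch them to private access.
using System;
using System.Linq;
using Azure.Identity;
using Azure.Storage.Blobs;
using Azure.Storage.Blobs.Models;

static class BlobPublicAccessAudit
{
    // Names of containers whose level allows anonymous reads: Blob (single blobs
    // by URL, listing disabled, the page's case) or BlobContainer (listing too).
    public static string[] FindPublicContainers(BlobServiceClient service) =>
        service.GetBlobContainers(BlobContainerTraits.None)
               .Where(c => c.Properties.PublicAccess is PublicAccessType.Blob
                                                      or PublicAccessType.BlobContainer)
               .Select(c => c.Name)
               .ToArray();

    static int Main(string[] args)
    {
        // Account name is read from the environment; the credential chain picks up
        // a managed identity, az login or a service principal.
        var account = Environment.GetEnvironmentVariable("STORAGE_ACCOUNT")
                      ?? throw new InvalidOperationException("set STORAGE_ACCOUNT");
        var service = new BlobServiceClient(
            new Uri($"https://{account}.blob.core.windows.net"), new DefaultAzureCredential());

        var fix = args.Contains("--fix");
        var open = FindPublicContainers(service);
        foreach (var name in open)
        {
            Console.WriteLine($"container '{name}' allows anonymous blob reads");
            if (fix)
            {
                // Data-plane fix for this container. Also set allowBlobPublicAccess=false
                // on the account (management plane) so no container can be reopened.
                service.GetBlobContainerClient(name).SetAccessPolicy(PublicAccessType.None);
            }
        }
        // Non-zero exit lets a scheduled run raise an alert when anything is public.
        return open.Length == 0 ? 0 : 1;
    }
}
```

Once containers are private, documents that are meant to be public are served through the application with a short-lived SAS or a CDN origin, so the catalog URLs no longer double as unauthenticated download links.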
Key Documents Identified in the Catalog
- MP Salary Spreadsheets (PAGA DEPUTETE) — monthly, 2018–2020
- MP Benefits Records (PERFITIME DEPUTETE) — monthly, 2018–2020
- Lobbyist Registry (Regjistri elektronik i Lobisteve)
- Civil Society Organization Registry
- FOIA Request/Response Logs — 2018–2021
- Albanian Constitution, Electoral Code, Deputy Status Law
- Budget expenditure tables, Reserve fund tables
- Parliamentary Annual Reports 2013–2019
- Organizational chart, Code of Conduct, Media accreditation rules
372 of 392 XLSX spreadsheets were downloaded (44 MB), 837 of 885 DOCX documents were recovered (73 MB), and 25 priority PDFs/DOCs were downloaded (20 MB). Total Parliament-related data collected: approximately 237 MB.
Internal Reference
The parlament.al React JS bundle contains a hardcoded internal API reference:
http://134.0.63.165:5000/public
This is a private IP address unreachable from the public internet, confirming additional backend infrastructure beyond the Azure-hosted public API. The 134.0.x.x range is consistent with AKSHI’s own AS5576 network space (same range as e-albania.al at 134.0.39.39 and akshi.gov.al at 134.0.42.170).
Data Collected
| File | Size | Content |
|---|---|---|
| anetaret.json | 138 KB | 236 MPs full PII |
| anetaret_active.json | 81 KB | Active MPs only |
| strukturat.json | 274 KB | Parliamentary committees |
| aktet.json | 3.0 MB | Legislative acts |
| lajmet.json | 19 MB | News articles |
| mbledhjet.json | 2.1 MB | Meeting records |
| dokumentet.json | 29 MB | 54,545 document catalog URLs |
| youtube-search.json | 8.0 KB | YouTube proxy results |
| mp-email-list.txt | 24 KB | @parlament.al email directory |
| blob-docx-urls.txt | 141 KB | 885 DOCX blob URLs |
| blob-xlsx-urls.txt | 47 KB | 392 XLSX blob URLs |
| parlament-main.js | 355 KB | React bundle (API source) |
| parlament-vendor.js | 1015 KB | React vendor bundle |
| parlament-xlsx/ (372 files) | 44 MB | MP salary and benefit spreadsheets |
| parlament-docx/ (837 files) | 73 MB | Parliamentary Word documents |
| parlament-docs/ (25 files) | 20 MB | Priority PDFs and DOCs |
Impact Assessment
Immediate impact: Full PII dossier on every Albanian Member of Parliament — a complete target package for social engineering, phishing, physical security threats, or political intelligence operations. The email directory alone provides a verified contact list for all 236 MPs.
Document exposure: Salary and benefits records for MPs covering 2018–2020, lobbyist registry, and four years of FOIA logs represent significant institutional transparency data — some of which may have been intended as non-public.
Systemic concern: The Parliament API has been on Azure since at least January 2022 (based on document timestamps). This exposure has persisted for at least four years. The API endpoint URL is hardcoded in a publicly served JavaScript bundle — it has been trivially discoverable by anyone who examined the frontend source during that period.
Methodology note: All data was collected via unauthenticated HTTP GET requests to publicly accessible API endpoints and Azure Blob Storage URLs. No authentication was bypassed. No credentials were tested. No access controls were circumvented. The API responded to standard requests without requiring any form of identification, token, or session cookie.
Research date: February 25, 2026 — ODINT Albania Investigation, Phase 2