Change.org springs a leak, exposes private e-mail addresses

0
225

Online petitions service Change.org has a website bug that’s disclosing as many as 40,000 e-mail addresses that presumably belong to current or former subscribers. The disclosure bug was active at the time this post was being prepared and is exploitable using the search box provided on the site or via Google or Bing. The number of results returned ranged from 40,000 to 65,000, although not every result included an e-mail address. Still, a large number of them returned pages like the one above, which Ars has redacted out of fairness to the affected e-mail user. The leak appears to be the result of Change.org Web links that contain valid GET request tokens used to validate users after they have successfully entered their password. A bug appears to be adding the tokens automatically, even when the viewer hasn’t been authenticated. The following screenshot shows a portion of the token in the address bar: Read 2 remaining paragraphs | Comments

See the original article here:
Change.org springs a leak, exposes private e-mail addresses

LEAVE A REPLY

Please enter your comment!
Please enter your name here

*

This site uses Akismet to reduce spam. Learn how your comment data is processed.