Online petitions service Change.org has a website bug that is disclosing email addresses that presumably belong to current or former subscribers. Search results suggest the number could be in the thousands, but a Change.org official said it was about 100. The disclosure bug was active at the time this post was being prepared and is exploitable using the search box provided on the site or via Google or Bing. The number of results returned ranged from 40,000 to 65,000, although not every result included an email address. Still, a large number of them returned pages like the one above, which »XoZZeN« has redacted out of fairness to the affected email user. The leak appears to be the result of Change.org web links that contain valid GET request tokens used to validate users after they have successfully entered their password. A bug appears to be adding the tokens automatically, even when the viewer hasn't been authenticated.
The following screenshot shows a portion of the token in the address bar:
The linked pages display users' entire email addresses. A separate link shows all the petitions signed by the email user, but trying to click through to Profile or Settings leads to a login screen. The leak was the topic of a discussion on Twitter early Friday morning. The topic was started by someone who stumbled on the bug when trying to unsubscribe from a Change.org email list. Change.org global communications director John Coventry said the organization became aware of the bug at 6 a.m. PDT. He said that website administrators have disabled the search function and have asked search engines to remove the offending results while engineers investigate and fix the underlying problem. An hour after this post went live, however, the Change.org search feature continued to return results showing email addresses.
**UPDATE**
Change.org officials said the total number of exposed email addresses was 100. They also provided the following statement:
"Our investigation showed that the users whose email addresses were exposed had pasted emails they had received from Change.org into public web pages. Google then indexed the unsubscribe link at the end of those emails. Those links contain the user's email address to make it as easy as possible to unsubscribe, and that's how those email addresses appeared on the site. Previously, we were not preventing search engines from including those pages, but our engineering team is working on preventing that right now. They are also clearing the email addresses that have been indexed already, however this involves working with other search engines, which can take about 24 hours."
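The statement above describes the two design choices that combined into the leak: the unsubscribe link carried the recipient's email address in clear in the query string, and the landing page was not marked as non-indexable, so a pasted email put the address into search results. The following is an added example, not Change.org's code, showing the weak link pattern beside a hardened version that uses an opaque HMAC-tagged token instead of the address and serves the landing page with an `X-Robots-Tag: noindex` header. The hostname `example.test`, the secret, the in-memory user table and the handler are all constructed for this illustration.

```python
"""Unsubscribe-link design: weak form beside a hardened form.

Added example, not Change.org's code. The page says unsubscribe links
carried the user's email address and were indexed by Google once users
pasted the emails on public pages. Two mitigations are shown:
  1. An opaque, unforgeable token in the link instead of the address.
  2. A noindex directive on the landing page (X-Robots-Tag header).
Hostname, secret key and the user records below are constructed.
"""
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed server-side secret; in production this is rotated and kept out of source.
SECRET = b"constructed-example-key-not-for-real-use"

# Constructed "database": opaque unsubscribe id -> email address.
_unsub_ids: dict[str, str] = {}


def weak_link(email: str) -> str:
    """The pattern the article describes: the address itself sits in the URL."""
    return "https://example.test/unsubscribe?" + urlencode({"email": email})


def _sign(unsub_id: str) -> str:
    """HMAC tag over the opaque id so tokens cannot be forged or enumerated."""
    return hmac.new(SECRET, unsub_id.encode(), hashlib.sha256).hexdigest()[:32]


def safe_link(email: str) -> str:
    """Hardened link: random per-user id plus HMAC tag; nothing identifying in the URL."""
    unsub_id = secrets.token_urlsafe(16)
    _unsub_ids[unsub_id] = email
    token = f"{unsub_id}.{_sign(unsub_id)}"
    return "https://example.test/unsubscribe?" + urlencode({"t": token})


def mask_email(email: str) -> str:
    """Render only a masked address, so even a cached copy of the page leaks little."""
    local, _, domain = email.partition("@")
    return (local[:1] + "***@" + domain) if domain else "***"


def handle_unsubscribe(url: str):
    """Simulated landing-page handler. Returns (status, headers, body)."""
    headers = {"X-Robots-Tag": "noindex, nofollow"}  # sent on every response
    qs = parse_qs(urlparse(url).query)
    token = qs.get("t", [None])[0]
    if not token or "." not in token:
        return 400, headers, "bad request"
    unsub_id, tag = token.split(".", 1)
    # constant-time comparison avoids leaking the tag byte by byte
    if not hmac.compare_digest(tag, _sign(unsub_id)):
        return 403, headers, "invalid token"
    email = _unsub_ids.get(unsub_id)
    if email is None:
        return 404, headers, "unknown token"
    return 200, headers, f"Unsubscribed {mask_email(email)}"


def url_leaks_email(url: str) -> bool:
    """Quick audit check: would this link expose an address if it were indexed?"""
    qs = parse_qs(urlparse(url).query)
    return any("@" in value for values in qs.values() for value in values)


if __name__ == "__main__":
    addr = "alice@example.com"  # constructed sample address
    print("weak :", weak_link(addr), "leaks:", url_leaks_email(weak_link(addr)))
    link = safe_link(addr)
    print("safe :", link, "leaks:", url_leaks_email(link))
    print("visit:", handle_unsubscribe(link))
```

The `noindex` header is the part that would have stopped search engines from listing the page even with the weak link; the opaque token is what removes the address from the URL so a pasted email cannot carry it in the first place. A real deployment would also give the token an expiry and tie it to a single list rather than the whole account.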