Change.org springs a leak, exposes private e-mail addresses [updated]

Earlier this week, Dan Goodin reported:

Online petitions service Change.org has a website bug that’s disclosing e-mail addresses that presumably belong to current or former subscribers. Search results suggest the number could be thousands, but a Change.org official said it was about 100.

The disclosure bug was active at the time this post was being prepared and is exploitable using the search box provided on the site or via Google or Bing. The number of results returned ranged from 40,000 to 65,000, although not every result included an e-mail address. Still, a large number of them returned pages like the one above, which Ars has redacted out of fairness to the affected e-mail user.

Read more on Ars Technica.

About the author: Dissent