Flaw In The Code.org Exposes Volunteer Email Addresses
Code.org is an organization where students learn computer science. This weekend on their website they found a flaw by which unauthorized parties can easily get access to the email addresses of its volunteers.
On Friday, they came to know about this flaw, because many of their volunteers received an unwanted job email messages. All the job messages were for the Singapore-based recruiting firm that had leveraged the “error” to obtain private email addresses.
The recruiting company apologized to Code.org and promised them that they delete all the collected email addresses. They also ensure to stop sending messages to the addresses it obtained by exploiting the bug.
CEO of Code.org (Hadi Partovi) wrote in his blog post that
“Based on [the recruiting firm’s] response, it’s possible the vulnerability may have had limited impact, but we can’t be sure, Regardless, we’ve also inspected and secured the rest of our site from similar vulnerabilities. The vulnerability was quickly patched and Partovi pointed out that this was not a data breach, rather a mistake on their part that left volunteer email addresses accessible via the web browser.”
According to the Code.org CEO, neither the details of their 10 million teachers and students were revealed, nor the servers are vulnerable and those students who are under the age of 13, their email addresses were also not stored by the organization. The client-side vulnerability was the major reason behind this incident, and the email revealed the location data.
Partovi ensures to the users that this kind of incident will never happen in the future.