springs a leak, exposes private e-mail addresses

Online petitions service has a website bug that's disclosing as many as 40,000 e-mail addresses that presumably belong to current or former subscribers.

The disclosure bug was active at the time this post was being prepared and is exploitable using the search box provided on the site or via Google or Bing. The number of results returned ranged from 40,000 to 65,000, although not every result included an e-mail address. Still, a large number of them returned pages like the one above, which Ars has redacted out of fairness to the affected e-mail user.

The leak appears to be the result of Web links that contain valid GET request tokens used to validate users after they have successfully entered their password. A bug appears to be adding the tokens automatically, even when the viewer hasn't been authenticated. The following screenshot shows a portion of the token in the address bar:

Read 2 remaining paragraphs | Comments