Bug at Change.org exposed email addresses
A bug at Change.org revealed email addresses of current and former subscribers and, in some cases, the petitions they signed, before it was repaired on Friday.
The flaw became the subject of chatter on social media as site engineers worked to fix the problem at the end of last week.
Change.org allows users to petition governments and companies to act on specific issues, and plays a role from time to time in D.C. policy debates.
The disclosure bug could be accessed through the website’s search bar or through search engines like Google. It produced pages that list a private email address as if the user were seeking to unsubscribe from Change.org emails.
Officials with the organization said only 100 emails were exposed, though some security experts noted that the number of results returned appeared much higher than that.
As engineers worked to fix the problem on the back end, some of the exposed email addresses remained visible through a Google search. Clicking on the links directed users to a log-in page.
A user anonymity problem could present challenges for Change.org, which requires an email address and a street address when users sign a petition but not necessarily a full name.
The site released a statement, reported by Ars Technica, on Friday.
“Our investigation showed that the users whose email addresses were exposed had pasted emails they had received from Change.org into public web pages. Google then indexed the unsubscribe link at the end of those emails. Those links contain the user’s email address to make it easy as possible to unsubscribe, and that’s how those email addresses appeared on the site,” the site said.
“Previously, we were not preventing search engines from including those pages, but our engineering team is working on preventing that right now. They are also clearing the email addresses that have been indexed already, however this involves working with other search engines, which can take about 24 hours.”
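The statement above describes unsubscribe links that carry the address in the URL and pages that search engines were free to index. As an added illustration (not code from Change.org or from the original article), the sketch below contrasts that link shape with one defensive design: an opaque HMAC-signed token plus an `X-Robots-Tag: noindex` response header. The endpoint, key, subscriber record and function names are all assumptions constructed for the example.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode, urlparse

SECRET = b"constructed-demo-key"                 # assumption: server-side secret
BASE = "https://petitions.example/unsubscribe"   # hypothetical endpoint
SUBSCRIBERS = {"1042": "alice@example.org"}      # constructed sample record

def leaky_url(email):
    """Link shape the statement describes: the address rides in the URL."""
    return BASE + "?" + urlencode({"email": email})

def make_token(subscriber_id):
    """Opaque token: base64url(id) + '.' + HMAC-SHA256 over that body."""
    body = base64.urlsafe_b64encode(subscriber_id.encode()).decode().rstrip("=")
    sig = hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()
    return body + "." + sig

def opaque_url(subscriber_id):
    return BASE + "?" + urlencode({"t": make_token(subscriber_id)})

def verify_token(token):
    """Return the subscriber id, or None if the signature does not match."""
    body, _, sig = token.partition(".")
    expected = hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig.encode(), expected.encode()):
        return None
    pad = "=" * (-len(body) % 4)
    return base64.urlsafe_b64decode(body + pad).decode()

def handle_unsubscribe(url):
    """Return (status, headers, body); every response tells crawlers not to index."""
    headers = {
        "X-Robots-Tag": "noindex, nofollow",   # keep the page out of search results
        "Cache-Control": "no-store",
        "Referrer-Policy": "no-referrer",
    }
    token = parse_qs(urlparse(url).query).get("t", [""])[0]
    sid = verify_token(token)
    if sid is None or sid not in SUBSCRIBERS:
        return 400, headers, "Invalid link."
    # The confirmation never echoes the address back into the page.
    return 200, headers, "You have been unsubscribed."

if __name__ == "__main__":
    print(leaky_url("alice@example.org"))
    print(opaque_url("1042"))
    print(handle_unsubscribe(opaque_url("1042")))
```

With the token form, a link pasted into a public page exposes neither the address in the URL nor in the rendered page, and the header asks crawlers to drop the page even if they reach it.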
As of Friday, Change.org had roughly 94.5 million people involved in its petitions, according to a tally on the homepage.
One popular campaign, which has received 645,278 signatures, urges Wal-Mart to improve conditions for pigs via their pork suppliers.
Petitions to address sexual assault in Turkey and reinstate Jeremy Clarkson as the host of BBC’s “Top Gear” each have more than one million signatures.
—This post has been updated.