Now on Demand: Threat Detection and Incident Response (TDIR) Summit - All Sessions Available
Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Email Security

Code.org Flaw Exposes Volunteer Email Addresses

Code.org, a non-profit organization that helps students learn computer science, informed users over the weekend that a flaw on its website allowed unauthorized parties to access the email addresses of its volunteers.

Code.org, a non-profit organization that helps students learn computer science, informed users over the weekend that a flaw on its website allowed unauthorized parties to access the email addresses of its volunteers.

The organization learned of the vulnerability on Friday night after at least ten of its volunteers received unwanted job offers from a Singapore-based recruiting firm that had leveraged the “error” to obtain private email addresses.

After being contacted by Code.org for an explanation, the recruiting company appologized and promised to delete the collected email addresses and stop sending messages to the addresses it obtained by exploiting the bug.

“Based on [the recruiting firm’s] response, it’s possible the vulnerability may have had limited impact, but we can’t be sure,” Hadi Partovi, CEO of Code.org, wrote in a blog post. “Regardless, we’ve also inspected and secured the rest of our site from similar vulnerabilities.”

The vulnerability was quickly patched and Partovi pointed out that this was not a data breach, rather a mistake on their part that left volunteer email addresses “accessible via the web browser.”

The Code.org CEO said none of its servers were vulnerable, and the details of its 10 million teachers and students were not exposed at any time. Partovi also noted that the organization does not store the email addresses of students aged under 13.

In an email sent to affected individuals, Code.org said the incident was caused by a client-side vulnerability in its volunteer map. The email also revealed that location data was also exposed if it was provided to Code.org.

Related: Verizon Fixes Vulnerability Exposing User Email Accounts

Advertisement. Scroll to continue reading.

Related: Leaky Databases Expose 25 Million Accounts

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.

Register

People on the Move

Wendy Zheng named as CFO and Joe Diamond as CMO at cyber asset management firm Axonius.

Intelligent document processing company ABBYY has hired Clayton C. Peddy as CISO.

Digital executive protection services provider BlackCloak has appointed Ryan Black as CISO.

More People On The Move

Expert Insights