Change.org springs a leak, exposes private e-mail addresses

Online petitions service Change.org has a website bug that is disclosing as many as 40,000 e-mail addresses that presumably belong to current or former subscribers. The disclosure bug was still active at the time this post was being prepared, and it can be triggered with the search box provided on the site or, because the affected pages have been indexed, through Google or Bing. The number of results returned ranged from 40,000 to 65,000, although not every result included an e-mail address.

The leak appears to be the result of Change.org Web links that contain valid GET request tokens, the kind of token used to validate users after they have successfully entered their password. A bug appears to be adding those tokens to links automatically, even when the viewer hasn't been authenticated, so anyone (or any crawler) who follows the link is treated as the logged-in user. The linked pages display each user's full e-mail address. A separate link shows all the petitions signed by the e-mail address's owner, but trying to click through to the profile or settings pages leads to a login screen.
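To make the failure mode concrete, here is an added example that is not Change.org's code and does not reproduce its actual URL layout, token format or handlers; it is a deliberately minimal model of the pattern the post describes. A public petition page renders a link to each signer. In the buggy variant, each link carries a bearer token that logs the visitor in as that signer, regardless of who is viewing, so an unauthenticated crawler that follows the links ends up reading every signer's e-mail address. The hardened variant renders plain links and the user page falls back to the login screen. The user IDs, e-mail addresses, secret and URL paths are constructed for the example.

```python
import hashlib
import hmac
import re
from urllib.parse import parse_qs, urlparse

# Hypothetical server-side signing key (constructed for this example).
SECRET = b"server-side-secret-do-not-ship"

# Constructed sample data standing in for the site's user table.
USERS = {
    "u1": {"email": "alice@example.com", "petitions": ["save-the-park"]},
    "u2": {"email": "bob@example.com", "petitions": ["save-the-park"]},
}


def make_login_token(user_id: str) -> str:
    """Bearer token that authenticates user_id. Whoever holds it is 'logged in'."""
    mac = hmac.new(SECRET, user_id.encode(), hashlib.sha256).hexdigest()
    return f"{user_id}.{mac}"


def verify_login_token(token: str):
    """Return the user_id the token vouches for, or None if it is forged/garbled."""
    try:
        user_id, mac = token.split(".", 1)
    except ValueError:
        return None
    expected = hmac.new(SECRET, user_id.encode(), hashlib.sha256).hexdigest()
    return user_id if hmac.compare_digest(mac, expected) else None


def petition_page(signers, buggy: bool) -> str:
    """Public page listing a petition's signers.

    buggy=True models the reported defect: the signer's own login token is
    appended to the link, so the page hands out credentials to any viewer.
    buggy=False renders a plain link; authentication must come from the viewer.
    """
    links = []
    for uid in signers:
        url = f"/users/{uid}"
        if buggy:
            url += f"?auth_token={make_login_token(uid)}"
        links.append(f'<a href="{url}">signer</a>')
    return "<html>" + "".join(links) + "</html>"


def user_page(url: str, session_user) -> str:
    """/users/<id>: shows the full e-mail only to the authenticated owner.

    session_user is the identity from the viewer's own session (None when the
    viewer is anonymous). A valid auth_token in the query string overrides it,
    which is exactly why such tokens must never appear in public links.
    """
    parsed = urlparse(url)
    uid = parsed.path.rsplit("/", 1)[-1]
    token = parse_qs(parsed.query).get("auth_token", [None])[0]
    authenticated = verify_login_token(token) if token else session_user
    if authenticated == uid and uid in USERS:
        return f"<p>{USERS[uid]['email']}</p>"
    return "302 Location: /login"


def crawl(signers, buggy: bool):
    """Unauthenticated crawler (think search-engine bot): fetch the public page,
    follow every link, and collect whatever e-mail addresses come back."""
    page = petition_page(signers, buggy=buggy)
    found = []
    for href in re.findall(r'href="([^"]+)"', page):
        body = user_page(href, session_user=None)
        match = re.search(r"[\w.+-]+@[\w.-]+", body)
        if match:
            found.append(match.group(0))
    return found


if __name__ == "__main__":
    signers = list(USERS)
    print("buggy site leaks:   ", crawl(signers, buggy=True))
    print("hardened site leaks:", crawl(signers, buggy=False))
```

The fix in the model is not a better token format; the token is a valid, unexpired credential in both variants. The fix is never rendering a login-bypass credential into a page that an unauthenticated viewer can fetch, and keeping the real session in an HttpOnly cookie rather than in the query string, where it is also copied into browser history, Referer headers, proxy logs and search-engine indexes.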
