Code.org hole gave access to volunteers' email addresses
This couldn't happen to your kid who did the Hour of Code, promises CEO
Code.org, the not-for-profit attempting to teach the world to code in perfect harmony, has 'fessed up to a flaw on its site that exposed volunteers' email addresses.
“On Friday night we discovered and fixed an error in the Code.org site that allowed access to our volunteer email addresses,” writes CEO Hadi Partovi.
“This wasn’t a case of hackers breaching our security systems,” Partovi writes, “rather it was our mistake of leaving volunteer email addresses accessible via the web browser.”
The organisation learned of the hole when some of its volunteers started receiving emails offering them jobs. Those offers were sent by “a technical recruiting firm in Singapore” and volunteers wondered how the company had found their addresses.
The recruiting company says it won't do it again and has promised to delete the email addresses it harvested.
“Based on this response, it’s possible the vulnerability may have had limited impact, but we can’t be sure,” Partovi adds. “Regardless, we’ve also inspected and secured the rest of our site from similar vulnerabilities.”
One small upside is that the organisation says it doesn't store email addresses for kids under 13, the target market for the Hour of Code. So there's nothing there for hackers or recruiters to find.
Partovi promises to make sure this kind of thing will never happen again. Perhaps if it spends more than an hour on its code, it might even succeed. ®