Security: email addresses of subscribers are public to all Write.as users

Today I recognized I can open the list of subscribers of other Write.as blogs (not just mine) and see all email addresses. Example:

h t t p s : / / write.as/me/c/ekenemoses/subscribers

I’m obviously not @ekenemoses and should not be able to see the email addresses of his subscribers. I should not have access to this page at all, just to my own subscribers.

EDIT: I got to the subscriber page via a Google search! So actually it is very easy to find all subscribers of all blogs at Write.as with a Google search and harvest the email addresses with a script.

Let’s ping @help

@matt
Seems to be an urgent privacy matter!
I can confirm this happens for any write.as user when logged in.
Email address and followers harvesting.
Anyone with a write.as account can harvest the subscribers and followers from any write.as blog by simply changing the username in the url.
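The missing check this post describes, as an added illustration that is not Write.as's actual code: a handler that only verifies a user is logged in, beside the same handler with the ownership check that the fix requires (the route shape, header-based session lookup, data and names are all assumed).

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Constructed sample data (not real accounts): blog alias -> owner user ID, alias -> subscriber emails.
var blogOwner = map[string]string{"alice": "u1", "bob": "u2"}
var subscribers = map[string][]string{"alice": {"r1@example.com"}, "bob": {"r2@example.com", "r3@example.com"}}

// aliasFromPath extracts <alias> from the assumed route shape /me/c/<alias>/subscribers.
func aliasFromPath(p string) string {
	return strings.TrimSuffix(strings.TrimPrefix(p, "/me/c/"), "/subscribers")
}

// subscribersHandler renders one blog's subscriber list. checkOwner=false reproduces the reported
// bug (being logged in is the only check, so the alias in the URL can be anyone's); true is the fix.
func subscribersHandler(checkOwner bool) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		// Stand-in for session lookup: the logged-in user ID arrives in a header here.
		uid, alias := r.Header.Get("X-User"), aliasFromPath(r.URL.Path)
		if uid == "" {
			http.Error(w, "login required", http.StatusUnauthorized)
			return
		}
		// Object-level authorization: the session user must own the blog named in the URL.
		if owner, ok := blogOwner[alias]; checkOwner && (!ok || owner != uid) {
			http.Error(w, "forbidden", http.StatusForbidden)
			return
		}
		fmt.Fprint(w, strings.Join(subscribers[alias], "\n"))
	}
}

// status runs a handler as the given user against a path and returns the HTTP status code.
func status(h http.HandlerFunc, user, path string) int {
	req := httptest.NewRequest("GET", path, nil)
	req.Header.Set("X-User", user)
	rec := httptest.NewRecorder()
	h(rec, req)
	return rec.Code
}

func main() {
	fmt.Println(status(subscribersHandler(false), "u1", "/me/c/bob/subscribers")) // 200: bob's list leaks
	fmt.Println(status(subscribersHandler(true), "u1", "/me/c/bob/subscribers"))  // 403
}
```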

Oh wow! I thought I could see my subscribers because I’m already signed in with my phone and desktop. I think this puts subscribers at risk and they may opt to unsubscribe if they ever come across it on the internet. Thank you @McPringle for bringing this up.

@matt
Please block access to the subscribers and followers pages. This is a GDPR and privacy violation, and I don’t want write.as to have to close down due to a potential fine.
Can anyone please reach out to matt on the fediverse as well?

I sent an email to support@write.as.

Really sorry for this issue – it was fixed earlier this morning. Note that while it existed, only logged-in Write.as users were able to access these pages.

@McPringle, in the future you need to report security vulnerabilities to us privately, via normal support email, as others did. While this was indeed a severe issue, publicizing the information like this makes the situation more unsafe by encouraging others who didn’t previously know about it to exploit it.

Thank you for fixing @matt !

You are right, I’m sorry. I wasn’t thinking about it, this was my first report of a security incident. Will do it better next time! :slight_smile:

No worries :slightly_smiling_face: Thanks again for reporting.