Security: email addresses of subscribers are public to all Write.as users

Today I recognized I can open the list of subscribers of other Write.as blogs (not just mine) and see all email addresses. Example:

h t t p s : / / write.as/me/c/ekenemoses/subscribers

I’m obviously not @ekenemoses and should not be able to see the email addresses of his subscribers. I should not have access to this page at all, just to mine subscribers.

EDIT: I got to the subscriber page via a Google search! So actually it is very easy to find all subscribers of all blogs at Write.as with a Google search and harvest the email addresses with a script.

2 Likes

Let’s ping @help

@matt
Seems to be an urgent privacy matter!
I can confirm this happens for any write.as user when logged in.
Email address and followers harvesting.
Anyone with a write.as account can harvest the subscribers and followers from any write.as blog by simply changing the username in the url.

1 Like

Oh wow! I thought I could see my subscribers because I’m already signed in with my phone and desktop. I think this puts subscribers at risk and they may opt to unsubscribe if they ever come across it on the internet. Thank you @McPringle for bringing this up.

@matt
Please block access to the subscribers and followers pages. This is a GDPR and privacy violation, I don’t want the write.as to have to close down due to a potential fine.
Can anyone please reach out to matt on the fediverse as well?

I sent an email to support@write.as.

Really sorry for this issue – it was fixed earlier this morning. Note that while it existed, only logged-in Write.as users were able to access these pages.

@McPringle, in the future you need to report security vulnerabilities to us privately, via normal support email, as others did. While this was indeed a severe issue, publicizing the information like this makes the situation more unsafe by encouraging others who didn’t previously know about it to exploit it.

3 Likes

Thank you for fixing @matt !

1 Like

You are right, I’m sorry. I wasn’t thinking about it, this was my first report of a security incident. Will do it better next time! :slight_smile:

No worries :slightly_smiling_face: Thanks again for reporting.