Slashdot Mirror


Code.org Hacked, Emails and Locations Data of Volunteers Compromised

An anonymous reader, allegedly quoting an email from Code.org, claims that the database of the non-profit organization has been breached:

> Some personal data was accessed on our web site by a firm exploiting a client-side vulnerability. Your email address and your location, if you provided it, were compromised and may have been read. The exploit was limited to engineers and others who volunteered to help in classrooms. No student or teacher accounts were impacted, nor passwords or additional information. The exploit did not give hackers access to any of our servers. Earlier this week, a volunteer engineer told us he received an unsolicited recruiting email from a technical freelancing firm in Singapore. We determined the firm was able to retrieve the volunteer's private email address by exploiting a client-side vulnerability on our volunteer map. We've since had 6 similar cases reported. We've fixed the problem, and all private data was secured against future attacks late Friday. We also inspected and secured the rest of our site from similar vulnerabilities.

Code.org has confirmed to Slashdot that it has indeed suffered a breach. The non-profit separately wrote in a blog post that a Singapore-based recruiting firm had exploited a vulnerability on its website to send emails to Code.org members. Following is an email sent by the recruiting firm to Hadi Partovi, CEO of Code.org:

> "Sorry about this... our intention was we thought it'd be good to get them more opportunities to improve their own Computer Science skills beyond the opportunities available in their geographical boundaries / location. We've told our team to stop this with immediate effect. No one should be receiving any more e-mails from us from this point onwards. You have my word that we will delete their email addresses from our mailing lists. They should not receive any more emails from us."

33 comments

  1. Re:Would Rust have prevented this? by Anonymous Coward · · Score: 0

    Unlike many programming languages, Rust never sleeps. I think someone proposed a sleep() function but he was given a Torvalds-style tongue lashing on the mailing list.

  2. Real World by Anonymous Coward · · Score: 1

    Maybe this could be one of the assignments to solve.

    Oh wait, that would actually be complex and require actual thinking skills instead of copying hell world examples and calling yourself a "coder".

    1. Re:Real World by Anonymous Coward · · Score: 2, Funny

      Whenever I try to code hell world, my code crashes and burns :(.

    2. Re:Real World by Anonymous Coward · · Score: 0

      > Whenever I try to code hell world, my code crashes and burns :(.

      Hey, maybe that's how Doom started when JC was learning to code! :)

      Now, more on-topic, think for a minute how strategic that knowledge is. Maybe it's time to do a 180 (that's degrees in case /. swallows it) and promote the use of pseudonyms instead of forcing registering with real names.

      I think knowing those who can code is a valuable asset, fit for a multitude of actions -- not all good for the coders, for the F/OSS community and for society as a whole. We should beware, IMHO.

    3. Re:Real World by Anonymous Coward · · Score: 0

      > Maybe it's time to do a 180 (that's degrees in case /. swallows it) and promote the use of pseudonyms instead of forcing registering with real names.

      You just have to defeat the government, Facebook and Google. Even if you had a few billion available for the propaganda, it would be a very difficult sale.

    4. Re:Real World by Anonymous Coward · · Score: 0

      > You just have to defeat the government, Facebook and Google.

      I don't want to defeat them. I just said I support some level of surveillance as necessary; I'm just pointing out that what they want may leave everyone more vulnerable.

      Do they want American coders more vulnerable? (I'm not American, BTW) -- There is an ancient Greek saying (IIRC), which goes like "Beware of what you want, because you might get it."

    5. Re:Real World by Anonymous Coward · · Score: 0

      Not really.
      You just need to not use those.

      Or, alternatively, prevent you from using your real name when registering on other sites and only keeping your identity on social sites.
      That could make a good extension / program.

  3. by exploiting a client-side vulnerability by Anonymous Coward · · Score: 0

    > by exploiting a client-side vulnerability

    A what?

    1. Re:by exploiting a client-side vulnerability by phantomfive · · Score: 0

      I think it's a polite way of saying that one of their managers fell for a Nigerian 411 scheme and ended up forwarding the entire mailing list to a foreign country in exchange for a seance with the prince of Muganagaba.

      --
      "First they came for the slanderers and i said nothing."
    2. Re:by exploiting a client-side vulnerability by Anonymous Coward · · Score: 0

      Nah, I'm still going with "not using prepared statements". Building SQL statements by concatenating strings is like a siren song to naive developers. It just feels so cool to build command lines piece by piece.
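The contrast this comment draws, as an added example that is not from the original thread or from Code.org: a lookup built by string concatenation beside the same lookup as a parameterized query. It uses Python's standard sqlite3 module against a constructed in-memory volunteers table (the schema, the rows and the function names are assumptions, not anything known about the Code.org site).

```python
import sqlite3

# Constructed sample data, not Code.org's schema or records.
VOLUNTEERS = [
    (1, "alice", "alice@example.org", "Seattle"),
    (2, "bob", "bob@example.org", "Singapore"),
]


def make_db():
    """Build an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE volunteers (id INTEGER, username TEXT, email TEXT, city TEXT)"
    )
    conn.executemany("INSERT INTO volunteers VALUES (?, ?, ?, ?)", VOLUNTEERS)
    return conn


def lookup_concatenated(conn, username):
    """The pattern the comment criticises: caller input is pasted into the SQL text,
    so a quote character in the input changes the query's structure."""
    sql = "SELECT email FROM volunteers WHERE username = '" + username + "'"
    return sorted(row[0] for row in conn.execute(sql))


def lookup_parameterized(conn, username):
    """Prepared statement: the driver binds the value as data, so the same input
    is only ever compared against the username column."""
    sql = "SELECT email FROM volunteers WHERE username = ?"
    return sorted(row[0] for row in conn.execute(sql, (username,)))


if __name__ == "__main__":
    db = make_db()
    tainted = "nobody' OR '1'='1"  # constructed input containing a quote
    print("concatenated:", lookup_concatenated(db, tainted))  # every email
    print("parameterized:", lookup_parameterized(db, tainted))  # []
```

Run stand-alone, the script shows the concatenated version returning every address for an input that contains a quote character, while the parameterized version returns nothing because no username equals that string.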

  4. put it on the internet by turkeydance · · Score: 1

    put it out there. for everyone.

  5. Jail Time by Anonymous Coward · · Score: 0

    What makes me think that Hadi Partovi, CEO, will get nothing more than a slap on the wrist for having such lax security on his site.

    We should demand nothing short of hard jail time, but I can only dream...

    1. Re:Jail Time by manquer · · Score: 1

      under what law?

    2. Re:Jail Time by cheater512 · · Score: 1

      Negligence? Privacy violations.

  6. Just click on the link by John+Bokma · · Score: 3

    to unsubscribe and we will remove you within 24 hours, honestly!

  7. Re:Would Rust have prevented this? by Guy+Harris · · Score: 0

    > Unlike many programming languages, Rust never sleeps. I think someone proposed a sleep() function but he was given a Torvalds-style tongue lashing on the mailing list.

    Bear in mind that there's more to the picture than meets the eye.

    (But what does that have to do with Country Life butter?)

  8. One Weird Trick to Hack Any Web Site by BinBoy · · Score: 3, Interesting

    > This wasn't a case of hackers breaching our security systems, rather it was our mistake of leaving volunteer email addresses accessible via the web browser.

    In other words, someone used the "View Source" command?

    1. Re:One Weird Trick to Hack Any Web Site by Anonymous Coward · · Score: 0

      They talk about a map, so probably some XML file with all the data, being referenced in the source, which someone probably thought "no one would bother to read, as we're not a big and interesting target"...

  9. Good. Fight the man-hate by Anonymous Coward · · Score: 0

    Code.org pays teachers not to teach boys. That is disgusting sexism. I hope this hurts them.

  10. Name the spammer by Antique+Geekmeister · · Score: 2

    Can anyone here identify the spamming company? It's difficult to judge the validity of the recruiter's apology if we don't know who it was.

    1. Re:Name the spammer by Anonymous Coward · · Score: 0

      The name of the perpetrator is confidential because of possible litigation. Post your email address here and we'll send it to you.

    2. Re:Name the spammer by Anonymous Coward · · Score: 0

      > Can anyone here identify the spamming company?

      And if we can, will somebody please add them to the drone list? Thank you.

  11. Couldn't happen to a more irrelevant bunch by drinkypoo · · Score: 2

    Code.org, code.org... oh yeah, isn't that the wankfest that taught Obama how to write an if...then statement? The guys who want us to get new top hats even though our coat tails are on fire? Education is already totally boned and they want kids who can't read or write to learn how to code. They can't secure their site? I am Jack's total lack of surprise.

    --
    "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    1. Re:Couldn't happen to a more irrelevant bunch by Anonymous Coward · · Score: 0

      > Education is already totally boned and they want kids who can't read or write to learn how to code.

      There are two main reasons for that. First, many of the parents are dumber than a sack of hammers themselves and never should have had kids in the first place. Second, the teaching profession and teachers are so full of politically correct bullshit that they can no longer do their job which is to educate children. The portion of the children who escape from this hellish system are the really brilliant and tough ones, the sort that would have succeeded in any case and did so in spite of the American education system and not because of it. Although, even these kids do not come away entirely unscathed. At least some of them have failed to reach their maximum potential due to all of the mindless teaching methods and endless distractions coming from their positively primitive classmates, the ones who grow up to be felons or fast food workers. None of this will change, in my opinion, unless or until Americans are prepared to admit that, in fact, not all kids are equal or deserve the same opportunities all the way through their schooling. This is especially true if we're going to start providing free college education, which I support. Society must not waste resources sending people with IQs of less than 100 to college. Create a suitable education path for those people, but college isn't it.

  12. dear slashdot, by Anonymous Coward · · Score: 0

    could you slap a keyword on every article about somebody getting hacked, with money or data being stolen, ransomed, etc? i'd like to find all of these with a simple filter.

  13. Re:Would Rust have prevented this? by Bengie · · Score: 1

    Who needs sleep when you can spin? CPU time is cheap. This works really great on single core systems.

  14. Re:Would Rust have prevented this? by FatdogHaiku · · Score: 1

    For "a client-side vulnerability" to work, the data (the email address and if available the location) had to be served to the volunteer map from the server, right?
    It just makes me wonder if the "client-side vulnerability" was something super tricky like "View Page Source"...

    --
    You have the right to remain sentient. If you give up the right to remain sentient, you will be elected to public office
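Comments 8.1 and 14 both reason that whatever the map showed in the browser had to be served from the server, so the fix is to decide server-side which fields leave at all. The following is an added example, not Code.org's code and not based on any knowledge of their volunteer map: a constructed volunteer list, a leaky feed that serialises whole records, a minimal feed that allow-lists fields and coarsens coordinates, a hypothetical per-volunteer contact path so teachers can reach a volunteer through the server instead of via a published address, and a response check that flags any email-like string in a public feed. All names and records are assumptions.

```python
import json
import re

# Constructed sample records, not Code.org's data.
VOLUNTEERS = [
    {"id": 17, "name": "Alice Example", "email": "alice@example.org",
     "lat": 47.6062, "lon": -122.3321, "skills": ["python"]},
    {"id": 42, "name": "Bob Example", "email": "bob@example.org",
     "lat": 1.3521, "lon": 103.8198, "skills": ["javascript"]},
]

# Allow-list of fields the public map is permitted to see. Anything not
# listed here (email included) never reaches the browser.
PUBLIC_FIELDS = ("id", "name", "lat", "lon", "skills")

# Hypothetical server-side relay: the browser gets a path, not an address.
CONTACT_PATH = "/volunteers/{id}/contact"


def map_feed_leaky(volunteers):
    """What the commenters suspect happened: every stored field, email
    included, is serialised straight into the page's data feed."""
    return json.dumps(volunteers)


def map_feed_minimal(volunteers, precision=1):
    """Allow-list fields, round coordinates to roughly city level, and
    replace the address with a relay path the server can rate-limit and log."""
    out = []
    for v in volunteers:
        public = {k: v[k] for k in PUBLIC_FIELDS}
        public["lat"] = round(v["lat"], precision)
        public["lon"] = round(v["lon"], precision)
        public["contact"] = CONTACT_PATH.format(id=v["id"])
        out.append(public)
    return json.dumps(out)


# Loose email pattern, good enough to catch addresses in a JSON body.
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")


def leaked_emails(payload):
    """Response check for a public endpoint: any email-like string is a finding."""
    return sorted(set(EMAIL_RE.findall(payload)))


if __name__ == "__main__":
    print("leaky feed leaks:", leaked_emails(map_feed_leaky(VOLUNTEERS)))
    print("minimal feed leaks:", leaked_emails(map_feed_minimal(VOLUNTEERS)))
    print(map_feed_minimal(VOLUNTEERS))
```

The `leaked_emails` check is the part worth wiring into a test suite: run it over every unauthenticated JSON, XML or JavaScript response the site serves, and a regression like the one described in the story fails the build before it reaches the map.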