URGENT SECURITY PSA: Stop Using GlobalCitizen.Org – Your Data Is Leaking

I’m a huge supporter of volunteer work and charities around the world. One major inspiration has been Bill Gates who recently came out supporting a site called GlobalCitizen.org.

Naturally, I signed up on January 23rd 2015 to show my support and help out in any way I could. The organization sports an impressive list of partners and seems to be serious enough.

However, I couldn’t. Or rather, I could, but when I logged in, I got the detailed information, including access to reward points for supporting the organization, for someone completely different. I have no idea why, but I was now logged in as a person called Anuj K of India, born September 17, 1975.

[Screenshot 23-01-2015 00-29-14]

[Screenshot 23-01-2015 00-31-00]

Now, this is a very serious thing, both because of the breach of privacy but also because the points volunteers earn are redeemable for real-life goods and services.

The first thing I did was email the group and inform them.

[Screenshot 13-03-2015 17-09-16]

I’ve blurred out the description of the ‘exploit’ (although it really isn’t).

Several days later, I got a response stating that my inquiry had been forwarded. However, checking a week later, the issue was still present, but now I got logged in as yet another person rather than myself.

[Screenshot 13-03-2015 17-10-28]

Here comes the shocking bit. I was told that they were aware of the issue and that others had reported the same thing. However, they didn’t do anything to fix it. I offered to help them because I’ve built a number of systems like these myself and could probably get it reviewed quickly, but I got no response.

[Screenshot 13-03-2015 17-13-25]

I then forgot about it until a few days ago, assuming that they had it under control. But, lo and behold, I logged in, got a clearly faked profile of Arnold Schwarzenegger and today the profile of someone called Rhonda.

[Screenshot 08-03-2015 12-40-04]

[Screenshot 13-03-2015 16-58-59]

I should reiterate that I have full access to these people’s profiles, including, it seems, spending their reward points (although I haven’t tried completing a transaction, for obvious reasons).
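The symptom described above, logging in as yourself and being handed somebody else’s profile and points, is something a site can test for before every release. The following is an added example, not code from the post or from GlobalCitizen.org: a cross-account session isolation check run against a small hypothetical in-memory app. `CorrectApp`, `CachedProfileApp`, the account list and the e-mail addresses are all constructed here. The broken variant models one way such a mix-up can happen (a response cache keyed on the URL alone), chosen only so the check has something to catch; the post does not say what caused the real site’s bug.

```python
import secrets

# Constructed sample accounts for the demo; not real users of any site.
ACCOUNTS = {
    "alice@example.invalid": {"password": "pw-alice", "name": "Alice A", "points": 120},
    "bob@example.invalid": {"password": "pw-bob", "name": "Bob B", "points": 45},
}


class CorrectApp:
    """Hypothetical server: a fresh, unguessable session id per login and a
    profile lookup that always goes through the session's own identity."""

    def __init__(self, accounts):
        self.accounts = accounts
        self.sessions = {}  # session id -> account e-mail

    def login(self, email, password):
        acct = self.accounts.get(email)
        if acct is None or acct["password"] != password:
            return None
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = email
        return sid

    def profile(self, sid):
        email = self.sessions.get(sid)
        if email is None:
            return None
        acct = self.accounts[email]
        return {"email": email, "name": acct["name"], "points": acct["points"]}


class CachedProfileApp(CorrectApp):
    """Hypothetical broken variant (constructed for this example): the rendered
    profile is cached under the URL only, with no per-user component in the key,
    so the first profile rendered is replayed to every later session."""

    def __init__(self, accounts):
        super().__init__(accounts)
        self._cache = {}

    def profile(self, sid):
        if self.sessions.get(sid) is None:
            return None
        key = "/profile"  # the bug: identical key for every user
        if key not in self._cache:
            self._cache[key] = super().profile(sid)
        return self._cache[key]


def check_session_isolation(app, accounts):
    """Log every account in, then confirm each session only ever sees its own
    profile. Returns a list of (expected_email, observed_email) mismatches;
    an empty list means the sessions are isolated."""
    sessions = {}
    for email, acct in accounts.items():
        sid = app.login(email, acct["password"])
        if sid is None:
            raise RuntimeError(f"login failed for {email}")
        sessions[email] = sid
    # Fetch profiles only after every login has completed: cross-user leakage
    # shows up when several authenticated sessions are live at the same time.
    mismatches = []
    for email, sid in sessions.items():
        seen = app.profile(sid)
        observed = seen["email"] if seen else None
        if observed != email:
            mismatches.append((email, observed))
    return mismatches


if __name__ == "__main__":
    print("correct app:", check_session_isolation(CorrectApp(ACCOUNTS), ACCOUNTS))
    print("cached app: ", check_session_isolation(CachedProfileApp(ACCOUNTS), ACCOUNTS))
```

Against a real deployment the two app classes would be replaced by HTTP calls with a separate cookie jar per account; the structure of the check stays the same, and it belongs in the test suite so that a regression like the one in this post blocks a release instead of being reported by users.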

I can no longer keep mum when the organization, after one and a half months, has clearly neglected securing their users from privacy breaches and loss of reward points. I’ve urged them to close logins and signups until they fix the issue, but clearly they do not care enough.

Which is sad, but the short of it is: Do not under any circumstances log in to GlobalCitizen.org, as your information will be leaked to the public, your rewards will be forfeit, and your profile is very likely to be misused.


Published by

Bjørn Furuknap

I previously did SharePoint. These days, I try new things to see where I can find the passion. If you have great ideas, cool projects, or are in general an awesome person, get in touch and we might find out together.