Rant: Found out my code was exposing user emails for 6 months
I was digging through my server logs last night and discovered a stat that floored me - my first web app had been leaking user emails in the API responses since launch. A buddy who does pentesting in Austin pointed it out during a casual code review. Turns out I forgot to strip the email field from the JSON output on the user profile endpoint. 47 people had signed up in that time. Has anyone else found a scary bug like this way after the fact?
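The bug in the post is a profile endpoint that serializes the whole user record. As an added example (mine, not the poster's code), here is that leaky serializer next to an allow-list version, plus a response check that flags sensitive keys so the leak would have shown up in a test; the record and field names are constructed.

```python
import json

# Constructed sample record, shaped like an ORM row loaded from the users table.
USER_RECORD = {
    "id": 17,
    "username": "alice",
    "email": "alice@example.com",          # PII: must not leave the server on a public endpoint
    "password_hash": "$2b$12$placeholder",  # constructed placeholder, not a real hash
    "created_at": "2024-01-03T10:00:00Z",
}

# Fields any caller may see on the public profile endpoint. Anything not listed
# is dropped, so a sensitive column added later stays hidden by default.
PUBLIC_PROFILE_FIELDS = ("id", "username", "created_at")

# Keys that must never appear in a response body; used as a last-line check.
SENSITIVE_FIELDS = frozenset({"email", "password_hash"})


def profile_response_leaky(record):
    """The bug described in the post: dump the whole record as JSON."""
    return json.dumps(record)


def profile_response_safe(record):
    """Allow-list serializer: only the named public fields are emitted."""
    return json.dumps({k: record[k] for k in PUBLIC_PROFILE_FIELDS if k in record})


def leaked_fields(body):
    """Return the set of sensitive keys found anywhere in a JSON body, nested included."""
    found = set()

    def walk(node):
        if isinstance(node, dict):
            for key, value in node.items():
                if key in SENSITIVE_FIELDS:
                    found.add(key)
                walk(value)
        elif isinstance(node, list):
            for item in node:
                walk(item)

    walk(json.loads(body))
    return found


if __name__ == "__main__":
    print("leaky:", sorted(leaked_fields(profile_response_leaky(USER_RECORD))))
    print("safe: ", sorted(leaked_fields(profile_response_safe(USER_RECORD))))
```

Running leaked_fields over every endpoint's sample response in the test suite is the cheap way to catch this class of bug before launch rather than six months after.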
2 comments
ivanb412d ago
Tack on another 30 or so that signed up but never used the app again after the first login. They probably bounced because they noticed their email was sitting there in plain text. I found a similar bug in a side project where I was accidentally logging full passwords in plaintext to a debug file. Never published that one but it still made me paranoid about every line of code I push now.
sean_martin442d ago
Honestly think you might be mixing up plaintext and cleartext here. Plaintext is more about unencrypted data sitting in a database, while cleartext just means readable without decryption. Still a brutal bug to catch though, that logging mistake would have kept me up at night too.