Online petitions service Change.org has a website bug that's disclosing e-mail addresses that presumably belong to current or former subscribers. Search results suggest the number could be thousands, but a Change.org official said it was about 100.

The disclosure bug was active at the time this post was being prepared and is exploitable using the search box provided on the site or via Google or Bing. The number of results returned ranged from 40,000 to 65,000, although not every result included an e-mail address. Still, a large number of them returned pages like the one above, which Ars has redacted out of fairness to the affected e-mail user.

The leak appears to be the result of Change.org Web links that contain valid GET request tokens used to validate users after they have successfully entered their password. A bug appears to be adding the tokens automatically, even when the viewer hasn't been authenticated. The following screenshot shows a portion of the token in the address bar:

The linked pages display users' entire e-mail address. A separate link shows all the petitions signed by the e-mail users, but trying to click through to profile or settings leads to a login screen.

The leak was the topic of a discussion on Twitter early Friday morning. The topic was started by someone who stumbled on the bug when trying to unsubscribe from a Change.org e-mail list. Change.org Global Communications Director John Coventry told Ars the organization became aware of the bug at 6am PDT. He said that website administrators have disabled the search function and have asked search engines to remove the offending results while engineers investigate and fix the underlying problem. An hour after this post went live, however, the Change.org search feature continued to return results showing e-mail addresses.

Update: Change.org officials said the total number of exposed e-mail addresses was 100. They also provided the following statement: