Huge security risk!


<Below this line, add a link to the EXACT exercise that you are stuck at. The query string (? and beyond) may be truncated.>
This works on any Python exercise and makes use of the Python interpreter.

<In what way does your code behave incorrectly? Include ALL error messages.>
I was able to view files and folders on the Codecademy system that I do not think I should be able to. This included useruid’s, and unless this is a well-disguised test playground, I think that this is a security bug that allows viewing of files that should not be allowed.

This may also be usable to delete critical files related to users’ environments and details, although I haven’t tried this since I don’t want to cause damage.
<What do you expect to happen instead?>
I am unwilling to divulge the exact method I used to accomplish this in case someone else uses it for a more sinister reason before Codecademy staff find out. If you are unable to figure out how to do this, I will be more than happy to show you if you contact me in person.

I wanted to divulge this in a more private way but was unable to find any Codecademy contact information, so this is the best I could do.

Thank you for reporting this, better safe than sorry. To follow up for those interested:

Your environment is self-contained. Feel free to play around, but you may end up corrupting your specific environment.
