Huge security risk!

not-a-bug

#1



This works on any Python exercise and makes use of the Python interpreter.


I was able to view files and folders on the Codecademy system that I do not think I should be able to. This included useruids, and unless this is a well-disguised test playground, I think that this is a security bug that allows viewing of files that should not be allowed.

This may also be usable to delete critical files related to users' environments and details, although I haven't tried this since I don't want to cause damage.

I am unwilling to divulge the exact method I used to accomplish this in case someone else uses it for a more sinister reason before Codecademy staff find out. If you are unable to figure out how to do this, I will be more than happy to show you if you contact me in person.

I wanted to divulge this in a more private way but was unable to find any Codecademy contact information, so this is the best I could do.


#2

Thank you for reporting this, better safe than sorry. To follow up for those interested:

Your environment is self-contained. Feel free to play around, but you may end up corrupting your specific environment.