Eugen Rochko

@stux If my understanding is correct, if you have an API token (which you can intercept from the app on your phone) you can use their search API to iterate over all users

5 comments
stux⚡

@Gargron Hmm, that "should be" restricted, right? If then it would indeed be just a "simple download" lol

Eugen Rochko

@stux You could argue that there should be an upper limit of results returned by search and rate limits to slow down scraping of data but ultimately I don't see anything that would classify it as unauthorized access at all. All the information obtained is something you would see by visiting each user's profile.
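The two mitigations Eugen mentions, an upper limit on search results and a per-token rate limit, as an added example that is not part of this thread or of Mastodon's own code. The user directory, the token name, the thresholds and the scraper simulation are all constructed for illustration.

```python
"""Search-endpoint guard: caps how deep a client can page and how often a token
may call search, and counts tokens that keep hitting either limit for review."""
from collections import defaultdict, deque

# Constructed directory: 2000 fake accounts a scraper would try to enumerate.
USERS = [f"user{i:04d}" for i in range(2000)]

class SearchGuard:
    def __init__(self, max_results=40, max_offset=80, window_s=300, max_requests=30):
        self.max_results = max_results     # rows returned per call
        self.max_offset = max_offset       # deepest page a client may request
        self.window_s = window_s           # rate-limit window in seconds
        self.max_requests = max_requests   # calls allowed per token per window
        self.calls = defaultdict(deque)    # token -> timestamps of recent calls
        self.flags = defaultdict(int)      # token -> number of times a limit was hit

    def search(self, token, query, offset, now):
        """Return (status, rows); status is 'ok', 'capped' or 'rate_limited'."""
        window = self.calls[token]
        while window and now - window[0] >= self.window_s:
            window.popleft()               # forget calls outside the window
        if len(window) >= self.max_requests:
            self.flags[token] += 1         # a burst of calls: worth logging
            return "rate_limited", []
        window.append(now)
        if offset >= self.max_offset:      # deep paging is how enumeration works
            self.flags[token] += 1
            return "capped", []
        hits = [u for u in USERS if query in u]
        return "ok", hits[offset:offset + self.max_results]

def simulate_enumeration(guard, token="tok-A", query="user", seconds_per_call=1):
    """Page through the directory the way a scraper would; stop at the first limit."""
    collected, offset, t = [], 0, 0
    while True:
        status, rows = guard.search(token, query, offset, t)
        t += seconds_per_call
        if status != "ok" or not rows:
            return status, collected
        collected.extend(rows)
        offset += len(rows)

if __name__ == "__main__":
    status, got = simulate_enumeration(SearchGuard())
    print(status, len(got))                # the offset cap stops it at 80 accounts
    slow = SearchGuard(max_offset=10**6, max_requests=10)
    print(simulate_enumeration(slow, seconds_per_call=31)[0], slow.flags["tok-A"])
```

With only a rate limit and no offset cap, a patient client still gets every profile; the limit just stretches the run out and leaves a pattern an operator can spot.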

stux⚡

@Gargron damn... Still a big error from their side, I think. It's indeed public info, but now it's easily searchable and packed for attackers, so to say :ablobwink:

I don't mind if my email is "leaked" as is, but when more info is added I get more and more spooked.

Григорий Клюшников

Eugen, the API has been completely reverse engineered, long ago. Enough to log in from scratch; you don't even need to extract the token from the actual app. Yes, they do ban accounts that exhibit unusual behavior or make too many requests over short time periods. For that matter, they banned some of the accounts made through that Android app of mine.

Yes it's public stuff and public stuff only. I don't see why it's worthy of any excitement.

b! 🔮

@Gargron @stux

youtube.com/watch?v=CgJudU_jlZ

So something like the Moonpig 2015 situation but with relatively benign, technically public data?

Or like the situation on Discord a while back, also with technically public data?
