Hieu Nguyen — March 21, 2021
A mistake that sends sensitive data to the public, with the possibility of compromising users' social accounts
It’s one of the silliest mistakes you can make. But who knows. When you get busy, things can happen.
A few days ago, I was on this page, a social platform with 20M users. Wandering on a user profile, I opened his followers page. I must have been switching between debugging my website, and out of curiosity I had a look at an XHR data request on their website.
And bam, the request contained a list of users with personal information, and also the access tokens from their social platform accounts.
With those access tokens, hackers can gain control over social accounts. I guess a large portion of those tokens is still valid. Besides, personal data with contact details is valuable: many companies want it for cold calls/emails, risking users’ privacy.
For 20 million users, this issue is serious.
There is no good explanation for this mistake. The tokens don’t look fake. Maybe their team built the API for convenience, without being careful enough.
You can prevent this mistake by following the Principle of Least Privilege: limit what each user, and each API response, can see or do to exactly what the action requires, no more. A followers endpoint needs public profile fields only. Third-party access tokens are server-side credentials; they should never be returned to any client, not even the account's owner. And besides:
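To make the point concrete, here is an added example (my own illustration, not code from the platform or from this post) of the two ways a followers endpoint can serialize a user record. The leaky version dumps the whole stored record, which is how social tokens end up in an XHR response; the hardened version uses an explicit allow-list of public fields. The sample record, its field names and the placeholder token values are all constructed for this example. A small checker that walks the JSON body for sensitive-looking keys is included so the leak can be caught in a unit test before it reaches production.

```python
import json

# Constructed sample record, shaped like a row a backend might load from its
# user table. All values, including the token strings, are placeholders.
SAMPLE_USER = {
    "id": 42,
    "username": "alice",
    "display_name": "Alice",
    "avatar_url": "https://example.invalid/a.png",
    "email": "alice@example.invalid",
    "phone": "+1-555-0100",
    "social_access_token": "placeholder-access-token",
    "social_refresh_token": "placeholder-refresh-token",
    "password_hash": "$2b$12$placeholder",
}

# The mistake: return the entire stored record. Every column, including
# third-party tokens and the password hash, goes out to whoever calls the API.
def serialize_follower_leaky(user):
    return dict(user)

# Least privilege applied to the response: an explicit allow-list of the
# fields a followers list actually needs. Anything not listed cannot leak,
# even if a new sensitive column is added to the table later.
PUBLIC_FIELDS = ("id", "username", "display_name", "avatar_url")

def serialize_follower_public(user):
    return {k: user[k] for k in PUBLIC_FIELDS if k in user}

def followers_response(users, serializer):
    """Build the JSON body the /followers endpoint would send."""
    return json.dumps({"followers": [serializer(u) for u in users]})

# Practitioner check: scan a decoded response body for keys that look
# sensitive. Substring markers are deliberately broad; a false positive in a
# test is cheap, a missed token is not.
SENSITIVE_KEY_MARKERS = ("token", "secret", "password", "email", "phone")

def find_sensitive_keys(obj, path=""):
    """Return JSON paths of every key whose name matches a sensitive marker."""
    hits = []
    if isinstance(obj, dict):
        for key, value in obj.items():
            key_path = f"{path}.{key}" if path else key
            if any(marker in key.lower() for marker in SENSITIVE_KEY_MARKERS):
                hits.append(key_path)
            hits.extend(find_sensitive_keys(value, key_path))
    elif isinstance(obj, list):
        for index, value in enumerate(obj):
            hits.extend(find_sensitive_keys(value, f"{path}[{index}]"))
    return hits

def response_leaks(body):
    """Parse a response body and list the sensitive keys it exposes."""
    return find_sensitive_keys(json.loads(body))

if __name__ == "__main__":
    leaky = followers_response([SAMPLE_USER], serialize_follower_leaky)
    safe = followers_response([SAMPLE_USER], serialize_follower_public)
    print("leaky response exposes:", response_leaks(leaky))
    print("allow-listed response exposes:", response_leaks(safe))
```

The useful habit is the allow-list: serializers that enumerate what to include fail closed, while ones that enumerate what to strip fail open the moment someone adds a column. The `response_leaks` check is the kind of assertion worth running over every endpoint's test fixtures so that a convenience change to the API cannot quietly start shipping tokens to other users.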
P/s: I've contacted the team to fix the issue mentioned above. A friendly reminder to double check your APIs that handle sensitive data. We’re all busy, mistakes can happen.
I'm a developer, hobbyist photographer. Building Inverr — a NoCode Site Builder