[Security] Sensitive user information displayed api response requests
under review
Aiyumei Resident
The following values should be hidden or encrypted from the api requests as they impose security risk to users' data:
- user id is displayed in the body of the network requests when opening - this can be used for penetration of the backend or for sql injections to affect users' data.
- api body data on login with in-world code/the verified of the code and session tokens are visible in the responses - this information can be intercepted if the user is not using secure connection and used to hack their accounts.
Log In
Aiyumei Resident
I haven't tried to make any tests or attempts to gain access to any backend systems but I was able to successfully intercept the requests and see and acquire the session token for my login from a shared network environment. And since the platform doesn't appear to have cookie expiration nor session authentication this parameter can be hijacked and used to login in the person's account.
Such kind of data returned in the response is too exposed and imposes vulnerability risk. And since you have quite many features planned in the roadmap at some point users will begin to add even more of their information, that includes PII data.
Luke Rowley
under review
Did you find anything to do with the user id yet? Let me know, otherwise I don't see how exposing the user id is a security issue at the moment.