We found a serious privacy vulnerability in the mobile app very quickly: none of the API endpoints required authentication; requests were made using only a long-ish “memberCode”. The memberCode itself is somewhat deterministic, being derived from the date a user signed up for the service, but we found an even easier way in using a shorter “friend code”.
A request with this six-digit “friend” code returned a huge amount of information about that user, including very sensitive information such as their name, phone number, birthday, the exact coordinates where the app was opened, their longer “memberCode” value, and the user’s plaintext password (not that we need it).
It wouldn’t take an attacker more than a couple of days to exfiltrate the entire user database and use it for blackmail or phishing.
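An added example, not code from the app or from this write-up, putting the two defects described above beside a hardened handler: the "before" function treats the friend code as the only credential and returns the whole record, while the "after" function requires a real session, budgets lookups so a six-digit space cannot be walked from one session, and returns only the fields a friend lookup needs. Users, session tokens, field names and the hashed-password placeholder are all constructed.

```python
from typing import Optional

# Constructed user store keyed by six-digit friend code (only ~10^6 values).
USERS = {
    "482913": {"name": "A. Example", "phone": "+15550100", "birthday": "1990-01-02",
               "last_location": (48.85, 2.35), "memberCode": "MC-20190304-7f3a",
               "password_hash": "argon2id$placeholder"},
}
# Constructed session store: bearer token issued at login -> caller's own code.
SESSIONS = {"tok-alice": "482913"}
# The only fields another user legitimately needs when looking up a friend.
PUBLIC_FIELDS = ("name",)
# Per-session lookup budget; enumerating the code space needs far more.
LOOKUP_BUDGET = 20
_lookups: dict = {}


class ApiError(Exception):
    def __init__(self, status: int, msg: str):
        super().__init__(msg)
        self.status = status


def lookup_vulnerable(friend_code: str) -> dict:
    """Before: no authentication; the full record, secrets included, is returned."""
    return USERS[friend_code]


def lookup_hardened(token: Optional[str], friend_code: str) -> dict:
    """After: authenticate the caller, throttle, and minimise what leaves the server."""
    if token is None or token not in SESSIONS:
        raise ApiError(401, "authentication required")      # code != credential
    used = _lookups.get(token, 0)
    if used >= LOOKUP_BUDGET:
        raise ApiError(429, "lookup budget exhausted")      # blocks enumeration
    _lookups[token] = used + 1
    record = USERS.get(friend_code)
    if record is None:
        raise ApiError(404, "no such friend code")
    # Phone, birthday, location, memberCode and the password never take this path.
    return {k: record[k] for k in PUBLIC_FIELDS}


def status_of(fn, *args) -> int:
    """Return the HTTP status a handler would produce (200 on success)."""
    try:
        fn(*args)
        return 200
    except ApiError as e:
        return e.status
```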