Holy crap, the exposed JSON is indeed potentially a security issue, even though most of the contents are innocuous. I could write a scraper in Python in about 15 minutes that would harvest every user profile on the site. Granted, since most of it is public info, that would be generally harmless. But if it’s not on by design, it should be turned off.

I notice that it includes my email address in the body if I’m looking at my own JSON, but not when looking at someone else’s. Can you confirm this is the case for yourself as well? If not, then it is a real security hole and needs to be escalated for resolution.

I can see my email address when viewing my own JSON, but not when viewing someone else’s, so that’s good. Or at least not as bad.

Agreed, thanks!

It’s probably the same API endpoint that shows both your own profile details and those of others. That’s what answeres your request when you look at someone else’s profile page on the forum. I doubt it’s a security problem.

That makes sense, and would explain why the email address is hidden, along with time zone and a few other sensitive items.

It’s still unusual to make a raw data endpoint publicly visible like that, though at least there is some intelligent filtering of the JSON based on the requestor agent. I’m guessing it might be public to facilitate people writing Discourse plug-ins that do stuff with user info.

I’m glad to see that the JSON isn’t returned at all if you don’t have an account and aren’t logged in. That should stop most robot crawlers at least.

Speaking of escalation…
Has anyone reported these issues to the “proper authorities” yet?..
Is there a channel to report site hiccups other than, perhaps invoking the admin’s names?

@ivan
@Lesley
@spookysquirrel

Howdy folks! Thanks so much for all this useful research – we are very focused on getting reward surveys out over the next few days but I will be sure to communicate this issue to the folks who have more expertise on it than myself.

Yup I’m getting this error trying to update my birthday / profile via the mobile app. It’s still very much a thing

“No more birthdays.”

Icebreaker1280×720 176 KB

Least it gives us something to do til the new season starts .

Yeh happening on android here as well (Samsung S10)
Can’t update Instagram handle or birthday

i believe the fix is to upgrade from tshirt to hoodie. no, no, that is all lies. but wouldve been funny and profitable if ivan posted it for an hour for real tho, it will be fixed in the not too distant future. just not now

I tried the hoodie upgrade fix - no go - but I do like the hoodie

dont listen to me!! im essentially crow, tunneling outta the SOL, singing ‘its a long way to tipperary’ even tho ironically, its about 10 miles from where i live. “breach hull, all die. even had it underlined.”

I’ve tried a couple browsers and my phone. (Chrome x2, Edge, Firefox) all getting the Internal Server Error message. Much sadness.

I bet you could do it in 5 mins, with 2 likes of code with Python. Lol

I’m taking a closer look at the JSON file mentioned a few dozen posts ago and I see it includes a “user_id” value, which appears to be the system’s auto-incremented value for each user, similar to our unique backer number on Kickstarter. Adjust this URL to find yours:

https://forums.mst3k.com/u/your_username_here.json

I can find my value and anyone else’s. Ivan’s #1, Lesley’s #2 and I’m … #123. Neat!

User #494. Tarde venientibus ossa.

Looks like I’m #64. I must have checked my email just after Lesley posted the invite.