Privacy issue disclosure (mitigated)

2022-09-28 | @andrea

Users' cards are public – that's the whole point of them. But it's the owner's choice not only what exactly to put in their card, but also to whom and how to send a link to it. Links to the cards are not secret, and they're obviously meant to be shared – but we've decided not to list them anywhere on our site (other than internally in the admin panel) and to ask crawlers via the robots.txt file not to index those subpages.

Recently, when we moved our traffic analytics from Matomo to Plausible, I decided to take advantage of its feature to publish the traffic overview page. It's meant to increase transparency (you can check for yourself what data we store – that they're anonymised and high-level), to support a cool public-source project by showing what tools we use, and to brag a bit and show what kinds of traffic the server is dealing with.

Unfortunately, what I didn't notice is that in the “top pages” section it would also show some card links, if they were visited often enough. Big kudos to @tecc, who not only noticed it, but also implemented a solution and retroactively redacted that information in Plausible's database. Now every request to /@anything… will be counted as /@--redacted--.
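One way to apply the kind of redaction described above before a page view is recorded, as an added example (not the site's actual code). The function names, the sample paths and the assumption that the input is a request path rather than a full URL are all constructed for illustration:

```javascript
// Added example: redact card paths before a page view reaches analytics.
// redactPath and aggregateTopPages are hypothetical names, not the site's code.
const REDACTED = '/@--redacted--';

// Return the path that is safe to record for a requested path.
// Assumes the input is a request path such as "/@name?x=1", not a full URL.
function redactPath(rawPath) {
  // Drop the query string and fragment; they can carry identifying values too.
  const path = rawPath.split(/[?#]/, 1)[0];
  let decoded;
  try {
    // Decode so that "/%40alice" is treated the same as "/@alice".
    decoded = decodeURIComponent(path);
  } catch {
    // Malformed percent-escapes: record nothing identifying.
    return REDACTED;
  }
  // Collapse duplicate slashes ("//@alice") before matching.
  const normalised = decoded.replace(/\/{2,}/g, '/');
  // Any path whose first segment starts with "@" is a card, sub-paths included.
  return normalised.startsWith('/@') ? REDACTED : normalised;
}

// Count page views by recorded path, the way a "top pages" report would.
function aggregateTopPages(paths) {
  const counts = new Map();
  for (const p of paths) {
    const key = redactPath(p);
    counts.set(key, (counts.get(key) || 0) + 1);
  }
  return counts;
}
```

Redacting at ingestion only covers new page views; rows stored earlier still hold the original paths, which is why the fix above also rewrote the existing data.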

Note: this does not mean any private data or passwords were leaked (we store just a minimal set of data anyway, and we don't even store passwords). It's just about publicly listing some data that we didn't intend to list.

We doubt whether this issue had actually been abused for any nefarious purposes, but we thought we'd let you know just in case. Of course, by their very nature, links to various cards have always been present all around the web, as they're meant to be shared – and once the owner of a card shares their link with anyone, that person can just pass it on. And of course one can always find some valid cards by simply guessing usernames. But for the sake of people who prefer keeping their links more private, we had decided not to list the usernames anywhere. This instance of publishing a limited list of some usernames was not intentional, and we apologise. If keeping usernames unlisted is important to you, we recommend simply changing your username.
