Non-Public data returned in API calls

Thread starter Kirby
Start date Nov 8, 2023

Kirby

Well-known member

Nov 8, 2023

Affected version: 2.2.13

A custom user field can be defined as

Not being editable by the user
Not being shown on pofile pages
Not being shown in message user info
Not being required

The general perception here is that such a field is "private", eg. can only be seen / modified by Moderators or Administrators.

Yet such fields are returned in API calls like me if the API key has scope user:read.

This could be a security issue, at least it is unexpected.

Suggested Fix
Do not return information in API calls (including but not limited to me) that is otherwise not normally accessible by the user (Preferred)
or
Explicitly document such behaviour

Last edited: Nov 8, 2023

Similar threads

Not a bug Facebook returned the following error: API calls from the server require an appsecret_proof ar

Replies: 6

Views: 2K

Feb 7, 2016

Chris D

Facebook X Bluesky LinkedIn Reddit Pinterest Tumblr WhatsApp Email Link

We value your privacy

We use essential cookies to make this site work, and optional cookies to enhance your experience.

See further information and configure your preferences

Accept all cookies Reject optional cookies
Essential cookies

These cookies are required to enable core functionality such as security, network management, and accessibility. You may not reject these.

Optional cookies

We deliver enhanced functionality for your browsing experience by setting these cookies. If you reject them, enhanced functionality will be unavailable.

Third-party cookies

Cookies set by third parties may be required to power functionality in conjunction with various service providers for security, analytics, performance or advertising purposes.

Detailed cookie usage

Privacy policy

Back

Top Bottom

Non-Public data returned in API calls

Kirby

Well-known member

Similar threads

We value your privacy