Privacy Concerns about the API and its use by unauthenticated and unauthorized users

Handle problems or report system bug
Post Reply
User avatar
francisco
Posts: 62
Joined: Tue Mar 07, 2023 1:48 pm
Location: Brazil
Contact:

Privacy Concerns about the API and its use by unauthenticated and unauthorized users

Post by francisco »

I know data privacy concerns are not the best skill of Wapka and its users (take as an example the way some admins simply publicly list all user data including IP and email,) but having an API accessible by anyone via a trivial token and making it possible to access such information directly is a big data security issue.
At the moment I am more concerned with how IP and email of users appear without any filter in the UserInfo method, as I consider this to be extremely personal data and the user should have the option to make it public or not.

For example, I can simply go to

Code: Select all

https://forum.wapka.co/?WAPKA_SITE_API_TOKEN
and then copy the token and go to

Code: Select all

https://api.wapka.org/UserInfo?apikey=<token>limit=10000
and get all the emails and IPs of the users of the site, without the need for me to be admin, be logged in, or even have privileged access to the site. This is a pot of gold for spammers and data miners.


This needs to be addressed as soon as possible. My recommendations:
  • Immediately remove the IP and email data from the API listing;
  • Create a way that only site admins can access this information. This can be done by checking if the token used corresponds to an admin who is logged in;
  • For the token of properly logged in users, the IP and email information should be shown only for their respective entry in the listing;
  • Consider what information other than IP and email may be subject to this precaution.

I know this may sound like I am overreacting, but if Wapka is to become a reliable hosting service this kind of concern must be taken into account.

Best regards.
😴
Administrator
Site Admin
Posts: 34
Joined: Tue Mar 07, 2023 7:56 am

Re: Privacy Concerns about the API and its use by unauthenticated and unauthorized users

Post by Administrator »

As currently api is on testing mode that's why api is auto enabled. Soon User will be able to control API functions.
Post Reply