Remove personal info keys from apis [Security] #17
Stefanosapk started this conversation in Bugs reports
Replies: 1 comment
Acknowledged! We'll work on this on priority. Thanks for reporting here 🙏🏼
-
Personal info keys such as email, etc. are sensitive and should never be exposed.
An API that I identified that returns personal info is this: https://www.googleapis.com/identitytoolkit/v3/relyingparty/getAccountInfo?key
But it needs to be removed, and from anywhere else it is exposed.
With any XSS vulnerability in the platform, this can cause many issues for your users.