Summary
The frontend sends page-view, click, and unload telemetry to /log-activity on every session, but no backend entrypoint implements that route.
Evidence
- https://github.com/h9zdev/WireTapper/blob/main/templates/wifi-search.html#L23-L66 defines sendActivity() and posts interaction data to /log-activity.
- The same block uses navigator.sendBeacon('/log-activity', ...) on unload.
- No matching /log-activity handler exists in app.py or app-env.py; the route appears only in the template.
Why this matters
- Every page view and user interaction triggers blind network calls to an endpoint that does not exist.
- This creates noisy failing traffic, dead telemetry, and a false impression that operator activity is being recorded.
- The code also reads username from client cookies and treats it as telemetry identity, which is meaningless if the logging path is absent.
Attack or failure scenario
An operator assumes the interface records usage or audit activity because the page visibly wires a telemetry path. In reality, every interaction posts into a dead endpoint, so no record exists when an incident or dispute needs reconstruction.
Root cause
Client-side telemetry was added without shipping the server-side collection path or validating route parity.
Recommended fix
- Remove the dead telemetry calls until a backend contract exists.
- If activity logging is required, implement the route server-side with authenticated identity and explicit retention rules.
- Add frontend/backend contract checks so missing routes fail in development.
Acceptance criteria
- The page no longer emits telemetry to nonexistent endpoints.
- Any future activity logging has a real backend handler and documented identity source.
- Route parity checks catch missing telemetry handlers before release.
Suggested labels
- bug
- observability
- architecture
- production-readiness
Priority
P1 (High)
Severity
High — the application emits constant dead telemetry and presents nonexistent auditability as if it were real.
Confidence
Confirmed — the template emits /log-activity requests and the backend defines no corresponding route.
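
One way to implement the route parity check from the recommended fix, as an added example that is not part of the original issue or the WireTapper code base. It assumes the backend declares routes with Flask-style @app.route decorators (the issue only names app.py and app-env.py); the function names and the sample template and backend text are constructed for illustration.

```python
import re
import sys

# Client calls with a literal root-relative path: fetch('/x', ...) and
# navigator.sendBeacon('/x', ...). Query strings and fragments are dropped.
CLIENT_CALL = re.compile(r"""(?:\bfetch|\bsendBeacon)\s*\(\s*(['"])(/[^'"?#]*)""")
# Assumption: routes are declared with Flask-style @<obj>.route('/path') decorators.
SERVER_ROUTE = re.compile(r"""@\w+\.(?:route|get|post)\s*\(\s*(['"])(/[^'"]*)\1""")

def client_paths(template_text):
    return {m.group(2).rstrip("/") or "/" for m in CLIENT_CALL.finditer(template_text)}

def server_patterns(backend_text):
    """Compile each declared route; <name> or <conv:name> matches one path segment."""
    patterns = []
    for m in SERVER_ROUTE.finditer(backend_text):
        rule = m.group(2).rstrip("/") or "/"
        parts = re.split(r"<[^>]+>", rule)
        patterns.append(re.compile("[^/]+".join(map(re.escape, parts)) + r"\Z"))
    return patterns

def missing_routes(templates, backends):
    """Return {template name: sorted client paths that no backend route handles}."""
    patterns = [p for text in backends.values() for p in server_patterns(text)]
    report = {}
    for name, text in templates.items():
        dead = sorted(p for p in client_paths(text) if not any(r.match(p) for r in patterns))
        if dead:
            report[name] = dead
    return report

# Constructed sample input modelled on the issue's description, not copied from the repo.
SAMPLE_TEMPLATES = {"wifi-search.html": """
function sendActivity(data) {
  fetch('/log-activity', {method: 'POST', body: JSON.stringify(data)});
}
window.addEventListener('unload', () => navigator.sendBeacon('/log-activity', '{}'));
fetch("/api/search?q=" + encodeURIComponent(q));
"""}
SAMPLE_BACKENDS = {"app.py": """
@app.route('/')
def index(): ...
@app.route('/api/search')
def search(): ...
"""}

if __name__ == "__main__":
    report = missing_routes(SAMPLE_TEMPLATES, SAMPLE_BACKENDS)
    for template, paths in report.items():
        print(f"{template}: no backend handler for {', '.join(paths)}")
    sys.exit(1 if report else 0)  # non-zero exit fails the development or CI run
```

Only literal paths are detected; URLs assembled at runtime in JavaScript need a runtime check against the application's registered routes instead.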