Privacy Concerns about the API and its use by unauthenticated and unauthorized users

[francisco]

I know data privacy concerns are not the best skill of Wapka and its users (take as an example the way some admins simply publicly list all user data including IP and email,) but having an API accessible by anyone via a trivial token and making it possible to access such information directly is a big data security issue.
At the moment I am more concerned with how IP and email of users appear without any filter in the UserInfo method, as I consider this to be extremely personal data and the user should have the option to make it public or not.

For example, I can simply go to

Code: Select all

https://forum.wapka.co/?WAPKA_SITE_API_TOKEN

and then copy the token and go to

Code: Select all

https://api.wapka.org/UserInfo?apikey=<token>limit=10000

and get all the emails and IPs of the users of the site, without the need for me to be admin, be logged in, or even have privileged access to the site. This is a pot of gold for spammers and data miners.


This needs to be addressed as soon as possible. My recommendations:

• Immediately remove the IP and email data from the API listing;

• Create a way that only site admins can access this information. This can be done by checking if the token used corresponds to an admin who is logged in;

• For the token of properly logged in users, the IP and email information should be shown only for their respective entry in the listing;

• Consider what information other than IP and email may be subject to this precaution.

I know this may sound like I am overreacting, but if Wapka is to become a reliable hosting service this kind of concern must be taken into account.

Best regards.

[vikkas]

Super

[Administrator]

As currently api is on testing mode that's why api is auto enabled. Soon User will be able to control API functions.