At the moment I am more concerned with how IP and email of users appear without any filter in the UserInfo method, as I consider this to be extremely personal data and the user should have the option to make it public or not.
For example, I can simply go to
https://forum.wapka.co/?WAPKA_SITE_API_TOKEN
https://api.wapka.org/UserInfo?apikey=<token>limit=10000
This needs to be addressed as soon as possible. My recommendations:
- Immediately remove the IP and email data from the API listing;
- Create a way that only site admins can access this information. This can be done by checking if the token used corresponds to an admin who is logged in;
- For the token of properly logged in users, the IP and email information should be shown only for their respective entry in the listing;
- Consider what information other than IP and email may be subject to this precaution.
I know this may sound like I am overreacting, but if Wapka is to become a reliable hosting service, this kind of concern must be taken into account.
Best regards.
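The filtering the post recommends, as an added example that is not Wapka's code: a UserInfo-style listing that returns IP and email only to an admin token, or to a logged-in user for their own entry, and strips them for everyone else. The token store, record layout and field names are assumptions for illustration.

```python
# Added example (not Wapka's code): redaction policy for a UserInfo-style
# listing, following the recommendations in the post above. The token store,
# the record layout and the field names are assumptions for illustration.
from typing import Dict, List, Optional, Tuple

# Fields the post flags as personal; extend this set per recommendation 4.
SENSITIVE_FIELDS = frozenset({"ip", "email"})

# Constructed sample token store: token -> (user id or None, is_admin)
TOKENS: Dict[str, Tuple[Optional[str], bool]] = {
    "tok-admin": ("u1", True),
    "tok-alice": ("u2", False),
    "tok-site":  (None, False),   # site API token, not tied to a logged-in user
}

# Constructed sample listing (example.invalid / 203.0.113.0/24 are reserved)
USERS: List[Dict[str, str]] = [
    {"id": "u1", "name": "admin", "email": "admin@example.invalid", "ip": "203.0.113.1"},
    {"id": "u2", "name": "alice", "email": "alice@example.invalid", "ip": "203.0.113.2"},
    {"id": "u3", "name": "bob",   "email": "bob@example.invalid",   "ip": "203.0.113.3"},
]


def redact(record: Dict[str, str], fields) -> Dict[str, str]:
    """Return a copy of the record without the given sensitive fields."""
    return {k: v for k, v in record.items() if k not in fields}


def user_info(token: str, users: List[Dict[str, str]] = USERS) -> List[Dict[str, str]]:
    """Return the listing with IP/email visible only where the caller is entitled.

    Unknown tokens are rejected outright rather than served a redacted list.
    """
    if token not in TOKENS:
        raise PermissionError("unknown API token")
    caller_id, is_admin = TOKENS[token]
    out = []
    for rec in users:
        if is_admin or rec["id"] == caller_id:
            out.append(dict(rec))                       # admin, or the caller's own entry
        else:
            out.append(redact(rec, SENSITIVE_FIELDS))   # everyone else: no IP, no email
    return out
```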