That's just ... absurd.

The flaw itself is absurd but then just accepting it as "by design" makes it even worse.

▲ chinathrow 2 hours ago | parent [-]

It's also trivially easy to fix. 1 min delete and deploy.

▲ varenc an hour ago | parent [-]

I'm guessing it's not trivial to fix without breaking other things? The weakness seems to be that anyone can turn UUIDs into details like email. But I assume this functionality is necessary for other flows so they can't just turn off all UUID->email/profile look ups. And similarly hiding author UUIDs on posts also isn't trivial.

Conceptually, I agree it should be easy, but I suspect they're stuck with legacy code and behaviors that rely on the current system. Not breaking anything else while fixing this is likely the time consuming part.

▲ reactordev 14 minutes ago | parent | next [-]

This is a rendering artifact, nothing more. If you can tokenize and protect PII on your platform, you can protect PII on your public pages.

    if (metadata.is_public)

Simple fix.

▲ chinathrow an hour ago | parent | prev [-]

Of course they can fix it, come on.

They can easily withold information they put out intenionally.

	▲	csallen 43 minutes ago \| parent [-]
		The whole point of that comment is that it's not that easy. There are potential side effects and consequences that are difficult to architect around.