- Any user's private profile information can be accessed by anybody as long as the wallet address is known. Since the smart contract addresses are public and the Oath Keeper/Advocate openly lists the wallets, addresses are very easy to obtain. All APIs expose data publicly, but this API in particular allows a wallet address to be linked to a user's real-world identity.
- It also exposes the user's internal id, which makes the JBP DB too predictable for resource harvesting.

Expected Behavior
The API should only return the info if the user is authorized.
Possible Solution
Steps to Reproduce
Environment: Beta/Test/Temp
- Send a GET request to https://beta.jur.io/api/v1/user providing the wallet as a header.
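The following is an added illustration of the expected behaviour described above; it is not Jur's code and not part of the original report. It models a hypothetical handler for `GET /api/v1/user` that takes the target wallet in a header, and shows the two checks the report asks for: the caller must be authenticated, and may only read the profile of the wallet their own session was issued for. The profile store, session table, token values, wallet addresses and `Response` class are all constructed for the example.

```python
"""Added example (illustrative, not Jur's code): an authorization check for a
hypothetical GET /api/v1/user handler that takes the wallet address as a
header, as described in the report above.

Assumptions (all constructed for this example): an in-memory profile store,
an in-memory session table, and a `Response` object standing in for the web
framework's response. In a real service these map onto the application's
database, its session backend and its framework of choice.
"""
import hmac
from dataclasses import dataclass, field

# Constructed sample profiles keyed by wallet address. The internal `id`
# column is sequential on purpose, to show that it must never be echoed back.
ALICE_WALLET = "0x" + "a" * 40
BOB_WALLET = "0x" + "b" * 40
PROFILES = {
    ALICE_WALLET: {"id": 1001, "display_name": "alice",
                   "email": "alice@example.invalid", "phone": "+1-555-0100"},
    BOB_WALLET: {"id": 1002, "display_name": "bob",
                 "email": "bob@example.invalid", "phone": "+1-555-0101"},
}

# Sessions are issued only after the user proved control of the wallet
# (for example by signing a server-issued nonce); issuance is out of scope.
SESSIONS = {"tok_alice_constructed": ALICE_WALLET}

# Columns that must never leave the service, whoever is asking.
INTERNAL_FIELDS = {"id"}


@dataclass
class Response:
    status: int
    body: dict = field(default_factory=dict)


def session_wallet(headers):
    """Return the wallet bound to the caller's bearer token, or None."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return None
    token = auth[len("Bearer "):]
    for issued, wallet in SESSIONS.items():
        # Constant-time comparison so token lookup does not leak via timing.
        if hmac.compare_digest(issued, token):
            return wallet
    return None


def get_user(headers):
    """Handler for GET /api/v1/user with the target wallet in a header.

    Order matters: authenticate first, then authorize against the requested
    resource, and only then touch the data. A request for another user's
    wallet is refused with 403 whether or not that wallet is registered, so
    the endpoint cannot be used to enumerate accounts.
    """
    requested = headers.get("wallet")
    if not requested:
        return Response(400, {"error": "wallet header required"})

    caller = session_wallet(headers)
    if caller is None:
        return Response(401, {"error": "authentication required"})

    # Authorization: a caller may only read the profile of the wallet their
    # session was issued for. Compare case-insensitively because hex
    # addresses are often sent in mixed (checksummed) case.
    if caller.lower() != requested.lower():
        return Response(403, {"error": "forbidden"})

    profile = PROFILES.get(caller)
    if profile is None:
        # Only reachable for the caller's own wallet, so 404 leaks nothing.
        return Response(404, {"error": "no profile for this wallet"})

    # Never return the internal row id; return the remaining fields only.
    return Response(200, {k: v for k, v in profile.items()
                          if k not in INTERNAL_FIELDS})


if __name__ == "__main__":
    auth = {"Authorization": "Bearer tok_alice_constructed"}
    print(get_user({"wallet": ALICE_WALLET}))            # 401: no session
    print(get_user({"wallet": ALICE_WALLET, **auth}))    # 200: own profile, no id
    print(get_user({"wallet": BOB_WALLET, **auth}))      # 403: someone else's wallet
```

The behaviour the report observed corresponds to a handler that skips the 401 and 403 branches and looks up the profile straight from the `wallet` header; the fix is to bind the lookup to the authenticated session rather than to a caller-supplied address, and to strip internal identifiers from every response.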