The feature works as intended, but what’s in the source?

How does this feature work?

When testing on [redacted] I noticed this piece of text:

What’s in the source?

Still authenticated as the list creator, I decided to browse the source when viewing my thank you list (via view-source). I was curious: was it only my address that was shared? I decided to search for the email I used to purchase an item, so I pressed Ctrl+F and began searching for "@googlemail.com".

Takeaways

Just because a feature says it will only share certain information, do not take that at face value: verify it. Do as much detective work as possible to determine whether more information can be recovered than the UI shows, starting with the page source. Developers work with lots of data, and as an application grows they have to decide exactly which fields get reflected back to the client; because they handle so much data, developers can make mistakes and leak more than intended. GraphQL is notorious for this, and I consider it "leakyql".
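The view-source-and-Ctrl+F check above can be automated. The script below is an added example, not code from the original post or from the site it describes: it splits a page into the text a browser renders and the `<script>` bodies it does not, parses any JSON state it finds in those scripts (GraphQL clients commonly hydrate the page this way), and reports every email address that exists in the source but is never displayed, together with the JSON path it was found at. The sample page, the field names and the addresses in it are all constructed for the example; the assumption is only that the leaked data sits in embedded script/JSON state, which is where the post's "detective work" found it.

```python
"""Report e-mail addresses present in a page's script/JSON state but never rendered."""
import json
import re
from html.parser import HTMLParser

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


class _SourceSplitter(HTMLParser):
    """Split a page into the text a browser renders and the <script> bodies it does not."""

    def __init__(self):
        super().__init__()
        self.visible = []   # text nodes outside <script>
        self.scripts = []   # one string per <script> element
        self._buf = None    # accumulates the body of the script currently open

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._buf = []

    def handle_endtag(self, tag):
        if tag == "script" and self._buf is not None:
            self.scripts.append("".join(self._buf))
            self._buf = None

    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)
        else:
            self.visible.append(data)


def _json_payload(script_text):
    """Return the JSON object carried by a script body, or None if it has none.
    Handles <script type="application/json">{...}</script> and assignments
    such as  window.__STATE__ = {...};  (the common hydration patterns)."""
    candidates = [script_text.strip()]
    m = re.search(r"=\s*(\{.*\})\s*;?\s*$", script_text, re.S)
    if m:
        candidates.append(m.group(1))
    for text in candidates:
        try:
            return json.loads(text)
        except ValueError:
            continue
    return None


def _walk(obj, path=""):
    """Yield (json_path, value) for every string leaf in a JSON tree."""
    if isinstance(obj, dict):
        for key, val in obj.items():
            yield from _walk(val, f"{path}.{key}" if path else key)
    elif isinstance(obj, list):
        for i, val in enumerate(obj):
            yield from _walk(val, f"{path}[{i}]")
    elif isinstance(obj, str):
        yield path, obj


def find_hidden_emails(html):
    """Return {email: [locations]} for addresses that appear in script/JSON
    payloads but nowhere in the rendered text of the page."""
    parser = _SourceSplitter()
    parser.feed(html)
    parser.close()
    shown = set(EMAIL_RE.findall(" ".join(parser.visible)))
    hidden = {}
    for n, body in enumerate(parser.scripts):
        payload = _json_payload(body)
        # Fall back to scanning the raw script text when it is not JSON.
        hits = list(_walk(payload)) if payload is not None else [(f"script[{n}] raw", body)]
        for where, text in hits:
            for email in EMAIL_RE.findall(text):
                if email not in shown:
                    hidden.setdefault(email, []).append(where)
    return hidden


# Constructed sample page (not from the original post): the creator's address is
# rendered, but the buyers' addresses exist only in the embedded state.
SAMPLE_HTML = """<html><body>
<h1>Thank you list for Alice</h1>
<p>Contact the list creator: alice@example.com</p>
<ul><li>Kettle - bought by J.</li><li>Toaster - bought by K.</li></ul>
<script id="__STATE__" type="application/json">
{"list": {"owner": {"name": "Alice", "email": "alice@example.com"},
          "purchases": [
            {"item": "Kettle",  "buyer": {"name": "J.", "email": "buyer1@googlemail.com"}},
            {"item": "Toaster", "buyer": {"name": "K.", "email": "buyer2@example.org"}}]}}
</script>
<script>window.__APP__ = {"support": "help@example.com"};</script>
</body></html>"""

if __name__ == "__main__":
    for email, where in find_hidden_emails(SAMPLE_HTML).items():
        print(f"{email}  <-  {', '.join(where)}")
```

Point it at a saved copy of the authenticated page (or at the response body from your proxy) instead of `SAMPLE_HTML`; the JSON path in the output tells you which field of the hydrated state is over-shared, which is exactly what the developer needs in the report. Extending `EMAIL_RE` to phone numbers or postal addresses is a one-line change.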
