Not sure if it was intentional, but unauthenticated users can see the email addresses of all non-anonymous commenters on a page. Specifically, a POST is made to "https://commento.io/api/comment/list"

Might want to hide those since this is supposed to be privacy-focused.
Fixed! Thanks, I'll patch this upstream soon enough :)

I actually had the provision to omit the email in these requests [1], but I forgot to unset the email before responding.

[1] https://gitlab.com/commento/commento/blob/master/api/comment...
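The exposure reported above and the fix described in the reply (the email was loaded with the record and never unset before the response), shown side by side as an added illustration in Go. This is not Commento's own code: the `Comment` type, field names and sample records are hypothetical, and the check only inspects the serialised body.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
)

// Comment is a hypothetical record shape (not Commento's type); Email stays server-side.
type Comment struct {
	CommentHex string `json:"commentHex"`
	Name       string `json:"commenterName"`
	Email      string `json:"email,omitempty"`
}

// loadComments stands in for the database query; the records are constructed.
func loadComments() []Comment {
	return []Comment{
		{CommentHex: "a1b2", Name: "alice", Email: "alice@example.com"},
		{CommentHex: "c3d4", Name: "bob", Email: "bob@example.com"},
	}
}

// listCommentsLeaky reproduces the reported bug: records are serialised as loaded, email included.
func listCommentsLeaky() ([]byte, error) {
	return json.Marshal(loadComments())
}

// listCommentsRedacted applies the fix: unset Email on every record before marshalling,
// whatever the caller's authentication state; omitempty then drops the key entirely.
func listCommentsRedacted() ([]byte, error) {
	comments := loadComments()
	for i := range comments {
		comments[i].Email = ""
	}
	return json.Marshal(comments)
}

// exposesEmail is the regression check a public endpoint should pass:
// true if the serialised response still carries an "email" key anywhere.
func exposesEmail(body []byte) bool {
	return bytes.Contains(body, []byte(`"email":`))
}

func main() {
	leaky, _ := listCommentsLeaky()
	fixed, _ := listCommentsRedacted()
	fmt.Println("leaky:", exposesEmail(leaky), "fixed:", exposesEmail(fixed)) // leaky: true fixed: false
}
```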