by wandererx2a 2346 days ago
To the Hacker News crowd, I think that anybody who read timeattack's comment has thought: a server application that outputs files given a filepath? Maybe we can forge some absolute path? And then, 5 minutes later, on GitHub, you confirm your hypothesis by reading 62 lines of Go.

Nevertheless, I am respectful of responsible security disclosure. Maybe timeattack will prefer to use an entirely private channel to communicate with the server owner the next time?

In the end, the info was already out, the author fixed it real quick and I hope he has cleaned his server by now ;)