Hacker News
by kenips 5356 days ago
This is horrible, yet from Canada's largest(?) wireless carrier??

Check out: https://www.rogersphonefinder.com/javascripts/conf.js https://www.rogersphonefinder.com/javascripts/fq.js

and you can bypass all the business logic, including checking someone's location I think.

Did I mention that they store your password in plaintext in a cookie? #facepalm

1 comment

I'm a bit confused: is the problem the fact that they implement a full API client in JavaScript and you can read the code?

The plain-text password in the cookie seems to be its huge flaw, but I don't see the problem with the fact that you can circumvent the JavaScript as long as business rules are still validated on the server side.

Exactly, and they don't - it does return a random location when I put in a random user_id (they simply expose a user object in the global space with all sorts of attributes in it). They totally upped Apple's "Find My Friends" with this "Find My Strangers" site.