[lucisferre]

I'm a bit confused is the problem the fact that they implement a full API client in javascript and you can read the code?

The plain-text password in the cook seems to be it's huge flaw, but I don't see the problem with the fact that you can circumvent the javascript as long as business rules are still validated on the server side.

[kenips]

Exactly, and they don't - it does return a random location when I put in a random user_id (they simply expose a user object in the global space with all sorts of attributes in it). They totally upped Apple's "Find My Friends" with this "Find My Strangers" site.