by mtlynch 1257 days ago
One thing that confused me was that the author talks about using "Good Boy Ninja’s method for talking to Gumroad’s API," which I thought meant that they were relying on undocumented behavior of the API. That would explain why Gumroad was so cavalier about breaking existing clients who relied on this method.

I checked Gumroad's API documentation[0] and found that the product_permalink and increment_uses_count parameters weren't documented. Then I checked the Wayback Machine for the documentation at the time the exploit was discovered[1], and those parameters were documented, so the author was relying on documented, supported behavior.

Given this, Gumroad breaking all their clients with only two weeks' notice over the holidays and offering only a $500 bounty feels pretty disrespectful.

I obviously don't know about Gumroad's internals, but nothing about the original API semantics seems inherently insecure to me. Why couldn't they have just verified that the entity that owns the license key also owns the permalink? It feels like Gumroad just chose the fix that minimized work on their end while pushing a lot of work onto their API consumers and those consumers' clients.

[0] https://app.gumroad.com/api#licenses

[1] https://web.archive.org/web/20221107215637/https://app.gumro...
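A hypothetical model of the ownership check the comment proposes, added here as an example; it is not code from the thread or from Gumroad, whose internals are not known, and every seller, permalink and key is constructed:

```python
from dataclasses import dataclass

@dataclass
class License:
    key: str
    product_permalink: str  # product the key was issued for
    uses: int = 0

# Constructed sample data (not real sellers or keys).
PRODUCT_OWNERS = {"demo-app": "seller_a", "demo-plugin": "seller_a", "other-tool": "seller_b"}
LICENSES = {
    "KEY-A-1": License("KEY-A-1", "demo-app"),
    "KEY-B-1": License("KEY-B-1", "other-tool"),
}

def verify_license(product_permalink, license_key, increment_uses_count=True):
    """Return (ok, reason). The check from the comment: the seller who issued
    the license key must also own the permalink named in the request."""
    lic = LICENSES.get(license_key)
    if lic is None:
        return False, "unknown license key"
    requested_owner = PRODUCT_OWNERS.get(product_permalink)
    if requested_owner is None:
        return False, "unknown product permalink"
    issuing_owner = PRODUCT_OWNERS[lic.product_permalink]
    if issuing_owner != requested_owner:
        # Key issued by one seller presented against another seller's product.
        return False, "license key and permalink belong to different sellers"
    # A stricter variant would also require lic.product_permalink == product_permalink.
    if increment_uses_count:
        lic.uses += 1  # only count uses that passed every check
    return True, "valid"

def uses_of(license_key):
    return LICENSES[license_key].uses

if __name__ == "__main__":
    print(verify_license("demo-app", "KEY-A-1"))
    print(verify_license("other-tool", "KEY-A-1"))
```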