Hacker News
by nemacol 982 days ago
How do you hide authenticating 1.3+m unique accounts? A distributed system? A mess of VPNs? Or they don't hide it because the auth system is not checking for 1.3 million auth attempts?
1 comment

The latter. Forget tracking auth attempts:

> The researcher added that he discovered another issue where someone could enter a 23andme profile ID, like the ones included in the leaked data set, into their URL and see someone’s profile.

Ah, so they were able to use a few accounts, then fuzzed the URLs to victory...

Amazingly incompetent.

I recently had to explain to a tech lead that you can "never trust the client," because any dedicated party can just curl around your UI and send whatever HTTP request they want.
I remember when this first occurred to me. I had decided that I didn't want to click download on a series of things on some website where that was the intended use, so I wrote a small shell script to curl them for me, and somewhere during the process of writing the script I realized the true "power" of this. Ever since then, GETs with search queries were protected against in everything I wrote from that point forward. Luckily, that was in the late 90s, so it's been a minute.
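The thread's question is why an auth system never noticed 1.3 million login attempts: per-account lockout does not fire when each account is tried once or twice. The following is an added example (not code from the thread or from 23andMe) of the aggregate check a defender would run instead: it groups attempts by source within a sliding window and flags sources that try many distinct accounts with a low success ratio. The log format, thresholds and addresses are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of authentication events (not real logs):
# timestamp, source IP, account, outcome
SAMPLE_LOG = """\
2023-10-01T12:00:00Z 198.51.100.7 alice FAIL
2023-10-01T12:00:01Z 198.51.100.7 bob FAIL
2023-10-01T12:00:02Z 198.51.100.7 carol OK
2023-10-01T12:00:03Z 198.51.100.7 dave FAIL
2023-10-01T12:00:04Z 198.51.100.7 erin FAIL
2023-10-01T12:00:05Z 198.51.100.7 frank FAIL
2023-10-01T12:05:00Z 203.0.113.9 alice FAIL
2023-10-01T12:05:30Z 203.0.113.9 alice OK
"""


def parse_events(text):
    """Parse constructed log lines into (timestamp, ip, account, success) tuples."""
    events = []
    for line in text.splitlines():
        ts, ip, user, outcome = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, outcome == "OK"))
    return events


def flag_stuffing_sources(events, window=timedelta(minutes=10),
                          min_distinct=5, max_success_ratio=0.5):
    """Return {ip: (distinct_accounts, attempts, successes)} for every source that,
    within any `window`, tries at least `min_distinct` different accounts and
    succeeds on at most `max_success_ratio` of them. A per-account lockout counter
    never trips on this pattern because no single account sees repeated failures."""
    by_ip = defaultdict(list)
    for ts, ip, user, ok in sorted(events):
        by_ip[ip].append((ts, user, ok))
    flagged = {}
    for ip, attempts in by_ip.items():
        start = 0
        for end in range(len(attempts)):
            # Slide the window start forward until the span fits inside `window`.
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            span = attempts[start:end + 1]
            users = {u for _, u, _ in span}
            successes = sum(ok for _, _, ok in span)
            if len(users) >= min_distinct and successes / len(span) <= max_success_ratio:
                flagged[ip] = (len(users), len(span), successes)
    return flagged
```

Stuffing spread across many sources (the "distributed system" or "mess of VPNs" in the question) defeats the per-IP grouping; applying the same window logic to all events at once, without the `by_ip` split, gives the site-wide distinct-account failure count that would have surfaced a 1.3 million account run.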