[juunpp]

The latter. Forget tracking auth attempts:

> The researcher added that he discovered another issue where someone could enter a 23andme profile ID, like the ones included in the leaked data set, into their URL and see someone’s profile.

[jtriangle]

Ah, so they were able to use a few accounts, then fuzzed the URLS to victory...

Amazingly incompetent.

[gwbas1c]

I recently had to explain to a tech lead that you can "never trust the client," because any dedicated party can just curl around your UI and send whatever HTTP request they want.

[dylan604]

I remember when this first occurred to me from me deciding that I didn't want to click download a series of things on some website where this was the intended use. I wrote a small shell script to curl it for me, and somewhere during the process of writing the script, I realized the true "power" of this. Ever since then, GET with search queries were protected against in everything I wrote from that point forward. Luckily, that was in the late 90s, so it's been a minute.