by xocnad
165 days ago
I am apprehensive of the surveillance state and its potential for misuse. However, this disclosure content is less than ideal:

- It mixes two separate issues: 1) embedded default API key and 2) unauthenticated token minting.
- The bulk of the disclosure focuses on enumeration of sensitive data that is implied could have been exposed via the default API key, but what is actually exposed is unclear: "The 50 "portal:app:access:item" privileges reference private item IDs that cannot be inventoried without actively querying each one which I did not do"
- The default API key was for "development" and there is no assertion that live data existed in that environment (though it wouldn't surprise me).
- The default API key was fixed in June 2025; it is only the token minting that has not been.
- The token minting issue is only asserted to "grant access to the geographic mapping of Flock's camera network locations", which would certainly be useful as a source for unethical updates to https://deflock.me/ but obviously not nearly as sensitive.

(And I've always used bullets/lists in my communications, long before AI did this)