by kerridge0 4196 days ago
It looks to me that the URL that calls queries_read_records.like_article() only requires a logged-in user and a record id in order to set a read record as liked? Are you saying that it is not possible to guess the id because it's not a sequential number by default in MongoDB?

The article id is public (they are public on the Internet anyway). But it's not possible (at least as designed) to access any user-specific information if not logged in.
I'm not talking about an information leak; I'm talking about a potential denial-of-liking attack ☺
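To make the point of the exchange concrete, here is an added example (not code from the thread or from the project being discussed) contrasting a like handler that only checks "user is logged in" with one that also checks that the read record belongs to the caller. `ReadRecordStore`, `like_article_weak`, the record shape and the in-memory store are all assumptions standing in for the app's MongoDB-backed `queries_read_records` module.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


class NotAuthorized(Exception):
    """Raised when no user is logged in."""


@dataclass
class ReadRecord:
    record_id: str   # stands in for a MongoDB ObjectId (assumption)
    owner: str       # user who created the read record
    liked: bool = False


class ReadRecordStore:
    """Constructed in-memory stand-in for a MongoDB collection of read records."""

    def __init__(self) -> None:
        self.records: Dict[str, ReadRecord] = {}

    def add(self, record: ReadRecord) -> None:
        self.records[record.record_id] = record

    def like_article_weak(self, user: Optional[str], record_id: str) -> bool:
        """Login check only: anyone who knows or guesses an id can flip the flag."""
        if user is None:
            raise NotAuthorized("login required")
        rec = self.records.get(record_id)
        if rec is None:
            return False
        rec.liked = True
        return True

    def like_article(self, user: Optional[str], record_id: str) -> bool:
        """Hardened: the record must exist AND be owned by the caller.
        In MongoDB terms, filter the update on both _id and owner, not _id alone;
        a non-owner then gets the same 'not found' result as an unknown id."""
        if user is None:
            raise NotAuthorized("login required")
        rec = self.records.get(record_id)
        if rec is None or rec.owner != user:
            return False
        rec.liked = True
        return True


def demo() -> Tuple[bool, bool, bool]:
    """Returns (weak handler abused, hardened handler rejects, owner still works)."""
    store = ReadRecordStore()
    store.add(ReadRecord("r1", owner="alice"))
    weak = store.like_article_weak("mallory", "r1")   # True: alice's record was liked
    store.records["r1"].liked = False                  # reset for the second run
    hard = store.like_article("mallory", "r1")         # False: ownership check fails
    own = store.like_article("alice", "r1")            # True: the owner may like it
    return weak, hard, own
```

The point is that unguessable ids are a weak second line of defence; the ownership filter is the actual control, and it makes the "liked by someone else" case impossible rather than merely unlikely.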