by onewaystreet 4132 days ago
Because it's just the UI, you can't actually use it without an admin account. It's really not an issue at all.
3 comments

This is a good point, but there should be more awareness of the issue as a whole. I've seen many apps that expose data dangerously. Some developers may not be aware that these values are exposed (even with SSL), so they should architect their apps accordingly, reinforcing the fact that you should never trust the client. I also briefly touch on this dynamic architecture and some of the implications it brings.
You mean throwing up a Meteor app with a direct db feed and no fine-grained security on the server side can lead to exploits?
Aha! Good point!
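The point the two comments above are making (a client can set any flag it likes, so the server must decide access from state it controls), as an added example that is not part of the thread and is not Meteor's own code. It is a plain-JavaScript model of a server with a session table and a user store; the user, session and audit-log records are constructed for the example, and the "vulnerable" handler simply trusts an `isAdmin` parameter sent by the client, which is the server-side equivalent of the UI trick being discussed.

```javascript
// Added example, not from the thread or from Meteor: a minimal model of a
// server that separates "what the UI shows" from "what the server returns".
// The client can claim to be an admin; the server must not care.
// All data below is constructed for the example.

// Server-side user store: the role lives here, never in client-supplied state.
const users = {
  u1: { username: 'alice', email: 'alice@example.com', role: 'admin' },
  u2: { username: 'bob',   email: 'bob@example.com',   role: 'user' },
};

// Server-side session table: sessionId -> userId, set at login.
const sessions = { 'sess-alice': 'u1', 'sess-bob': 'u2' };

// Data that only admins should ever receive.
const auditLog = [
  { id: 1, event: 'user.delete', actor: 'u1' },
  { id: 2, event: 'role.change', actor: 'u1' },
];

// VULNERABLE: trusts a flag the client sends with the request. A client-side
// "I'm an admin" hack becomes a real server-side disclosure.
function getAuditLogTrustingClient(req) {
  if (req.params && req.params.isAdmin) return auditLog;
  return [];
}

// Resolve identity from the session; nothing in req.params is consulted.
function currentUser(req) {
  const userId = sessions[req.sessionId];
  return userId ? users[userId] : null;
}

// HARDENED: the role is read from the server-side store for the session's user.
function getAuditLog(req) {
  const user = currentUser(req);
  if (!user || user.role !== 'admin') {
    throw new Error('not-authorized');
  }
  return auditLog;
}

// Publication-style projection. Meteor's default autopublish package sends
// whole collections to every client; the fix is to publish per-caller field
// subsets from the server. Here admins get e-mail addresses, everyone else
// only usernames, and an unauthenticated caller gets nothing.
function publishUsers(req) {
  const user = currentUser(req);
  if (!user) return [];
  return Object.entries(users).map(([id, u]) =>
    user.role === 'admin'
      ? { _id: id, username: u.username, email: u.email }
      : { _id: id, username: u.username });
}

// Demonstration: bob forges isAdmin on the client side.
function demo() {
  const forged = { sessionId: 'sess-bob', params: { isAdmin: true } };
  let hardenedResult;
  try {
    hardenedResult = getAuditLog(forged);
  } catch (e) {
    hardenedResult = e.message;
  }
  return {
    vulnerableRows: getAuditLogTrustingClient(forged).length, // 2: leaked
    hardenedResult,                                           // 'not-authorized'
    bobSeesEmails: publishUsers(forged).some((u) => 'email' in u), // false
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The UI hack in the original story only flips what the client renders; the vulnerable handler here shows what it takes to turn that into a real leak, which is exactly one line of server code that believes the client. The hardened handler keys every decision on the session and the server-side user record, so a forged flag is inert.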

Interesting nevertheless, but ultimately not more than a slight reveal of how things look on the inside.

Information leakage is absolutely a security issue.
The information leaked was most probably a few views/menus. He's only tricking the client into thinking he's an administrator, not the server.