Private Avatar Information Leak
tracked
satoukonya
When accessing a private avatar's URL, the webpage frontend displays the error: "Error: Avatar Not Found."
However, if the F12 Developer Tools are opened and the Network panel is inspected, information that should not be visible—such as the cover image URL, name, and description—can still be viewed. This data could potentially be exploited by third parties for illicit information gathering.
WubTheCaptain
Notably, this bug doesn't extend to avatars that have been taken down due to a DMCA takedown notice ("Error: This avatar is unavailable․"), such as avtr_72509025-0307-447e-b572-e9ecfbdc9548.
WubTheCaptain
This information leak also doesn't apply to private avatars that have been deleted (such as avtr_3167bbef-47d4-425f-8aab-4f8dfc0aae8e).
StormRel marked this post as tracked
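
One way to close the gap described in this report, as an added example that is not part of the original thread and not the service's own code: the visibility decision is made on the server before any avatar field is serialized, and a regression check scans the raw response body (what the Network panel shows) for leaked values. The data model (`ownerId`, `visibility`, `state`, `imageUrl`), the status codes and the sample records are assumptions constructed for illustration.

```javascript
// Added example; field names, states and status codes are assumed, not the real API.
const SENSITIVE = ["name", "description", "imageUrl"];
const NOT_FOUND = { status: 404, body: { error: "Avatar Not Found" } };
const UNAVAILABLE = { status: 404, body: { error: "This avatar is unavailable." } };

// Decide what the requester may see BEFORE any avatar field is serialized,
// so a hidden avatar never reaches the response body at all.
function avatarResponse(avatar, requesterId) {
  // Unknown and deleted avatars are indistinguishable to the caller.
  if (!avatar || avatar.state === "deleted") return NOT_FOUND;
  // Taken-down avatars get their own error, still with no metadata.
  if (avatar.state === "dmca") return UNAVAILABLE;
  const isOwner = requesterId !== null && requesterId === avatar.ownerId;
  // Private avatar, non-owner: same body as a missing avatar.
  if (avatar.visibility === "private" && !isOwner) return NOT_FOUND;
  const { id, name, description, imageUrl } = avatar;
  return { status: 200, body: { id, name, description, imageUrl } };
}

// Regression check: which sensitive fields of `avatar` appear anywhere in the
// raw JSON body, regardless of what the frontend chooses to render?
function leakedFields(avatar, response) {
  const raw = JSON.stringify(response.body);
  return SENSITIVE.filter((field) => {
    if (!avatar[field]) return false;
    // Compare against the JSON-escaped form of the value.
    const needle = JSON.stringify(avatar[field]).slice(1, -1);
    return raw.includes(needle);
  });
}

// Constructed sample record (placeholder id, not taken from the thread).
const privateAvatar = {
  id: "avtr_00000000-0000-0000-0000-000000000000",
  ownerId: "usr_owner",
  visibility: "private",
  state: "active",
  name: "Constructed Name",
  description: "Constructed description",
  imageUrl: "https://files.example.invalid/cover.png",
};

// Constructed response imitating the reported behaviour (shape assumed):
// an error for the UI while the metadata is still present in the body.
const leakySample = { status: 200, body: { error: "Avatar Not Found", ...privateAvatar } };
```

Running `leakedFields` against the response returned for a non-owner session is a check that fails on the behaviour reported here and passes once the body carries only the error.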