dfworks | 4 months ago

It’s perhaps a bit better now, but back when trip-sharing features were first added to third-party mapping and delivery platforms, there was a real tendency to overshare. Many early implementations generated public URLs with sequential or low-entropy IDs that could be guessed or brute-forced. Anyone who knew the pattern could enumerate live or historical “shared trips,” exposing routes, addresses, and other metadata that were never meant to be public.

I documented a few examples of this a while ago, which demonstrate how easily these systems could leak journey data.

https://dfworks.xyz/blog/online_stalking_citymapper/

https://dfworks.xyz/blog/pizza_order/
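A server-side sketch of the fix for the guessable share-ID problem the comment describes, added here as an example and not taken from the comment or the linked posts: share links carry a 128-bit random token, only its hash is stored, and links expire or can be revoked. The names ShareLinkStore, TOKEN_BYTES and expected_guesses_log2 are hypothetical, and the in-memory dict stands in for a real database.

```python
import hashlib
import math
import secrets
import time

TOKEN_BYTES = 16  # 128 bits from the OS CSPRNG (size assumed for this example)


class ShareLinkStore:
    """Hypothetical in-memory store for trip-share links (constructed example)."""

    def __init__(self):
        self._links = {}  # sha256(token) -> (trip_id, expires_at)

    @staticmethod
    def _key(token):
        # Store only a hash, so a leaked table does not yield usable share URLs.
        return hashlib.sha256(token.encode()).hexdigest()

    def create(self, trip_id, ttl_seconds, now=None):
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(TOKEN_BYTES)  # unguessable, non-sequential
        self._links[self._key(token)] = (trip_id, now + ttl_seconds)
        return token

    def resolve(self, token, now=None):
        now = time.time() if now is None else now
        key = self._key(token)
        entry = self._links.get(key)
        if entry is None:
            return None  # unknown token: same answer as an expired one
        trip_id, expires_at = entry
        if now >= expires_at:
            del self._links[key]  # historical trips stop being reachable
            return None
        return trip_id

    def revoke(self, token):
        return self._links.pop(self._key(token), None) is not None


def expected_guesses_log2(id_bits, live_links):
    """log2 of the mean number of uniform random guesses needed to hit any live link."""
    return id_bits - math.log2(live_links)
```

With 1,024 live links, a 20-bit ID space falls after about 2^10 guesses on average, while the 128-bit token needs about 2^118, which is why rate limiting alone does not rescue a short or sequential ID.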
