HackerOne Disclosed Reports - 2025-04-01

Critical
resolved

The /reports/:id.json endpoint discloses potentially sensitive user attributes when reporter summary is present


Bug reported by Avinash Kumar was disclosed on April 1, 2025, 6:23 pm | Information Disclosure

The /reports/:id.json endpoint disclosed potentially sensitive user attributes, including the reporter's email, OTP backup codes, phone number, graphql_secret_token, and t-shirt size when a reporter summary was present.

