  • 516052 (unregistered)

    When I run into sites like this a question always nags at my mind.
    I know it's illegal to publish the actual private information to anyone. And it's certainly illegal to abuse the information discovered for fun and profit. But what if I went on one of those hacker forums and just gave them a link saying: "look at this". Maybe with some vague instructions on what to look for.

    Would that still be illegal? Or would it be fair play...

  • (nodebb)

    These all look like the "public"/publishable keys and client auth tokens and are supposed to be provided through client-side calls. Maybe the distinction between production or other environments should be baked into the compiled source files but it doesn't really make a difference if that information is exposed to the client. If the client-side uses a development key and then the server-side tries to find that transaction in the production environment it'll return a 404 in the internal API call (the same as if the client generated a bogus transaction id), so no big deal.

  • Logical (unregistered)

    APP_AUTH0_GUID - probably the user you're logged in as, so no big deal.

    APP_TIQ_ENV, APP_PAYPAL_ENV, APP_VENMO_ENV and APP_GRAPHQL_ENV - I wouldn't be surprised if that's just for logging (e.g. Datadog) to allow easy filtering.

    APP_PAYPAL_CLIENT_ID - OIDC client id is public info.

    APP_VISA_CHECKOUT_API_KEY - to actually use the api, you'll need a shared secret as well I think.

    APP_AUTH_AUDIENCE - that one strikes me as odd, why would you need to define your OIDC AUD on the frontend?

    APP_VERIFY_ADDRESS_AUTH_TOKEN - so they allow the frontend to invoke the address validation, without going through the backend. So yeah, that allows anyone to perform address validation using their account.

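The names above divide into values that are expected to live in a browser bundle (environment labels, OIDC client ids) and values that usually belong to a backend credential (auth tokens, API keys). As an added example that is not part of this thread or of the site under discussion, the following Python script triages `APP_*` string assignments pulled from a constructed bundle fragment; the names come from the comment above, every value is a placeholder, and the name patterns are assumptions a reviewer would tune for their own codebase.

```python
import re

# Constructed sample of a client-bundle fragment; names mirror the thread,
# values are placeholders and not real credentials.
SAMPLE_BUNDLE = """
window.__ENV__ = {
  APP_AUTH0_GUID: "00000000-0000-4000-8000-000000000000",
  APP_PAYPAL_ENV: "sandbox",
  APP_PAYPAL_CLIENT_ID: "placeholder-client-id",
  APP_AUTH_AUDIENCE: "https://api.example.test/",
  APP_VERIFY_ADDRESS_AUTH_TOKEN: "tok_placeholder_not_real",
  APP_VISA_CHECKOUT_API_KEY: "vk_placeholder_not_real"
};
"""

# Assumed name patterns: these are normally safe to ship to the browser.
PUBLIC_NAME_PATTERNS = [r"_ENV$", r"_CLIENT_ID$", r"_GUID$", r"PUBLISHABLE"]
# Assumed name patterns: these usually denote a credential that should stay
# server-side, or at least be confirmed as a publishable key.
SECRET_NAME_PATTERNS = [r"_AUTH_TOKEN$", r"_SECRET", r"_PASSWORD",
                        r"PRIVATE_KEY", r"_API_KEY$"]

# Matches APP_NAME: "value" or APP_NAME = 'value' inside the bundle text.
ASSIGNMENT_RE = re.compile(r'\b(APP_[A-Z0-9_]+)\s*[:=]\s*["\']([^"\']*)["\']')


def extract_config(bundle_text):
    """Return {name: value} for every APP_* string assignment in the bundle."""
    return {m.group(1): m.group(2) for m in ASSIGNMENT_RE.finditer(bundle_text)}


def classify(name):
    """'review' if the name looks like a credential, 'public' if it looks
    like client-side config, otherwise 'unknown' (e.g. APP_AUTH_AUDIENCE)."""
    if any(re.search(p, name) for p in SECRET_NAME_PATTERNS):
        return "review"
    if any(re.search(p, name) for p in PUBLIC_NAME_PATTERNS):
        return "public"
    return "unknown"


def triage_bundle(bundle_text):
    """Map each config name found in the bundle to its classification."""
    return {name: classify(name) for name in extract_config(bundle_text)}


if __name__ == "__main__":
    for name, verdict in triage_bundle(SAMPLE_BUNDLE).items():
        print(f"{verdict:8} {name}")
```

Entries marked `review` are the ones to check against the backend: a token that lets the browser call a third-party service directly, as with the address-validation token, is the case to move behind a server endpoint that enforces the site's own authentication and rate limits.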
  • Officer Johnny Holzkopf (unregistered) in reply to 516052

    "I know it's illegal to publish the actual private information to anyone." - It already has been published, so the publisher, i.e. the entity running the website in question and their responsible C?Os, managers, or employees, should be prosecuted if it is actually illegal. It's the same nonsense as "you cannot download that picture" if the picture is already displayed in the client's web browser...

  • xtal256 (unregistered) in reply to Officer Johnny Holzkopf

    It's the same nonsense as "you cannot download that picture" if the picture is already displayed in the client's web browser...

    That's what annoys me about the "AI is stealing my art" crowd: all these AI companies are doing is scraping publicly available data (ok, Midjourney did admit to trying to get around paywalls, but that should be addressed on its own). They can call it unethical or whatever, but it's not "stealing" or "illegal".

  • 516052 (unregistered) in reply to xtal256

    That's not how copyright works. If you display a work in a public venue that does not automatically give everyone with a pair of eyes a royalty free license to reproduce it or derive work from it. If it did that would render the whole concept of copyright meaningless.
