Comment by 29athrowaway
2 years ago
> due to an unauthenticated endpoint.
This is truly unacceptable for an authentication product.
An authentication product that doesn't implement authentication correctly in their own APIs?
2 years ago
IMO: I'm pretty sure this is less of an auth issue than it is a rate-limiting issue.
I haven't been able to find anything about the endpoint, but based on the data exposed[0] I think the endpoint they are talking about is the register one which requires a phone number.
I'd bet they didn't rate limit it, and someone just blasted through all phone numbers with it and stored the data for ones that didn't error out.
[0]
The CSV data columns:
account_id
phone_number
device_lock
account_status
device_count
So it's wardialing via the API then.
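The rate-limiting gap guessed at in the thread, sketched from the defender's side as an added example (not code from the vendor or from any commenter): a sliding-window budget on how many distinct phone numbers one client may submit to a registration endpoint. The class name, client ids, thresholds and sample requests are all assumptions constructed for illustration.

```python
from collections import defaultdict, deque


class DistinctNumberLimiter:
    """Sliding-window cap on distinct phone numbers submitted per client."""

    def __init__(self, max_distinct=3, window_s=3600):
        self.max_distinct = max_distinct
        self.window_s = window_s
        self._seen = defaultdict(deque)  # client -> deque of (timestamp, phone)

    def allow(self, client, phone, now):
        q = self._seen[client]
        # Drop requests that have aged out of the window.
        while q and now - q[0][0] >= self.window_s:
            q.popleft()
        distinct = {p for _, p in q}
        # Retries of a number already seen are fine; a new number is refused
        # once the client has used up its distinct-number budget.
        if phone not in distinct and len(distinct) >= self.max_distinct:
            return False
        q.append((now, phone))
        return True


def replay(events, limiter):
    """Feed (timestamp, client, phone) events through the limiter and
    return {client: number_of_refused_requests}."""
    refused = defaultdict(int)
    for ts, client, phone in events:
        if not limiter.allow(client, phone, ts):
            refused[client] += 1
    return dict(refused)


# Constructed sample traffic (fictional 555-01xx numbers):
# one ordinary client retrying its own number, and one client walking
# through ten consecutive numbers one second apart.
SAMPLE = [(t, "app-1", "+12025550199") for t in (0, 30, 60)] + [
    (100 + i, "scan-1", f"+1202555010{i}") for i in range(10)
]

if __name__ == "__main__":
    print(replay(SAMPLE, DistinctNumberLimiter(max_distinct=3)))
```

Counting distinct numbers rather than raw requests leaves a user's retries alone while a sequential sweep exhausts its budget after three numbers. A per-client key is only one layer; a global rate on the endpoint is needed as well when requests arrive from many sources.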