Hacker News

varenc · yesterday at 7:33 PM · 2 replies

I'm guessing it's not trivial to fix without breaking other things? The weakness seems to be that anyone can turn UUIDs into details like email. But I assume this functionality is necessary for other flows so they can't just turn off all UUID->email/profile lookups. And similarly hiding author UUIDs on posts also isn't trivial.

Conceptually, I agree it should be easy, but I suspect they're stuck with legacy code and behaviors that rely on the current system. Not breaking anything else while fixing this is likely the time-consuming part.


Replies

reactordev · yesterday at 8:24 PM

This is a rendering artifact, nothing more. If you can tokenize and protect PII on your platform, you can protect PII on your public pages.

    if (metadata.is_public)

Simple fix.

chinathrow · yesterday at 7:43 PM

Of course they can fix it, come on.

They can easily withhold information they put out intentionally.

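The trade-off debated in this thread (UUID lookups must keep working for other flows, but email should not reach anonymous callers) can be handled at the serializer with a per-field `is_public` gate. The sketch below is an added example, not code from any commenter or from the platform being discussed; the `Profile` shape, the `trusted_service` flag, the field names and the sample records are all assumptions.

```python
from dataclasses import dataclass, field

# Assumed visibility defaults: a field is hidden unless marked is_public.
DEFAULT_METADATA = {
    "uuid": {"is_public": True},          # author UUIDs stay visible on posts
    "display_name": {"is_public": True},
    "email": {"is_public": False},        # PII: withheld from public lookups
}

@dataclass
class Profile:
    uuid: str
    display_name: str
    email: str
    overrides: dict = field(default_factory=dict)  # per-user opt-ins

    def metadata_for(self, name):
        # Fields with no entry fall back to hidden (deny by default).
        base = DEFAULT_METADATA.get(name, {"is_public": False})
        return {**base, **self.overrides.get(name, {})}

def render_profile(profile, viewer_uuid=None, trusted_service=False):
    """Serialize a profile for one caller, dropping fields it may not see."""
    fields = {
        "uuid": profile.uuid,
        "display_name": profile.display_name,
        "email": profile.email,
    }
    # The owner and server-side flows (assumed to be authenticated by the
    # caller before this flag is set) still get the full record.
    if trusted_service or viewer_uuid == profile.uuid:
        return fields
    return {k: v for k, v in fields.items()
            if profile.metadata_for(k)["is_public"]}

def lookup(store, uuid, viewer_uuid=None, trusted_service=False):
    """UUID -> profile lookup that always goes through the field gate."""
    profile = store.get(uuid)
    if profile is None:
        return None
    return render_profile(profile, viewer_uuid, trusted_service)

# Constructed sample data.
ALICE = "11111111-1111-4111-8111-111111111111"
BOB = "22222222-2222-4222-8222-222222222222"
STORE = {
    ALICE: Profile(ALICE, "alice", "alice@example.com"),
    BOB: Profile(BOB, "bob", "bob@example.com", {"email": {"is_public": True}}),
}
```

The lookup path itself is unchanged for existing callers; only the set of fields returned depends on who is asking.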