Originally Posted by findark
Sigh. And this is why you don't talk about this kind of thing, let alone publish a website for it...
This particular bug leaked a lot of rather private information for UA, so I'm surprised it lasted as long as it did, but still sad.
It seems pretty weird that they didn’t validate the input parameter to the API. Perhaps the API was originally designed for a different (internal) purpose and then just used for something unintended and not anticipated by the API designer? And so fixing it wasn’t quite as simple as adding the validation (though really not complex either).