A vulnerability allowing an attacker to acquire barely offset (2-4 miles) coordinates with only a user ID. Discovered and fixed January 19th, 2025.
During the last 1-2 weeks of High Seas, there was a map to find mystic taverns, or RSVP to host/attend one. However, this map also included offset locations of Hack Clubbers with attendance statuses, so you could see how many in your area were going. This in and of itself would not have been an issue, as they were anonymous.
But were they? After looking into the network requests and finding the one that returned map data, I saw something interesting: Airtable record IDs were attached to the coordinates. This is worse, but not the worst, as you can't associate it with a Slack ID. Okay, well, actually you could:
- By going to the doubloon leaderboard Airtable
- Opening network requests and looking for a request to the file readForSharedPages
- Copying the response into notepad/vscode/etc
- Searching for the target Slack ID and finding the entry in the JSON
- Copying the record ID for the object
Now you have a record ID you can just search for in the coordinates JSON.
Once I found this issue, I instantly reported it, and it got solved within around 30 minutes.
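
The post does not say how the issue was fixed. One server-side way to close this kind of linkage, as an added example that is not Hack Club's code: build the map response from an allowlist of fields so the record ID never leaves the server, and run a check that walks any public response for record-ID-shaped strings. The field names and sample rows are constructed assumptions; the pattern relies on Airtable record IDs being `rec` followed by 14 alphanumeric characters.

```python
import json
import re

# Airtable record IDs: "rec" followed by 14 alphanumeric characters.
RECORD_ID_RE = re.compile(r"\brec[A-Za-z0-9]{14}\b")

# Allowlist of fields the public map may expose (hypothetical field names).
PUBLIC_FIELDS = ("lat", "lon", "status")

# Constructed sample rows, shaped like the response the post describes:
# a record ID attached to each set of offset coordinates.
SAMPLE_RECORDS = [
    {"id": "recA1b2C3d4E5f6G7", "lat": 40.71, "lon": -74.00, "status": "going"},
    {"id": "recZ9y8X7w6V5u4T3", "lat": 37.77, "lon": -122.42, "status": "maybe"},
]


def build_map_payload(records):
    """Copy only allowlisted fields, so internal IDs never reach the client."""
    return {"markers": [{f: r[f] for f in PUBLIC_FIELDS} for r in records]}


def find_record_ids(node, path="$"):
    """Walk parsed JSON; return (path, id) for each record-ID-shaped string."""
    hits = []
    if isinstance(node, dict):
        for key, value in node.items():
            # An ID used as an object key is just as linkable as a value.
            hits += [(path, rid) for rid in RECORD_ID_RE.findall(key)]
            hits += find_record_ids(value, f"{path}.{key}")
    elif isinstance(node, list):
        for i, value in enumerate(node):
            hits += find_record_ids(value, f"{path}[{i}]")
    elif isinstance(node, str):
        hits += [(path, rid) for rid in RECORD_ID_RE.findall(node)]
    return hits


if __name__ == "__main__":
    leaky = {"markers": SAMPLE_RECORDS}  # shape of the flawed response
    print("leaky:", find_record_ids(leaky))
    safe = build_map_payload(SAMPLE_RECORDS)
    print("safe: ", find_record_ids(safe), json.dumps(safe))
```

Running `find_record_ids` over every public endpoint's response in CI catches the case where a shared identifier is reintroduced by a later change.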