https://lankybox02.github.io/bundle/view.html#56
your username has “ (banned)” on the navbar if you're banned and you cannot share, edit or delete projects
Yeah I thought I was a first, because I couldn’t find the project, because most viewed projects are out of order lol
Bundle has all user information public here: lankybox02 - Replit
This is really bad. Firstly all tokens have to be hashed to be kept secure, which is very bad for performance, and yet all the hashes are still public. Secondly, having them hashed doesn’t mean they can’t be cracked, someone could run a script to crack these passwords pretty quickly.
This is basically a data breach, this information should not be public.
Dunno, now people can’t ask me to ask jeffalo to verify them, but on the other hand people might try to impersonate me ig so maybe
Wait so how do accounts work if there is no password
Glad you asked! Each account has a different “session” that is saved in your local browser data, along with the username. When you enter the website, the API checks if your username matches with your session. You cannot actually see that session because the only time your browser will actually receive it is when you sign up, so that it can be saved in your local browser data.
Uhh, that sounds bad. Accounts could very easily be lost and it sounds like there’s one token that can be used, meaning if the token is stolen that person has full access over their account. I would recommend just using normal accounts and also having a token pair, one for accessing the site that expires after a short amount of time and one that refreshes the session with a different token, also detect token re-use and all of that.
I had you there the first time along with the other David, but didn’t save, so I must’ve forgot you the second time