sylvanwoods.bsky.social
@sylvanwoods.bsky.social
Reposted
We all use flawed, problematic platforms and products; it's unavoidable. But X is something else altogether. It's astoundingly evil. Almost none of the usual excuses apply any longer. Get the fuck off of it.
January 8, 2026 at 6:01 PM
Reposted
I feel like a big thing people often don't get is that computers are stupid. They are really, truly, stupid. They can only do what you tell them, exactly what you tell them, and they cannot think "well this is an obvious problem, clearly this wasn't intended" the way even a small child often can
January 8, 2026 at 8:57 AM
Reposted
And this is why I haven't completely lost faith in us as a nation. The pettiness
January 8, 2026 at 3:48 AM
Reposted
Yes people in America get only 2 weeks. People in America also can’t get abortions. People in America die at age 7 at school because of guns. America ain’t shit first of all. Second of all why isn’t Luxon back at work and why does he lie all the fucking time.
January 7, 2026 at 6:48 PM
Reposted
Rationale: API giving anything for a valid cred explains "a valid *user* password" leading to 127k users' files. Client-side access control (which is crazy) is inferred from "well they gotta put *some* access control *somewhere*... right?"
January 6, 2026 at 12:13 PM
Reposted
The website is a client-side webapp with calls to a bunch of C# backend APIs, so there probably isn't too much of a difference in that they could have skipped both and queried the backend API directly.

The High Court decision from today gives a little of technical detail

bsky.app/profile/utf9...
Here's a copy of the High Court injunction decision released to me by the Wellington High Court. The attached publisher's notes state that there are no restrictions on publications.

Change the URL to 2+PS.pdf for the publisher's notes if you're interested

cdn.utf9k.net/documents/Ma...
January 6, 2026 at 11:35 AM
Reposted
Yeah, sounds like access control was done client side, and the API (at least for that module) would give anything to any client with valid creds. Solves your "how'd they get the file list" problem too - the API gave it up.
January 6, 2026 at 12:09 PM
Reposted
What I’m not clear on is whether it was the mobile app or the web platform or both channels that were the problem.

In any case, I’d like to know when (1) MMH last performed a pen test and (2) did they implement the recommendations?
January 6, 2026 at 7:35 AM