It appears that both the API key and the user IDs are public. Indeed, if one intercepts the requests the browser sends to the server, one would be able to discover the API key. Furthermore, user IDs are sent by the server as part of the message response payloads, which allows anyone to determine the user IDs of everyone else. This means that, as a normal user, if I ever find myself in the same channel as a moderator, I can hijack their user ID and essentially do everything that they can do
Hi - we recommend you enable secure mode in production to prevent this vulnerability. Please see more info on the concept and implementation instruction in our docs here: Security - Amity Docs
1 Like