I get what you’re saying, but I think you’re missing the point. Yes, the app needs OTP to log in, and yes, uploaded images are technically public—but what I was showing is different: once you’re authenticated, there’s basically no access control on user images. That’s not about OTP or being in a “public environment”; it’s a backend flaw. Anyone with minimal scripting can access all user photos without any extra checks.
Also, even if the API only gives “distance,” you can still roughly triangulate someone’s location within 200 meters, which I demonstrated. The post isn’t about blaming users—it’s about showing how sensitive data is exposed by design, which is a real privacy risk.
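As an added example (not code from the original post or from the app being discussed), the following shows the two backend fixes a defender would want for what the comment describes: object-level authorization on image fetches instead of a bare "is logged in" check, and coarsening a user's position to a grid cell before any distance is computed, so repeated distance queries can reveal only the cell, not the point. All names (`User`, `Image`, `fetch_image`, `report_distance`, the sample ids and coordinates) are hypothetical, constructed for this example.

```python
import math
from dataclasses import dataclass, field

# --- constructed sample data (hypothetical users and images) ---


@dataclass
class User:
    user_id: str
    matches: set = field(default_factory=set)  # users whose photos this user may view


@dataclass
class Image:
    image_id: str
    owner_id: str
    public: bool = False  # profile thumbnail vs. private upload


IMAGES = {
    "img-bob-1": Image("img-bob-1", "bob"),
    "img-carol-1": Image("img-carol-1", "carol"),
    "img-carol-pub": Image("img-carol-pub", "carol", public=True),
}


class Forbidden(Exception):
    """Raised for both 'not allowed' and 'does not exist' so ids cannot be enumerated."""


def fetch_image_vulnerable(requester, image_id):
    """The flawed pattern: authentication is checked, authorization is not.
    Any logged-in account can read any user's image by id."""
    if requester is None:
        raise Forbidden("login required")
    return IMAGES[image_id]


def fetch_image(requester, image_id):
    """Hardened: the object-level check ties the image to the requester.
    Owner, public image, or an owner the requester is matched with may view."""
    if requester is None:
        raise Forbidden("login required")
    img = IMAGES.get(image_id)
    if img is None:
        raise Forbidden("not available")
    if img.public or img.owner_id == requester.user_id or img.owner_id in requester.matches:
        return img
    raise Forbidden("not available")


# --- distance coarsening against trilateration ---

CELL_DEG = 0.01      # ~1.1 km of latitude per cell (assumed coarseness)
ROUND_M = 100        # reported distance granularity in metres (assumed)


def snap_to_cell(lat, lon):
    """Snap a coordinate to the centre of its grid cell. Every position inside
    the cell yields the same centre, so no sequence of queries can separate them."""
    return round(lat / CELL_DEG) * CELL_DEG, round(lon / CELL_DEG) * CELL_DEG


def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two WGS84 points."""
    r = 6_371_000.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def report_distance(viewer_latlon, target_latlon):
    """Distance value safe to expose via the API: computed from the target's
    snapped cell centre, then rounded. Returns an int number of metres."""
    tlat, tlon = snap_to_cell(*target_latlon)
    d = haversine_m(viewer_latlon[0], viewer_latlon[1], tlat, tlon)
    return int(round(d / ROUND_M) * ROUND_M)


if __name__ == "__main__":
    alice = User("alice", matches={"carol"})
    print(fetch_image_vulnerable(alice, "img-bob-1"))   # flaw: Bob's private image is returned
    try:
        fetch_image(alice, "img-bob-1")
    except Forbidden:
        print("hardened: Bob's image denied")
    print(fetch_image(alice, "img-carol-1"))            # allowed: matched with Carol
    viewer = (52.50, 13.40)
    print(report_distance(viewer, (52.52001, 13.40501)),
          report_distance(viewer, (52.52399, 13.40899)))  # same cell, same value
```

The key property of `report_distance` is that the snapping happens on the target side, before the viewer's position enters the calculation: moving the viewer around and re-querying only ever measures distance to one fixed cell centre, which is what defeats the triangulation the comment describes.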