If a website uses an auto-incrementing user-id in its URL (/users/1, /users/2) to showcase public user profiles (just the name + photo / avatar), is it considered a possible vulnerability?
- We cannot comment on whether anything might violate regulations. That's more of a legal question requiring interpretation. – schroeder Jan 23 '20 at 15:21
- Have you considered that this site does exactly what you describe? https://security.stackexchange.com/users/225626/ – schroeder Jan 23 '20 at 15:21
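The question is about the design choice itself, so here is an added example (not code from the question or from any answer) showing the two things a site owner usually does about it: keep the auto-incrementing key internal and expose only an opaque, unguessable identifier in the URL, and watch the access log for a client that walks numeric ids one after another. The `ProfileStore` class, the `sequential_walk_clients` function, the log format and the sample log lines are all assumptions constructed for this illustration.

```python
import re
import secrets
from dataclasses import dataclass, field


@dataclass
class Profile:
    """Hypothetical profile record: the sequential key is never placed in a URL."""
    internal_id: int                      # auto-incrementing database key (internal only)
    name: str
    avatar: str
    # Opaque public identifier: 16 random bytes, URL-safe base64 (22 characters).
    public_id: str = field(default_factory=lambda: secrets.token_urlsafe(16))


class ProfileStore:
    """In-memory stand-in for the users table; assumed for this example."""

    def __init__(self):
        self._next_id = 1
        self._by_internal = {}
        self._by_public = {}

    def create(self, name, avatar):
        p = Profile(self._next_id, name, avatar)
        self._next_id += 1
        self._by_internal[p.internal_id] = p
        self._by_public[p.public_id] = p
        return p

    def public_url(self, p):
        # /users/<opaque id> instead of /users/<row number>, so a stranger cannot
        # walk the whole user base simply by counting.
        return f"/users/{p.public_id}"

    def lookup_by_public_id(self, public_id):
        # Lookups go through the opaque id only; "/users/1" resolves to nothing.
        return self._by_public.get(public_id)


# Common-log-format line with a numeric profile path, as the legacy scheme would log it.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "GET /users/(?P<id>\d+) HTTP/1\.[01]" (?P<status>\d{3})'
)


def sequential_walk_clients(log_lines, min_run=5):
    """Return the client IPs that requested at least `min_run` consecutive profile ids in order.

    A browsing user hops between unrelated profiles; a client that requests
    1, 2, 3, 4, 5, ... is reading the directory front to back.
    """
    per_ip = {}
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        per_ip.setdefault(m["ip"], []).append(int(m["id"]))

    flagged = set()
    for ip, ids in per_ip.items():
        run = 1
        for prev, cur in zip(ids, ids[1:]):
            run = run + 1 if cur == prev + 1 else 1
            if run >= min_run:
                flagged.add(ip)
                break
    return sorted(flagged)


# Constructed sample log: one client walking ids 1..6, one ordinary visitor.
SAMPLE_LOG = [
    '203.0.113.5 - - [23/Jan/2020:15:20:01 +0000] "GET /users/1 HTTP/1.1" 200 512',
    '203.0.113.5 - - [23/Jan/2020:15:20:01 +0000] "GET /users/2 HTTP/1.1" 200 498',
    '198.51.100.9 - - [23/Jan/2020:15:20:02 +0000] "GET /users/17 HTTP/1.1" 200 530',
    '203.0.113.5 - - [23/Jan/2020:15:20:02 +0000] "GET /users/3 HTTP/1.1" 200 501',
    '203.0.113.5 - - [23/Jan/2020:15:20:02 +0000] "GET /users/4 HTTP/1.1" 200 477',
    '198.51.100.9 - - [23/Jan/2020:15:20:03 +0000] "GET /users/42 HTTP/1.1" 200 515',
    '203.0.113.5 - - [23/Jan/2020:15:20:03 +0000] "GET /users/5 HTTP/1.1" 200 509',
    '203.0.113.5 - - [23/Jan/2020:15:20:03 +0000] "GET /users/6 HTTP/1.1" 404 0',
]


if __name__ == "__main__":
    store = ProfileStore()
    alice = store.create("Alice", "alice.webp")
    print(store.public_url(alice))          # e.g. /users/<22 random characters>
    print(store.lookup_by_public_id("1"))   # None: the row number is not a valid handle
    print(sequential_walk_clients(SAMPLE_LOG))  # ['203.0.113.5']
```

The opaque id does not make the profile private (it is still a public page, as the question says), it only removes the free enumeration of how many users exist and who they are; the log check is the complementary detective control when the numeric scheme cannot be changed quickly.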
1 Answer
From the GDPR PII definition:

> ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

Which means that you should create some kind of notification that will notify a user that the data he is submitting to the website is publicly accessible. If not, then you have violated the GDPR.
schroeder
Rashad Novruzov