Help Center

Improved

Fixed

githubcard

In Review

Planned

In Progress

Completed

Rejected

High Priority

Low Priority

Backlog

Next up

Done

Main Roadmap

Hey {name|there}! 👋

The project looks very nice, but it’s possible to vandalize other users’ cards/profiles:Let's say user A creates a card with custom design id afB0FP_V and embeds the created card in their GitHub profile. Then user B can see in user A's profile which design id the card uses and make a request to the <a target="_blank" rel="noopener noreferrer nofollow" class="link" href="http://githubcard.com">githubcard.com</a> API (PUT <a target="_blank" rel="noopener noreferrer nofollow" class="link" href="https://githubcard.com/api/v1/designs/afB0FP_V">https://githubcard.com/api/v1/designs/afB0FP_V</a>) to update this design and completely change its contents. This overrides user A's design and allows user B to vandalize user A's GitHub profile.

vandalizing other people's cards should be prevented

martin

GithubCard

vandalizing other people's cards should be prevented

Subscribe to post

Subscribe to post