Tell HN: Medvi (telehealth) hardcodes 999 patient emails in public JavaScript
Comments
pants2
g48ywsJk6w48
This is not a data leakage. They deliberately included 999 of their customers' email addresses in publicly accessible JavaScript code in order to test certain features on them.
shoo
Are the patient emails real patients or could they be test accounts?
KomoD
The emails are definitely real, I checked a few and they appear in HIBP.
g48ywsJk6w48
They look like real people's email addresses. I checked a few. They belong to real people.
thom-gtdp
How do you find such data leaks? Do you manually check all websites you visit?
g48ywsJk6w48
I was curious to know which service provider they use. So I went to look at the source code of their websites.
speedgoose
Looks like you used a LLM to write your post, or am I wrong?
thom-gtdp
Totally agree Check the Wikipedia page "Signs of AI writing", found 2 of them in this post (overuse of em dash and negative parallelism) Also quickly checked Medvi, their JavaScript looks good...
g48ywsJk6w48
Would you like me to show you specific JavaScript files right here?
thom-gtdp
Yes please, I only checked the ones from homepage, I probably missed some if the other pages includes other scripts
g48ywsJk6w48
Just open app.medvi.org and search in DevTools gmail/yahoo/icloud and you will see js bundle with emails.
or seasonhealth/openloophealth to find another js bundle with staff emails.
thom-gtdp
Mamma Mia I see them! Crazy 1018 customer mails addresses at first sight
g48ywsJk6w48
Yes, and it's a company that makes hundreds of millions of dollars a year.
g48ywsJk6w48
Yes, LLM assisted.
So did you disclose this responsibly? Posting about it publicly first is asking for that sensitive data to be leaked. Might as well hack and repost that PII yourself.