February 26, 2019 08:50 pm PST

Companies reveal mountains of sensitive commercial data in their APIs

Many companies use private APIs to manage their A/B tests of experimental products and approaches. By grabbing the calls that mobile apps make to these APIs, Jon Luca was able to figure out all kinds of sensitive information about companies' future plans: the way Lyft steers customers towards credit cards that are cheaper to process and its use of "Tactical Price Adjustments" to fight customers who price-compare with Uber, Airbnb's future China plans, Pinterest's gendered content differentiation, and so on.

There's lots more, from Amazon's upcoming augmented reality offerings to Tinder's incomplete erasure of a now-deprecated feature that let you view a prospect's Instagram.

Luca has promised a followup in the months to come.

Most companies aren't obfuscating or minimizing their experiment names, which leads to information leakage. This could prove dangerous in the future - if a company is slowly rolling out a new feature, it could give their competitors an advantage.

This is a common occurrence in the industry - nearly every company is siloing off their growth engineering department, which leads to siloed off experiment routes. This in turn makes it almost trivial to figure out what they're working on, and make educated guesses at the 6 month roadmap of most tech services.

Some future companies I'd like to try and check out are Snapchat, Ebay, all the Google products and services, and LinkedIn.

There's a lot more apps and services that this methodology works with. Feel free to reach out if you're interested in finding any given company's experimentation campaigns.
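For teams on the receiving end of this, the sketch below shows one way to obfuscate and minimize experiment names before they reach the app. It is an added example, not code from Luca's post or from any company named above; the experiment names, the registry and the secret are constructed, and it assumes the client build embeds the same keyed IDs, generated at build time.

```python
import hashlib
import hmac
import re

# Constructed registry (hypothetical names): experiment -> ordered variants.
REGISTRY = {
    "checkout_prefer_cheaper_card": ["control", "nudge"],
    "regional_launch_onboarding": ["off", "on"],
    "profile_link_cleanup": ["off", "on"],
}
OPAQUE = re.compile(r"^[0-9a-f]{12}$")


def opaque_id(secret: bytes, name: str) -> str:
    """Keyed ID: without the secret, a guessed name cannot be confirmed."""
    return hmac.new(secret, name.encode(), hashlib.sha256).hexdigest()[:12]


def client_payload(secret, assignments, shipped):
    """Return what the app receives for one user.

    Minimizing: only experiments the installed build has code for.
    Obfuscating: keyed IDs as keys, variant index instead of variant name.
    """
    payload = {}
    for name, variant in assignments.items():
        if name in shipped:
            payload[opaque_id(secret, name)] = REGISTRY[name].index(variant)
    return payload


def leaky_keys(payload):
    """Release check: keys that are not opaque IDs reveal naming."""
    return sorted(k for k in payload if not OPAQUE.match(k))


if __name__ == "__main__":
    secret = b"constructed-demo-secret"  # real key stays server/build side
    user = {"checkout_prefer_cheaper_card": "nudge",
            "regional_launch_onboarding": "on"}
    shipped = {"checkout_prefer_cheaper_card"}
    print(leaky_keys(user))  # raw assignments: every key is descriptive
    print(client_payload(secret, user, shipped))
```

A plain unkeyed hash would not be enough here, because experiment names are guessable and anyone could hash candidate names and compare. The IDs hide the label only; behaviour already shipped in the app binary can still be studied there.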


Original Link: http://feeds.boingboing.net/~r/boingboing/iBag/~3/ie91P62_vI8/variable-names-considered-harm.html
