2019-12-09, 03:36 PM
There should be a way to make it impossible for a regular user to determine that a private thread does exist.
Let's say this URL takes privileged users to the moderator thread:
https://site.com/showthread.php?tid=1
With the Google SEO plugin enabled, it might make it more obvious:
https://site.com/Thread-Moderators-Thread--1
If an unprivileged user has the tid value, he will know that thread exists for a fact, but can't access it, and with the Google SEO URL function, it is clear as day.
If you were to delete that thread, a regular user attempting to access it would get a "thread does not exist" error, and thus keep trying other tid values until he finds another instance.
This is a security issue that should be looked into.
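
The behaviour described in the post above, next to a lookup that answers identically for a missing thread and a thread the viewer may not read. This is an added example, not part of the original post and not MyBB or Google SEO plugin code; the array layout, function names and status codes are assumptions made for illustration.

```php
<?php
// Constructed sample data; layout and all function names are hypothetical, not MyBB's.
$threads = [
    1 => ['subject' => 'Moderators Thread', 'private' => true],
    2 => ['subject' => 'Welcome',           'private' => false],
];

// Leaky lookup: three distinguishable outcomes, so tid=1 is confirmed to exist.
function lookup_leaky(array $threads, int $tid, bool $privileged): array
{
    if (!isset($threads[$tid])) {
        return ['status' => 404, 'body' => 'Thread does not exist'];
    }
    if ($threads[$tid]['private'] && !$privileged) {
        return ['status' => 403, 'body' => 'No permission'];
    }
    return ['status' => 200, 'body' => $threads[$tid]['subject']];
}

// Uniform lookup: a thread the viewer may not read is treated as absent.
function lookup_uniform(array $threads, int $tid, bool $privileged): array
{
    $thread = $threads[$tid] ?? null;
    if ($thread === null || ($thread['private'] && !$privileged)) {
        return ['status' => 404, 'body' => 'Thread does not exist'];
    }
    return ['status' => 200, 'body' => $thread['subject']];
}

// SEO-style URL, built only after the permission check so the slug
// (which embeds the subject) is never sent to a viewer who cannot read it.
function seo_url(array $threads, int $tid, bool $privileged): ?string
{
    if (lookup_uniform($threads, $tid, $privileged)['status'] !== 200) {
        return null; // no redirect, no slug
    }
    $slug = preg_replace('/[^A-Za-z0-9]+/', '-', $threads[$tid]['subject']);
    return "Thread-{$slug}--{$tid}";
}

// Unprivileged viewer probing an existing private, an existing public and a missing tid.
foreach ([1, 2, 3] as $tid) {
    $leaky   = lookup_leaky($threads, $tid, false);
    $uniform = lookup_uniform($threads, $tid, false);
    printf("tid=%d leaky=%d uniform=%d url=%s\n", $tid,
        $leaky['status'], $uniform['status'],
        seo_url($threads, $tid, false) ?? '(none)');
}
```

With the uniform lookup, tid 1 and tid 3 produce the same response for an unprivileged viewer, and no subject-bearing URL is generated for tid 1.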