July 1, 2026
One Endpoint. Way Too Many Secrets
“I will not be the last Lannister.” — Tyrion Lannister

By 0xTyrion404
A Letter Nobody Is Supposed to Read
Every kingdom has its public face — the throne room, the banners, the smiling portraits sold to the crowd.
And every kingdom has a back room. A ledger nobody outside the family is meant to open.
Tyrion never cared about the throne room. He cared about the back room. That's where the truth lived — who owed what, who paid whom, who was being watched and who was watching back.
I learned that from him before I learned it from any methodology document. So when I sat down in front of [REDACTED].com — a platform where people pay real money for a few seconds of someone else's attention — I didn't look at the storefront.
I looked for the ledger.
Phase I — A Profile Page That Talked Too Much
"A lord's daughter does not get to choose." Neither, it turns out, did this API get to choose what it revealed.
The public profile endpoint was supposed to do one polite thing: show a talent's name, photo, price, a few stars. The kind of page a stranger is allowed to see.
GET /api/user/show/[REDACTED-USER]
No session. No cookie. No token. Just a name in the URL, asked politely.
Expected: 401 Unauthorized
Actual: 200 OK, 29,724 bytes
Inside that response was not a profile. It was a confession.
Six recent orders, fully embedded — who paid, who received, how much, through which payment method. Purchaser names sitting next to MongoDB user IDs, like name tags at a party nobody invited me to.
import json

d = json.loads(body)  # body: the raw JSON returned by the unauthenticated profile request
for o in d.get('orders', []):
    print(o['purchaserName'], '→', o['customerName'], '|', '$%.2f' % (o['price'] / 100), '|', o['paymentMethod'])
Joe → Cornelius | $207.15 | stripePaymentIntent
Filip → Tabitha | $104.51 | stripePaymentIntent
Gianni → Judith | $104.99 | appleIAP
Real names. Real money. Real strangers, exposed to anyone who could type a username into a URL.
Tyrion would have smiled. Not because it was clever — because it wasn't. Someone had simply forgotten that a public door should not open onto a private room.
Phase II — The Naked Truth
"Everything's better with some wine in the belly." Everything's worse when your unwatermarked videos are too.
Buried in those order objects were direct links — nakedMediaUrl, nakedThumbnailUrl, hlsMediaUrl. Not the watermarked clips customers were shown. The originals. The ones the platform's entire business model depends on protecting.
curl -I "[REDACTED-CDN]/video/[REDACTED]-processed.mp4"
Expected: 403 Forbidden
Actual: 200 OK
No watermark. No authentication. No friction at all between a stranger and a file the platform sells for a living.
A small man can carry a very large amount of someone else's intellectual property, it turns out, with nothing but a curl command.
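The usual fix for a CDN object that answers anyone is to stop serving bare paths and issue short-lived URLs signed by the application after it has checked the session and the purchase. The block below is an added example of that pattern in Python, not the platform's code and not the fix the program shipped; the signing key, host, paths and order id are all constructed, and the verify function stands in for the check an edge server would run before returning the file.

```python
# Added example (not the platform's code): HMAC-signed, expiring media URLs as one
# standard mitigation for unauthenticated CDN objects. Key, host and paths are constructed.
import hashlib
import hmac
import time
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlparse

SIGNING_KEY = b"constructed-demo-key-do-not-reuse"  # in production: a secret shared only with the edge
CDN_HOST = "https://cdn.example.invalid"            # constructed host


def _mac(path: str, order_id: str, expires: int) -> str:
    """HMAC over path, order and expiry, so none of the three can be swapped independently."""
    msg = f"{path}\n{order_id}\n{expires}".encode()
    return hmac.new(SIGNING_KEY, msg, hashlib.sha256).hexdigest()


def sign_media_url(path: str, order_id: str, ttl_seconds: int = 300, now: Optional[int] = None) -> str:
    """Issue a URL that works only for a limited time and only for this order.
    Called server-side, after the caller's session and purchase have been verified."""
    expires = int(now if now is not None else time.time()) + ttl_seconds
    query = urlencode({"order": order_id, "exp": expires, "sig": _mac(path, order_id, expires)})
    return f"{CDN_HOST}{path}?{query}"


def verify_media_url(url: str, now: Optional[int] = None) -> bool:
    """Edge-side check: reject missing, expired or forged parameters.
    compare_digest keeps the comparison constant-time."""
    parsed = urlparse(url)
    q = parse_qs(parsed.query)
    try:
        order_id = q["order"][0]
        expires = int(q["exp"][0])
        sig = q["sig"][0]
    except (KeyError, ValueError):
        return False  # a bare "-processed.mp4" path with no signature lands here
    current = int(now if now is not None else time.time())
    if current >= expires:
        return False
    return hmac.compare_digest(sig, _mac(parsed.path, order_id, expires))


if __name__ == "__main__":
    url = sign_media_url("/video/abc-processed.mp4", "order-1")
    print(url)
    print("valid now:", verify_media_url(url))
    print("bare path:", verify_media_url(f"{CDN_HOST}/video/abc-processed.mp4"))
```

The unsigned URL in the write-up corresponds to the `bare path` case, which this check refuses; the same check also refuses a URL whose order id has been changed or whose expiry has passed. Watermarking is a separate control and is not addressed here.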
Phase III — The Maester's Private Notes
"Knowledge is a weapon. Arm yourself well." The same response held the platform's own private notes about itself — the kind of thing usually locked in an internal dashboard.
=== RATE LIMITING STATE ===
Max requests: 5
Remaining: 5
=== INTERNAL PRICING ===
iOS price (internal): 13571
Expedited iOS price: 15299
=== FEATURE FLAGS ===
twentyFourHourExpiration: False
backgroundUploadingEnabled: True
...
Internal pricing tiers never shown in the UI. Feature flags meant to roll out quietly. Throttling state meant to be invisible. All handed over in the same unauthenticated breath as someone's payment history.
It wasn't one leak. It was the whole back room, door wide open, lights on.
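The root cause in Phases I and III is the same: the public endpoint serializes the whole internal document instead of a view built for strangers. Below is an added Python example, not code from the platform or from the write-up, of the two controls that prevent this class of leak: an allowlist serializer that copies only the fields the profile page was meant to show, and an audit that walks a response and reports where any sensitive key appears. The document, field names and values are constructed to mirror what the write-up describes; the MongoDB-style id and the CDN host are placeholders.

```python
# Added example (not the platform's code): allowlist serialization for the public
# profile view, plus an audit that locates leaked fields in any JSON-like response.
from typing import Any

# Constructed stand-in for the full internal user document the endpoint returned.
INTERNAL_USER_DOC = {
    "_id": "5f0c0ffee0ddba11ad000001",           # constructed MongoDB-style id
    "name": "Example Talent",
    "photo": "https://cdn.example.invalid/photo.jpg",
    "price": 9999,
    "rating": 4.8,
    "orders": [
        {
            "purchaserName": "Joe", "customerName": "Cornelius",
            "price": 20715, "paymentMethod": "stripePaymentIntent",
            "nakedMediaUrl": "https://cdn.example.invalid/video/raw.mp4",
            "nakedThumbnailUrl": "https://cdn.example.invalid/video/raw.jpg",
            "hlsMediaUrl": "https://cdn.example.invalid/video/raw.m3u8",
        },
    ],
    "rateLimit": {"maxRequests": 5, "remaining": 5},
    "internalPricing": {"iosPrice": 13571, "expeditedIosPrice": 15299},
    "featureFlags": {"twentyFourHourExpiration": False, "backgroundUploadingEnabled": True},
}

# The only fields an anonymous visitor should see. Anything not listed is dropped.
PUBLIC_FIELDS = ("name", "photo", "price", "rating")

# Key names that must never appear anywhere in an unauthenticated response.
SENSITIVE_KEYS = {
    "orders", "purchaserName", "customerName", "paymentMethod",
    "nakedMediaUrl", "nakedThumbnailUrl", "hlsMediaUrl",
    "rateLimit", "internalPricing", "featureFlags", "_id",
}


def public_profile(doc: dict) -> dict:
    """Build the anonymous view by copying allowlisted keys only.

    An allowlist fails closed: a new internal field added to the document
    stays hidden until someone deliberately exposes it. A denylist that strips
    known-bad fields (the first fix described in the epilogue) fails open.
    """
    return {k: doc[k] for k in PUBLIC_FIELDS if k in doc}


def find_sensitive_keys(obj: Any, path: str = "$") -> list:
    """Recursively walk dicts and lists and return JSONPath-style locations of
    every key in SENSITIVE_KEYS. Meant to run as a regression test against the
    serialized body of each unauthenticated endpoint, including nested objects."""
    hits = []
    if isinstance(obj, dict):
        for k, v in obj.items():
            here = f"{path}.{k}"
            if k in SENSITIVE_KEYS:
                hits.append(here)
            hits.extend(find_sensitive_keys(v, here))
    elif isinstance(obj, list):
        for i, v in enumerate(obj):
            hits.extend(find_sensitive_keys(v, f"{path}[{i}]"))
    return hits


if __name__ == "__main__":
    print("leaks in raw document:", find_sensitive_keys(INTERNAL_USER_DOC))
    print("leaks in public view :", find_sensitive_keys(public_profile(INTERNAL_USER_DOC)))
```

Run against the raw document, the audit lists the order array, the purchaser and customer names, the three unwatermarked media URLs and the internal rate-limit, pricing and flag objects; run against the allowlisted view it returns nothing. Wiring the audit into a test that fetches each public endpoint without credentials catches the regression that a field-trimming fix leaves behind.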
The Other Door Nobody Mentioned
While I was reading, I noticed the same forgetfulness on a neighboring endpoint — a fan-club content preview that quietly handed out paid, subscriber-only messages and the user IDs of everyone who'd paid to be inside that private circle.
Those IDs led right back to the same broken profile endpoint, and the broken endpoint led right back to real names.
Two doors, one missing lock between them. Pull either thread and the whole tapestry of "who paid to be anonymous" comes apart.
Epilogue — The Quiet Fix
I reported it. The first fix trimmed a few fields and called it done. It wasn't — the naked media links, the internal configuration, the order objects, they all stayed. I said so plainly in the retest, the way Tyrion would correct a maester's math without raising his voice.
The second response was honest: some of it was tightened, some of it the program decided was intentional. We didn't fully agree on where the line should sit — but that's a conversation for the report, not for this page.
What stays true is the lesson underneath it. Nobody broke down a gate here. Nobody picked a lock. I just read what the front door was already saying, out loud, to anyone who asked.
"I drink and I know things."
I didn't even need the wine this time.
— tyrion404, Bug Bounty Hunter · Reported via HackerOne