Leaky JSON

While trying to debug why nothing is showing up on our calendar, I started looking through the JSON that gets sent to the browser on every page, and noticed that it sends a lot of extraneous, possibly dangerous information to the browser on every page load. For example, when loading the calendar, it sends a list of every adventure that it's possible for cub scouts to earn, all the merit badges for BSA, and the prices of the badges. This is kind of annoying when I'm going to be accessing this page over mobile, where bandwidth might actually be expensive, and it's ridiculous to send them when you're loading the calendar page; that's not information that you need to see.

But worse, it sends the names and home addresses of all the leaders of your unit even when that’s not what’s being shown on the screen. In fact, I don’t think there’s any screen in Internet Advancement where I can see a list of all the leaders in our Pack. Why is that kind of information broadcast to the browser on literally every page load? It seems not only incredibly inefficient, but also probably a major security vulnerability.

I don’t want to come off as a complainer here, but with a background in web development and security, this is rather disturbing to come across.

Adam Ness

2 Likes
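The failure mode described in the post above, a page payload that carries every record and every field regardless of the view, is easiest to see next to its fix. The following is an added example and is not code from this thread or from Internet Advancement; the leader records, event records, view names and the per-view field allowlist are constructed for illustration. It contrasts a "dump everything" serializer with one that projects each collection through a server-side allowlist, and includes a small check that walks a JSON-like payload and reports any PII keys it finds, which is a useful assertion to keep in an API test suite.

```python
"""Added example (not code from the forum thread or from Scoutbook /
Internet Advancement): a view-scoped serializer versus a leaky one, plus a
payload check for PII keys. All data below is constructed sample data."""
import json

# Constructed sample records (not real people or events).
LEADERS = [
    {"id": 1, "name": "Pat Example", "role": "Cubmaster",
     "home_address": "123 Sample St", "dob": "1980-01-01", "phone": "555-0100"},
    {"id": 2, "name": "Sam Sample", "role": "Den Leader",
     "home_address": "9 Placeholder Ave", "dob": "1975-06-15", "phone": "555-0101"},
]
EVENTS = [{"id": 10, "title": "Pack meeting", "date": "2024-03-05", "leader_id": 1}]

# Hypothetical per-view allowlist: which collections a view may receive and
# which fields of each. It lives on the server, so the browser never has a
# say in what it gets.
VIEW_FIELDS = {
    "calendar": {"events": {"id", "title", "date"}},           # no leader data at all
    "roster": {"leaders": {"id", "name", "role"}},
    "edit_member": {"leaders": {"id", "name", "role", "phone", "home_address"}},
}

# Keys whose presence in a payload should be deliberate, never accidental.
PII_KEYS = {"home_address", "dob", "phone"}


def leaky_payload(view):
    """The pattern in the thread: every view gets every record, every field."""
    return {"view": view, "events": EVENTS, "leaders": LEADERS}


def _project(records, allowed):
    """Keep only allowlisted keys of each record, preserving record order."""
    return [{k: v for k, v in r.items() if k in allowed} for r in records]


def scoped_payload(view):
    """Emit only the collections and fields the view's allowlist names."""
    spec = VIEW_FIELDS[view]          # unknown view -> KeyError, fail closed
    out = {"view": view}
    if "events" in spec:
        out["events"] = _project(EVENTS, spec["events"])
    if "leaders" in spec:
        out["leaders"] = _project(LEADERS, spec["leaders"])
    return out


def find_pii(payload, path=""):
    """Return dotted paths of PII keys found anywhere in a JSON-like payload."""
    hits = []
    if isinstance(payload, dict):
        for k, v in payload.items():
            p = f"{path}.{k}" if path else k
            if k in PII_KEYS:
                hits.append(p)
            hits.extend(find_pii(v, p))
    elif isinstance(payload, list):
        for i, v in enumerate(payload):
            hits.extend(find_pii(v, f"{path}[{i}]"))
    return hits


def payload_size(payload):
    """Bytes on the wire for the JSON encoding (the mobile-bandwidth point)."""
    return len(json.dumps(payload).encode())


if __name__ == "__main__":
    for view in VIEW_FIELDS:
        leaky, scoped = leaky_payload(view), scoped_payload(view)
        print(f"{view:12s} leaky={payload_size(leaky):4d}B pii={find_pii(leaky)}")
        print(f"{'':12s} scoped={payload_size(scoped):3d}B pii={find_pii(scoped)}")
```

The calendar payload from `scoped_payload` contains no leader records at all, and `find_pii` returns an empty list for it; the same check against `leaky_payload` reports a home address, date of birth and phone number for every leader. The edit-member view still exposes the address because its allowlist says so, which is the point: the check makes each exposure an explicit decision rather than a side effect of serializing whole objects.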

@AdamNess - internet advancement would have the full unit roster plus obviously advancement items. It would also have recharter. So when you log into advancements.scouting.org the unit that uses ONLY that site will have access to what it needs on the unit side. Not all units use scoutbook.scouting.org

I’m not quite clear on what you’re saying?
Recharter is done through the council website for us, not through Internet Advancement. That might change in the future, but it shouldn’t be fully loading every possible piece of information on every view just because some day years from now it might need it.

And advancements.scouting.org is pre-loading all that data, even though I’m only loading a view (calendar) that doesn’t use that data. It also reloads all this data when I go to the Roster view, and reloads it all again when I go to the individual member view, and reloads it one more time when I click to the edit member view.

1 Like

@AdamNess - well recharter is done via advancements.scouting.org for us and many other councils so it refreshes that data.

1 Like

I have passed this along to the developers to investigate. Thanks for the info!

1 Like

I have a similar report as it exposes the birthdays and home address info for permission slips: Privilege Escalation to Scout Birthdate and Home Address