The safety of replit. Is replit really as safe as people think?
Before I start this, I just wanted to say, this isn't mean to scare you into not using repl.it and I am just staying some security things they need to fix. I'll probably get banned or get a warning from this post but it is worth it.
This file cannot be displayed: https://repl.it/logout
There are a lot of bugs on repl talk that people barely notice or thing about. The first thing is images. Everyone knows that you can easily link images however you want on a post on repl talk. But have you ever thought of not linking an image but something else instead. This is my first example. By visiting this post I just logged you out of your replit account. You should be able to easily guess how this works. So basically I attached an invalid image up above. Repl.it doesn't verify whether that is a real image or not and just tells your browser to request it. Your browser sends a request to
https://repl.it/logout and it logs out out. (Feel free to log back in lol)
The second thing I want to show you is how I can easily get your IP address. Now before I do this I just wanted to say that I am not logging it in anyway and all it is doing is displaying a image (the repl that is doing it is below this post and is public). The image below shows your IP address (IPv6 or IPv4).
This file cannot be displayed: https://ip.bots.wtf
It is very easy how I bypass the repl proxy things. I used CloudFare nameservers and CloudFare sends me a header telling me what IP connected to my website and then I used an text to image api to display the image.
If I can easily do this, why cant other people do it? In fact, other people may have already done it and someone else might already have your IP.