PRO-only listing data exposed to non-PRO users via Network tab (information disclosure)

[mitgajera]

Description

• PRO-restricted Earn listings expose sensitive listing data to non-PRO users through browser DevTools (Network tab), even though the UI correctly blocks access.
• While the frontend shows “Not Eligible – PRO members only”, the backend API still returns full listing payloads, allowing non-PRO users to inspect restricted information.
• This is an information disclosure issue and breaks expected access control guarantees.

Observed Behavior

The API response includes PRO-only data, such as:

• Full listing description
• Application requirements
• Submission questions / eligibility fields
• Internal metadata (IDs, deadlines, ordering, etc.)

Expected Behavior

For non-PRO users, the API should return a sanitized response excluding:

• Description
• Submission details
• Eligibility questions
• Internal metadata

Access control should be enforced server-side, not just via frontend gating.

[brighton-ifaya]

Full listing description
Application requirements

This is a lie. I've manually gone through all files loaded when you load a page, there's absolutely no listing description hence you can't tell application requirements either.

Submission questions / eligibility fields

How is this a data leak?

Internal metadata (IDs, deadlines, ordering, etc.)

I think you would have to showcase how this is a data leak too.

A good example bounty you can use to illustrate a leak is this bounty below that has both Pro and Non-Pro same bounty is.
Pro: https://earn.superteam.fun/listing/develop-analytics-platform-for-xandeum-pnodes
Non-Pro: https://earn.superteam.fun/listing/build-analytics-platform-for-xandeum-pnodes

[mitgajera]

@brighton-ifaya
check it from browser dev tool.

[brighton-ifaya]

Well I'll be damned, you're right. That is indeed a data leak. Good catch!! @mitgajera

[mitgajera]

@a20hek

[dharminnagar]

we can check if the user is pro before hand and send a authorization key along with the api, which doesn't send the description as it is. Instead it will send a dummy text(oh, it can also be some kind of easter egg lol)
But yea, do lmk i'll implement it