Companies reveal mountains of sensitive commercial data in their APIs


Many companies use private APIs to manage their A/B tests of experimental products and approaches; by grabbing the calls that mobile apps make to these APIs, Jon Luca was able to figure out all kinds of sensitive information about companies' future plans, from the way Lyft steers customers towards credit cards that are cheaper to process and its use of "Tactical Price Adjustments" to fight customers who price-compare with Uber; to Airbnb's future China plans; to Pintrest's gendered content differentiation and so on.


There's lots more: Amazon's upcoming augmented reality offerings; to Tinder's incomplete erasure of a now-deprecated feature that let you view a prospect's Instagram.

Luca has promised a followup in the months to come.


Most companies aren’t obfuscating or minimizing their experiment names, which leads to information leakage. This could prove dangerous in the future – if a company is slowly rolling out a new feature, it could give their competitors an advantage.

This is a common occurrence in the industry – nearly every company is siloing off their growth engineering department, which leads to siloed off experiment routes. This in turn makes it almost trivial to figure out what they’re working on, and make educated guesses at the 6 month roadmap of most tech services.

Some future companies I’d like to try and check out are Snapchat, Ebay, all the Google products and services, and LinkedIn.

There’s a lot more apps and services that this methodology works with. Feel free to reach out if you’re interested in finding any given companies experimentation campaigns.

Experiments, growth engineering, and exposing company secrets through your API: Part 1 [Jon Luca/jonlu.ca]

(via Four Short Links)