User blog comment:Sarah Manley/Followed pages - a new way to stay up-to-date on your favorite wiki pages/@comment-4133-20100506010111

I just found a big hole in the "privacy" settings, demonstrable as follows:

Step 1: Verify the user in question prefers their once-private information to stay private (as most reasonable people would expect). For example, we will use my bot account on WoWWiki; see http://www.wowwiki.com/Special:Following/PCJ. As you can see, that account is set to have a private follow list.

Step 2: Retrieve the user's Wikia user ID. This is probably obtainable in several ways (it shows up for the user themselves in their Preferences); one way I came up with is an API call, see http://www.wowwiki.com/api.php?action=query&list=wkedituser. The ID in this case is 819614.

Step 3: Go to http://www.wowwiki.com/index.php?action=ajax&rs=FollowHelper::showAll&head=wikiafollowedpages-special-heading-article&user_id= which in this case is http://www.wowwiki.com/index.php?action=ajax&rs=FollowHelper::showAll&head=wikiafollowedpages-special-heading-article&user_id=819614

As you can see, it downloads a list of articles that are being watched, in this case in the article namespaces, and for my bot, just the Portal:Main I followed on it for the purposes of this example.
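
The behaviour in the steps above, modelled in Python as an added example (not part of the original comment and not Wikia's code): the page view honours the privacy preference while the AJAX handler trusts `user_id`, and the fix is one authorization function shared by both entry points. All function names and the in-memory `FOLLOWS` table are hypothetical; only the user ID and page name come from the comment.

```python
# Constructed model; names and data are hypothetical, not Wikia's code.
# Each user has a follow list and a privacy preference.
FOLLOWS = {
    819614: {"private": True, "pages": ["Portal:Main"]},  # ID from the comment
    1001: {"private": False, "pages": ["Example page"]},  # constructed user
}


class Forbidden(Exception):
    """Raised when the requester may not view the target's follow list."""


def can_view_follows(requester_id, target_id):
    """Single policy function that every entry point must call."""
    target = FOLLOWS.get(target_id)
    if target is None:
        return False
    if not target["private"]:
        return True
    # Assumption: a private list is visible only to its owner.
    return requester_id is not None and requester_id == target_id


def special_page(requester_id, target_id):
    """HTML page view: enforces the preference, as seen in Step 1."""
    if not can_view_follows(requester_id, target_id):
        raise Forbidden("follow list is private")
    return FOLLOWS[target_id]["pages"]


def ajax_show_all_vulnerable(requester_id, user_id):
    """AJAX path as described in Step 3: uses user_id with no policy check."""
    return FOLLOWS[user_id]["pages"]


def ajax_show_all_fixed(requester_id, user_id):
    """AJAX path with the same check; requester_id comes from the session."""
    if not can_view_follows(requester_id, user_id):
        raise Forbidden("follow list is private")
    return FOLLOWS[user_id]["pages"]


def is_blocked(handler, requester_id, target_id):
    """True when the handler refuses the request."""
    try:
        handler(requester_id, target_id)
        return False
    except Forbidden:
        return True
```

A regression test for this class of bug requests the same resource through every route (page, AJAX, API) as an anonymous user and expects the same refusal from each.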