Expected Findings
- Custom header bypass unlocks admin data.
- Versioned mobile endpoints expose internal notes.
Mobile API
Mobile Backend
The docs tell the frontend to trust a custom mobile header, and the preview can hit an admin route by replaying it directly from the browser.
Primary Flows
- User endpoint Public mobile bootstrap
- Admin endpoint Bypassed via debug header
Signals
Header Trust
if req.header["X-Mobile-Debug"] == "let-me-in" { bypassAuth() }