Tell HN: Medvi (telehealth) hardcoded 999 patient emails in public JavaScript.
Medvi is a telehealth pharmacy that has received significant media attention recently. While browsing their site with DevTools open, I noticed that their public JavaScript bundle contains a hardcoded list of 999 patient email addresses — along with each patient's enrollment date, active status, and whether a care manager has been assigned. This data is downloaded by every visitor's browser before any login occurs.

The list isn't a forgotten fixture. It's actively used: the app imports it, filters for active patients, and checks whether the logged-in user's email appears in the list to decide which UI features to display. Client-side feature flagging with real patient data baked into the bundle.

The same bundle also exposes a list of Season Health (Medvi's parent company) employee emails used to bypass checkout flows, and a separate list of Open Loop Health (their clinical provider) staff emails used to bypass intake form logic — both labeled as such in the source.

This is another great demonstration that relying only on large language models for product development is premature.
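One way a team can catch this class of leak before a bundle ships, as an added example that is not code from the post or from Medvi, Season Health or Open Loop Health: a build-time check that scans the compiled bundle for email-address literals and fails when any non-allowlisted address is present. The allowlist, the sample bundle and every address and domain in it are constructed for illustration.

```javascript
// Added example (not the vendor's code): scan a JavaScript bundle for e-mail
// address literals so a CI job can fail the build before the bundle is public.

const EMAIL_RE = /[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/g;

// Addresses that are legitimately public (e.g. a support mailbox) can be
// allowlisted; every other address literal is treated as a finding.
const ALLOWED_EMAILS = new Set(['support@example.test']);

// Returns { emails: Map<email, firstLine>, byDomain: {domain: count} } for
// every non-allowlisted address literal found in the bundle source.
function scanBundleForEmails(source, allowed = ALLOWED_EMAILS) {
  const found = new Map();
  source.split('\n').forEach((line, i) => {
    for (const m of line.match(EMAIL_RE) || []) {
      const email = m.toLowerCase();
      if (!allowed.has(email) && !found.has(email)) found.set(email, i + 1);
    }
  });
  // Grouping by domain helps triage: many distinct domains usually means
  // customer data, a single corporate domain usually means a staff list.
  const byDomain = {};
  for (const email of found.keys()) {
    const domain = email.slice(email.indexOf('@') + 1);
    byDomain[domain] = (byDomain[domain] || 0) + 1;
  }
  return { emails: found, byDomain };
}

// Policy: any non-allowlisted e-mail literal in a public bundle fails the build.
function bundlePassesCheck(source) {
  return scanBundleForEmails(source).emails.size === 0;
}

// Constructed sample mimicking the pattern described in the post: a patient
// list used for client-side feature flags plus a staff bypass list.
const SAMPLE_BUNDLE = [
  'const patients=[{email:"alice@example.test",active:true,careManager:false},',
  ' {email:"bob@mail.example.test",active:false,careManager:true}];',
  'const staffBypass=["ops@corp.example.test"];',
  'const contact="support@example.test";',
  'export const isFlagged=e=>patients.filter(p=>p.active).some(p=>p.email===e);',
].join('\n');

if (typeof require !== 'undefined' && require.main === module) {
  const { emails, byDomain } = scanBundleForEmails(SAMPLE_BUNDLE);
  for (const [email, line] of emails) console.log(`line ${line}: ${email}`);
  console.log('domains:', byDomain, 'pass:', bundlePassesCheck(SAMPLE_BUNDLE));
}
```

The check only detects the symptom; the fix the post implies is to keep per-user eligibility and staff bypass lists server-side and return only the flags the authenticated user needs.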