Hi team,
I wanted to raise a security concern I noticed with how Sub Accounts & Card links are currently structured on the platform.
Each Sub Account and loyalty card is assigned a sequential numeric ID, for example:
Because the ID is a plain incrementing number, it would be straightforward for anyone to write a script that loops through IDs and visits every card on the platform. Since the card pages are publicly accessible (they need to be, for customers to enroll), this means a bad actor could potentially harvest business names, logos, and other details from every card on the platform at scale.
🟢 What I'd like to request:
  1. Replace sequential IDs with random tokens: /getpass/a7x9kq2m4p instead of /getpass/1234567. Same thing with Sub Accounts. This makes it practically impossible to enumerate cards.
  2. Rate-limit the card enrollment endpoint: block or challenge requests that hit too many card URLs in a short time.
  3. Add bot protection to the enrollment form: something like Cloudflare Turnstile or a CAPTCHA, to prevent automated fake signups being submitted at scale across cards.
  4. Avoid exposing card IDs in CDN asset paths: currently the logo URL also contains the numeric ID (e.g. /templates/1234567/logo.png), which creates a second enumeration surface.
This is a relatively simple fix on the backend but it closes a meaningful exposure for all businesses using the platform.
Thanks
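
Requests 1 and 2 above, sketched as an added example that is not part of the original post and not the platform's code: a CSPRNG-backed card token, and a limiter that counts distinct card URLs per client so that reloading one card is fine but walking across many cards is refused. The names `new_card_token` and `EnumerationLimiter`, the thresholds, and the sample addresses and tokens are assumptions made for illustration.

```python
import secrets
import string
from collections import defaultdict, deque

# Lowercase letters and digits, the same style as the token shown in the post.
ALPHABET = string.ascii_lowercase + string.digits


def new_card_token(length=16):
    """Public card identifier from a CSPRNG: 36**16 (about 2**82) possible values."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


class EnumerationLimiter:
    """Refuses a client that requests too many distinct card URLs in a time window.

    Counting distinct tokens rather than raw requests lets a customer reload
    one card page freely while a client walking across many cards is stopped.
    """

    def __init__(self, max_distinct=5, window_seconds=60):
        self.max_distinct = max_distinct  # hypothetical threshold
        self.window = window_seconds      # hypothetical window
        self.hits = defaultdict(deque)    # client -> deque of (timestamp, token)

    def allow(self, client, token, now):
        q = self.hits[client]
        while q and now - q[0][0] >= self.window:  # drop entries older than the window
            q.popleft()
        q.append((now, token))
        return len({t for _, t in q}) <= self.max_distinct


def run_constructed_sample():
    """Constructed traffic: one customer reloading a card, one client walking cards."""
    lim = EnumerationLimiter()
    customer = [lim.allow("198.51.100.7", "a7x9kq2m4p", t) for t in range(10)]
    walker = [lim.allow("203.0.113.9", new_card_token(), t) for t in range(8)]
    later = lim.allow("203.0.113.9", new_card_token(), 200)  # window has passed
    return customer, walker, later


if __name__ == "__main__":
    print(run_constructed_sample())
```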