First off, this site is EPIC and super useful and doesn't have confidential data, so generally it's a low-impact security risk. However (as I started to outline in Discord), it seems the site doesn't use any session cookies at all for backend requests and just sends the username as the session ID. Thus I can arbitrarily create an account for any Yale (and maybe non-Yale, haven't looked) student, make bets on behalf of them, change their username, basically do anything they can do.

The solution to this would likely be to just use a session and wrap API endpoints to require a valid session, and probably have a middleware that uses the current session to get the user's netID so it can't be manually inputted. I've put some links to relevant CourseTable files where we do this. I LOVE YALE IMS

https://github.com/coursetable/coursetable/blob/41d68c21383b123827fceef8969e440a93d454c2/api/src/auth/auth.handlers.ts
https://github.com/coursetable/coursetable/blob/41d68c21383b123827fceef8969e440a93d454c2/api/src/server.ts#L8
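To make the proposed fix concrete, here is an added TypeScript example (written for this issue, not code from this site or from CourseTable) of the pattern described above: a server-side session store keyed by an unguessable cookie value, a `requireSession` wrapper that only runs a handler when that cookie maps to a session, and a bet handler that takes the netID from the session instead of from the request body. The vulnerable handler is shown beside it so the difference is visible. The `ApiRequest`/`ApiResponse` shapes, the `sid` cookie name, and the in-memory `Map` standing in for a database are all assumptions made for the example so it runs without Express installed.

```typescript
import { randomBytes } from "node:crypto";

// Request/response shapes used only for this example (assumption: a loose
// stand-in for Express's req/res so the code runs without any framework).
export interface ApiRequest {
  headers: { cookie?: string };
  body: Record<string, unknown>;
}
export interface ApiResponse {
  status: number;
  body: unknown;
}

// Server-side session store: opaque random session id -> netID.
// Only the server mints entries, so the netID behind a cookie can be trusted.
const sessions = new Map<string, string>();

// Called after a successful login (e.g. CAS); returns the cookie value to set.
export function createSession(netId: string): string {
  const sid = randomBytes(32).toString("hex"); // 256-bit unguessable id
  sessions.set(sid, netId);
  return sid;
}

function parseCookies(header: string | undefined): Map<string, string> {
  const out = new Map<string, string>();
  if (!header) return out;
  for (const part of header.split(";")) {
    const eq = part.indexOf("=");
    if (eq < 0) continue;
    out.set(part.slice(0, eq).trim(), part.slice(eq + 1).trim());
  }
  return out;
}

// Resolve the caller's netID from the session cookie, never from the body.
export function netIdFromSession(req: ApiRequest): string | null {
  const sid = parseCookies(req.headers.cookie).get("sid");
  if (!sid) return null;
  return sessions.get(sid) ?? null;
}

// Middleware-style wrapper: the handler only runs with a valid session and
// receives the netID the server looked up, not anything the client sent.
export type AuthedHandler = (req: ApiRequest, netId: string) => ApiResponse;
export function requireSession(handler: AuthedHandler): (req: ApiRequest) => ApiResponse {
  return (req) => {
    const netId = netIdFromSession(req);
    if (netId === null) return { status: 401, body: { error: "login required" } };
    return handler(req, netId);
  };
}

// Bets keyed by netID; a Map stands in for the database (assumption).
export const bets = new Map<string, string[]>();

// The pattern the issue describes: the username in the request IS the identity,
// so whoever sends the request chooses whose bets get recorded.
export function placeBetVulnerable(req: ApiRequest): ApiResponse {
  const user = String(req.body.username ?? "");
  if (!user) return { status: 400, body: { error: "username required" } };
  bets.set(user, [...(bets.get(user) ?? []), String(req.body.bet)]);
  return { status: 200, body: { user } };
}

// Hardened version: identity comes from the session; req.body.username is ignored.
export const placeBet = requireSession((req, netId) => {
  bets.set(netId, [...(bets.get(netId) ?? []), String(req.body.bet)]);
  return { status: 200, body: { user: netId } };
});
```

With this wrapper in place, a request that carries a `username` field but no valid `sid` cookie gets a 401, and a request with a valid cookie records the bet under the session's netID regardless of what `username` says. The session id is the only thing the client holds, so the cookie should also be set `HttpOnly`, `Secure` and `SameSite` when the real server sends it.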