The relatively new Oink ratings app shut down earlier this week, but there's one last parting gift from Milk founder Kevin Rose as he heads to Google: Oink's export tool reportedly allows you to grab the data of anyone who used the service, provided you know their username. Upon getting the download link to grab your Oink data via email, you can just take the download URL and swap in another user's name. Writer Christina Cordova (who also works for news-aggregation app Pulse) appears to have pulled back the cover on this security flaw; she was able to successfully download Kevin Rose's data just by changing the URL, and we were able to verify this as well.
While this is certainly an oversight on the part of Oink, users posted this data publicly to the service for other users to see — and it's unlikely that anyone who didn't try Oink will be all that interested in checking this info out. Oink's Twitter account even acknowledged this issue when it was brought up, saying that "All of the data in the past was publicly available and it still is. Nothing changed from yesterday to today." Still, this isn't how you want to see a company handle personal data, regardless of how many users the service had.
Update: We just spoke to Oink and Milk founder Kevin Rose, who clarified Oink's position that user data has always been publicly available. As Rose told us, "any time you created an account, we automatically created a web-facing account" — every user had a public Oink.com profile that anyone could find, provided they knew the username. That same profile was in the app as well. Rose reiterated that this information, photos and all, was always publicly available through the web, not just in the app: "[since] the day we launched Oink, all data has always been public."
However, Rose and his team have recognized that some users didn't expect their information to be easily available for others to download, so the engineering team has added some random characters before and after usernames in the download link. Rose said that initially he was "freaked out" thinking that "private information was being linked," but his team quickly verified that it was only public-facing data being shared. We just verified that it isn't so easy to grab an Oink user's data any more — the links we used earlier to download Oink data (including Rose's own) no longer work. While it seems this data was always available, it's good to see Rose and his team quickly close a loophole that some users felt was a bit invasive.
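The two link designs side by side, as an added example that is not Oink's code: a download link built only from the username, and a hardened variant that goes further than the fix described above by replacing the username with a random, expiring token looked up on the server. The usernames, paths, and the `ExportLinks` class are assumptions constructed for illustration.

```python
import hashlib
import secrets
import time

# Constructed sample data: usernames and archive paths are made up.
EXPORTS = {"alice": "exports/alice.zip", "bob": "exports/bob.zip"}


def weak_link(username):
    """Link shape the article describes: the username is the only 'secret'."""
    return f"/export/{username}.zip"


def weak_resolve(path):
    """Serves whichever user's archive the URL names, with no ownership check."""
    name = path[len("/export/"):-len(".zip")]
    return EXPORTS.get(name)


class ExportLinks:
    """Hardened variant: the link is a random, expiring token tied to one user."""

    def __init__(self, ttl_seconds=3600, now=time.time):
        self.ttl = ttl_seconds
        self.now = now
        self.tokens = {}  # sha256(token) -> (username, expiry timestamp)

    @staticmethod
    def _digest(token):
        # Store only a hash so a leaked token table does not yield live links.
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, username):
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self.tokens[self._digest(token)] = (username, self.now() + self.ttl)
        return f"/export/{token}"

    def resolve(self, path):
        key = self._digest(path.rsplit("/", 1)[-1])
        entry = self.tokens.get(key)
        if entry is None:
            return None  # unknown or guessed token
        username, expiry = entry
        if self.now() > expiry:
            del self.tokens[key]  # expired links stop working
            return None
        return EXPORTS.get(username)
```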
@keithwhamond All of the data in the past was publicly available and it still is. Nothing changed from yesterday to today. — Oink (@oinkapp) March 14, 2012