It's bad that this is happening, but from a developer standpoint it is also very easy to overlook things like this because most APIs are not aware of who the data is for.
When an API always returns the `last_seen` field regardless of who is querying the data, it's very easy to make the mistake of presenting the data to someone who should not see it.
That's also one of the reasons I think most CRUD APIs use bad practice because they always return all data on a READ and may always store all data on a CREATE or UPDATE.
But.. a company like Facebook should know better. It seems they just don't care.
> But.. a company like Facebook should know better. It seems they just don't care.
I agree 100%. If it was a simple hobby project that somebody had hacked together, I'd agree that it might be easily overlooked. When you have thousands of people supposedly working on making privacy a priority etc: not so much.
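An added example, not code from either commenter or from any product named in the thread: a read path that takes the viewer as an input and filters fields with a default-deny policy, next to the "return everything" serializer the first comment criticizes. The `User` fields other than `last_seen`, the relationship levels, the policy table and the sample user are all assumptions made up for illustration.

```python
from dataclasses import dataclass, field

# Hypothetical policy: the relationship a viewer needs to read each field.
# A field that is not listed here is never serialized (default deny).
READ_POLICY = {"id": "anyone", "display_name": "anyone",
               "last_seen": "friend", "email": "self"}
RANK = {"anyone": 0, "friend": 1, "self": 2}

@dataclass
class User:
    id: int
    display_name: str
    last_seen: str
    email: str
    password_hash: str
    friends: set = field(default_factory=set)
    hide_last_seen: bool = False  # owner's own privacy setting

def relationship(viewer_id, owner):
    """Classify the viewer relative to the record's owner."""
    if viewer_id == owner.id:
        return "self"
    if viewer_id in owner.friends:
        return "friend"
    return "anyone"  # includes anonymous callers (viewer_id is None)

def serialize_for(viewer_id, owner):
    """Return only the fields this particular viewer may read."""
    level = RANK[relationship(viewer_id, owner)]
    out = {}
    for name, required in READ_POLICY.items():
        if RANK[required] > level:
            continue
        # The owner's setting hides last_seen from everyone but themselves.
        if name == "last_seen" and owner.hide_last_seen and level < RANK["self"]:
            continue
        out[name] = getattr(owner, name)
    return out

def naive_serialize(owner):
    """The criticized pattern: every stored field, whoever is asking."""
    return {k: v for k, v in vars(owner).items() if k != "friends"}

# Constructed sample record: user 2 is a friend, any other id is a stranger.
ALICE = User(1, "alice", "2024-01-01T12:00:00Z", "alice@example.test",
             "constructed-hash", friends={2})
```

Because the policy is an allow-list, a column added to `User` later stays out of every response until someone decides who may read it.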