A public follower list reveals a user's social graph to anyone who calls the API: who they follow exposes interests and associations, and who follows them can reveal community membership. Users may have legitimate reasons to keep this information private: they may follow accounts related to health conditions, political views, or personal situations they have not disclosed publicly. GDPR Art. 25's data minimization principle requires that social graph data not be exposed beyond what the user has authorized. OWASP A01:2021 (Broken Access Control) applies when the API returns this data without checking visibility settings.
Severity is low because the exposed data is relational metadata rather than directly sensitive PII, but social graph visibility can enable targeted harassment or out users in sensitive categories.
Add independent visibility flags to the users table and enforce them in every API route that returns follower or following lists. In src/app/api/users/[id]/followers/route.ts:
  export async function GET(req: Request, { params }: { params: { id: string } }) {
    const { id: userId } = params;
    const requesterId = getRequesterId(req); // resolved from the session; null when unauthenticated
    // Throws if the user does not exist; the framework turns that into an error response.
    const user = await db.user.findUniqueOrThrow({ where: { id: userId } });
    // Decide visibility before touching the follow table, so a private list is never fetched.
    // The owner always sees their own list; everyone else only when the flag is on.
    if (!user.followers_list_visible && requesterId !== userId) {
      return Response.json({ error: 'Follower list is private' }, { status: 403 });
    }
    const followers = await db.follow.findMany({ where: { followingId: userId } });
    return Response.json(followers);
  }
Schema:
  ALTER TABLE users
    ADD COLUMN followers_list_visible BOOLEAN NOT NULL DEFAULT true,
    ADD COLUMN following_list_visible BOOLEAN NOT NULL DEFAULT true;
ID: community-privacy-controls.account-control.follower-list-privacy
Severity: low
What to look for: Enumerate every relevant item. Check database schema for follower/following visibility settings. Verify each can be independently hidden. Look for API endpoints that return follower/following lists and confirm they check visibility before responding.
Pass criteria: At least 1 of the following conditions is met. Users can independently control whether followers and following lists are visible to others. API endpoints check visibility before returning lists. Default is visible, but toggles are available.
Fail criteria: Follower lists always public. No setting to hide. Lists returned via API without visibility check.
Skip (N/A) when: Never — social graph privacy is important.
Detail on fail: Example: "No setting to hide follower list. API /users/:id/followers always returns full list."
Remediation: Add follower list privacy:
  ALTER TABLE users ADD COLUMN followers_list_visible BOOLEAN DEFAULT true;
  ALTER TABLE users ADD COLUMN following_list_visible BOOLEAN DEFAULT true;
Check visibility in API:
  async function getFollowers(userId: string, requesterId: string | null) {
    // findUniqueOrThrow avoids dereferencing a null user when the id is unknown.
    const user = await db.user.findUniqueOrThrow({ where: { id: userId } });
    // Check the followers flag only; the following list has its own, independent flag.
    if (!user.followers_list_visible && requesterId !== userId) {
      throw new ForbiddenError('Follower list is private');
    }
    // Users who have a follow edge pointing at userId, i.e. userId's followers.
    return await db.user.findMany({
      where: { following: { some: { followingId: userId } } }
    });
  }
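The route handler above and the getFollowers remediation helper both hinge on the same decision: consult the one flag that belongs to the requested list, let the owner through unconditionally, and make that decision before any follow edges are read. The block below is an added example, not code from the project this check is applied to; it models that decision as a pure function over an in-memory store so both flags can be exercised for followers and following independently, including the anonymous-requester and unknown-user cases. The type and function names (UserRecord, FollowEdge, canViewList, listEndpoint) and the sample users are constructed for illustration; only the two column names come from the schema above.

```typescript
// Added example (not the project's code): the visibility check as a pure
// function over an in-memory store. Names below are hypothetical.

type ListKind = 'followers' | 'following';

interface UserRecord {
  id: string;
  followers_list_visible: boolean;  // same column names as the schema above
  following_list_visible: boolean;
}

interface FollowEdge {
  followerId: string;   // the account doing the following
  followingId: string;  // the account being followed
}

interface ListResponse {
  status: number;
  body: { error: string } | { userIds: string[] };
}

// The owner always may see their own lists; anyone else (including an
// anonymous caller, requesterId === null) only when that specific flag is on.
// Each flag is consulted on its own; the other list's flag never leaks in.
function canViewList(user: UserRecord, kind: ListKind, requesterId: string | null): boolean {
  if (requesterId === user.id) return true;
  return kind === 'followers' ? user.followers_list_visible : user.following_list_visible;
}

// Handler-shaped helper: the visibility decision is made before any edge is
// read, so a private list is never materialised just to be discarded.
function listEndpoint(
  users: UserRecord[],
  follows: FollowEdge[],
  userId: string,
  kind: ListKind,
  requesterId: string | null,
): ListResponse {
  const user = users.find((u) => u.id === userId);
  if (!user) return { status: 404, body: { error: 'Not found' } };
  if (!canViewList(user, kind, requesterId)) {
    // The 403 says only that the list is private, nothing about its size.
    return { status: 403, body: { error: `${kind} list is private` } };
  }
  const userIds = kind === 'followers'
    ? follows.filter((f) => f.followingId === userId).map((f) => f.followerId)
    : follows.filter((f) => f.followerId === userId).map((f) => f.followingId);
  return { status: 200, body: { userIds } };
}

// Constructed sample data, not taken from any real system.
const SAMPLE_USERS: UserRecord[] = [
  { id: 'alice', followers_list_visible: false, following_list_visible: true },
  { id: 'bob',   followers_list_visible: true,  following_list_visible: true },
  { id: 'carol', followers_list_visible: true,  following_list_visible: false },
];

const SAMPLE_FOLLOWS: FollowEdge[] = [
  { followerId: 'bob',   followingId: 'alice' },
  { followerId: 'carol', followingId: 'alice' },
  { followerId: 'alice', followingId: 'carol' },
];

// Walks the cases a reviewer would check against the pass criteria above and
// returns the HTTP status each one produced.
function demo(): Record<string, number> {
  return {
    ownerSeesOwnPrivateFollowers:    listEndpoint(SAMPLE_USERS, SAMPLE_FOLLOWS, 'alice', 'followers', 'alice').status,
    strangerDeniedPrivateFollowers:  listEndpoint(SAMPLE_USERS, SAMPLE_FOLLOWS, 'alice', 'followers', 'bob').status,
    anonymousDeniedPrivateFollowers: listEndpoint(SAMPLE_USERS, SAMPLE_FOLLOWS, 'alice', 'followers', null).status,
    strangerSeesPublicFollowing:     listEndpoint(SAMPLE_USERS, SAMPLE_FOLLOWS, 'alice', 'following', 'bob').status,
    unknownUser:                     listEndpoint(SAMPLE_USERS, SAMPLE_FOLLOWS, 'nobody', 'followers', 'bob').status,
  };
}
```

When reviewing a real route, the property worth confirming is the ordering inside listEndpoint: the flag is read from the user row and the 403 returned before the follow query runs, and the followers and following routes each read their own flag rather than a single shared "profile private" bit.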