This write up doesn’t make sense. Authenticated users are the ones without a Set-Cookie? Surely the ones with the cookie set are the authenticated ones?

There are dozens of contradictions, like first they say:

“this may have resulted in potentially authenticated data being served to unauthenticated users”

and then just a few sentences later say

“potentially unauthenticated data is served to authenticated users”

which is the opposite. Which one is it?

Am I missing something, or is this article poorly reviewed?

I'm curious if having unique URLs per user session would mitigate this.

I think that's already best practice in most API designs anyway?

Almost three years ago now, Railway poached one of our smartest engineers. They were smart to do so. I have a lot of respect for the Railway team and I’m impressed with their execution.

I think this is their first major security incident. Good that they are transparent about it.

If possible (@justjake) it would be helpful to understand if there was a QA/test process before the release was pushed. I presume there was, so the question is why this was not caught. Was this just an untested part of the codebase?

Data was leaked and they're calling it accidental CDN caching...