Unauthorized Disclosure of Private Emails via WakaTime Private Leaderboards

Medium
WakaTime
Reported by ctrl_cipher

Vulnerability Details

Technical details and impact analysis

Information Disclosure
## Summary:

WakaTime allows users to create private leaderboards and invite others to join. However, once a user accepts the invite and joins the leaderboard, their private email address becomes visible to the leaderboard creator and other members, even if the user has not chosen to make their email public. This bypasses the intended privacy controls and could be exploited to harvest the emails of unsuspecting WakaTime users.

## Steps to Reproduce:

1. Sign in to WakaTime.com and create a new private leaderboard. {F4630919} {F4630942}
2. Invite another WakaTime user to join the leaderboard using their WakaTime username or public profile link: {F4630944}
3. Have the invited user accept the invite and join the leaderboard.
4. Once they have joined, visit the leaderboard page and observe that it shows their email address even though they set it to private: {F4630953}

## Observed Result:

You can view the email address of the invited user in the leaderboard data or UI, even if their email was never made public in their settings.

## Impact

- Violation of user privacy expectations and configurations.
- Could be used for email harvesting or targeted phishing.
- Low barrier to exploitation: any user with an account can create a leaderboard and bait others into joining.
- GDPR/CCPA risk due to unconsented exposure of personally identifiable information (PII).

## Expected Behavior:

- Users' email addresses must remain hidden unless they have explicitly chosen to display them publicly.
- Leaderboards should only display public data, not private or sensitive identifiers such as email addresses.

## Recommendations:

- Ensure that private fields (such as email) are never included in leaderboard-related responses unless the user has opted in to show them.
- Apply a privacy filter before returning leaderboard member data to clients.
- Add a notice or confirmation prompt when joining a leaderboard that states what information will be visible to other members.
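The privacy filter recommended above, as an added illustration (not WakaTime's code): a leaky serializer that dumps the whole user record next to an allow-list serializer that only emits the email when the owner opted in. The `User`, `LeaderboardEntry` and `email_public` names, and the sample members, are constructed for the example.

```python
from dataclasses import dataclass

# Fields a leaderboard response may ever carry by default. Anything not listed
# here is dropped, so a newly added private column cannot leak by accident.
LEADERBOARD_PUBLIC_FIELDS = frozenset({"username", "display_name", "rank", "total_seconds"})


@dataclass
class User:
    username: str
    display_name: str
    email: str
    email_public: bool = False  # hypothetical opt-in flag ("make my email public")


@dataclass
class LeaderboardEntry:
    user: User
    rank: int
    total_seconds: int


def leaky_entry_to_dict(entry: LeaderboardEntry) -> dict:
    """The failure mode from the report: the full user record is merged into the row."""
    return {"rank": entry.rank, "total_seconds": entry.total_seconds, **vars(entry.user)}


def safe_entry_to_dict(entry: LeaderboardEntry) -> dict:
    """Privacy filter: keep only allow-listed fields plus what the owner opted in to share."""
    user = entry.user
    opted_in = {"email"} if user.email_public else set()
    allowed = LEADERBOARD_PUBLIC_FIELDS | opted_in
    full = {"rank": entry.rank, "total_seconds": entry.total_seconds, **vars(user)}
    return {key: value for key, value in full.items() if key in allowed}


def leaked_emails(entries, serializer) -> list:
    """Audit helper: usernames whose email a serializer exposes without consent."""
    return [e.user.username for e in entries
            if "email" in serializer(e) and not e.user.email_public]


# Constructed sample data: alice keeps her email private, bob opted in.
SAMPLE_ENTRIES = [
    LeaderboardEntry(User("alice", "Alice", "alice@example.com", email_public=False), 1, 36000),
    LeaderboardEntry(User("bob", "Bob", "bob@example.com", email_public=True), 2, 18000),
]

if __name__ == "__main__":
    print("leaky serializer leaks:", leaked_emails(SAMPLE_ENTRIES, leaky_entry_to_dict))
    print("safe serializer leaks:", leaked_emails(SAMPLE_ENTRIES, safe_entry_to_dict))
```

The audit helper doubles as a regression test: run it against whichever serializer backs the leaderboard endpoint and fail the build if it returns any usernames.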

Report Details

Additional information and metadata

State

Closed

Substate

Resolved

Weakness

Information Disclosure