CreatorID leaked from public content posted to SnapMaps

Medium

Snapchat

Team Summary

Official summary from Snapchat

TL;DR - the Snap Map media responses unnecessarily return a creatorId. The creator's Snap username cannot be immediately derived from creatorId, but users can use the creatorId to correlate multiple public snaps with that creator. The impact is limited by the fact that all Our Story Snaps that appear on the map go through manual curation, ensuring that most selfie Snaps are filtered out.

Snap Map, located at https://map.snapchat.com, allows users to search for curated public Snaps posted to "Our Story" by users at a chosen location. When a user navigates to a point on the map, they can click on any location, and a Snap that was posted by a user in the vicinity of that location will play. In the background, several URLs at https://ms.sc-jpl.com populate the data needed to play Snaps. One of the requests is made to https://ms.sc-jpl.com/web/getPlaylist, which responds with a JSON object. This JSON contains information pertaining to each Snap in the playlist, such as the duration and snapInfo. Examples of data in snapInfo are the creatorId and the mediaUrl, which are a UUID pertaining to the user who uploaded the content and an app.snapchat.com URL that contains the content. Of the returned fields, the creatorId is not necessary for normal Snap Map operation and does not need to be disclosed.

Note that while the user identity cannot be directly gleaned from the creatorId, the disclosure of creatorId in the response from https://ms.sc-jpl.com/web/getPlaylist may allow a user to correlate Snaps on the Snap Map with a single user. This, in turn, may allow a user to potentially enumerate that user's public content by searching for content containing that specific creatorId. While not a direct leak of user information, the inclusion of the creatorId in the response was unintentional and unnecessary. At Snap, we value privacy highly and thank the reporter for bringing this to our attention.
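The fix the summary points at is response minimization: the server should only emit the fields the client needs, so an internal identifier such as creatorId never reaches the browser. Below is an added example (not Snap's code) of an allowlist projection over a getPlaylist-style JSON body; the field names duration, snapInfo, mediaUrl and creatorId come from the report, while the top-level "playlist" array, the UUIDs, URLs and the extra "debug" object are constructed for illustration.

```python
import json
from typing import Any

# Allowlist of the fields the Snap Map client needs from each playlist entry.
# duration, snapInfo and snapInfo.mediaUrl are named in the report; creatorId
# is deliberately absent. A top-level "playlist" array is assumed here.
RESPONSE_SCHEMA: dict[str, Any] = {
    "playlist": {"duration": True, "snapInfo": {"mediaUrl": True}},
}


def project(value: Any, schema: Any, path: str, dropped: list[str]) -> Any:
    """Copy value keeping only allowlisted keys; True = pass leaf through,
    dict = recurse, lists are projected per element. Every removed key is
    recorded with its JSON path so unexpected fields can be audited."""
    if schema is True:
        return value
    if isinstance(value, list):
        return [project(v, schema, f"{path}[{i}]", dropped) for i, v in enumerate(value)]
    if isinstance(value, dict):
        kept: dict[str, Any] = {}
        for key, sub in value.items():
            child = f"{path}.{key}" if path else key
            if key in schema:
                kept[key] = project(sub, schema[key], child, dropped)
            else:
                dropped.append(child)
        return kept
    dropped.append(path)  # schema expected a container; refuse the scalar
    return None


def minimize_response(raw_json: str) -> tuple[Any, list[str]]:
    """Parse a getPlaylist-style body and strip everything not allowlisted."""
    dropped: list[str] = []
    return project(json.loads(raw_json), RESPONSE_SCHEMA, "", dropped), dropped


# Constructed sample response: UUIDs, URLs and the extra "debug" object are
# made up for this example, not values taken from the report.
SAMPLE_RESPONSE = json.dumps({"playlist": [
    {"duration": 7.5, "snapInfo": {
        "creatorId": "00000000-0000-4000-8000-000000000001",
        "mediaUrl": "https://app.snapchat.com/example/media-1"}},
    {"duration": 4.0, "snapInfo": {
        "creatorId": "00000000-0000-4000-8000-000000000002",
        "mediaUrl": "https://app.snapchat.com/example/media-2"},
     "debug": {"uploadedFrom": "constructed-example"}},
]})
```

Because the schema is an allowlist rather than a denylist, a field that is added to the backend response later (the constructed "debug" object stands in for that) is dropped and logged instead of silently shipped to the client.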

Report Details

Additional information and metadata

State

Closed

Substate

Resolved

Bounty

$1000.00

Weakness

Server-Side Request Forgery (SSRF)