Family Tree - Geni

Log In

Email:

Password:

visibility

Don't know your password?

Security Code:

Trust this computer

Log In with Facebook

Reply |

Start a new discussion topic

Developer Forum » Use of API. A massive security breach?

Started by Private User on 4/29/2018

Displaying all 5 messages

	Private User 4/29/2018 at 8:35 Report	I saw a conversation in a Facebook group, that some Geni users are doing mass updates on to profiles in order to curate the data. This raises some concerns. How does Geni protects users that have created hundreds or thousands profiles, that this feature is not being used by someone from accidentally or for purpose ruining the tree/profile? What if malicious updates are being done. How can user know about such vandalism and how can one restore it's profiles into previous state if this feature is misused? Some edits can be opinionated and cause confusion in Geni collaborators. Could you please explain the logic behind use cases of API usage.
	Juha Mustonen (Geni Curator) 4/29/2018 at 10:55 Report	For clarification: "the Geni users" Keijo is referring to above is, I believe, just me. I have been doing some mass corrections to (mainly) Finnish profiles. No one has actually complained about the changes itself: correcting use of all caps, expanding abbreviations in patronyms, moving mislocated patronyms, adding missing countries etc. The changes have now been communicated to members of most populous Geni related Finnish Facebook group. Keijo is expressing above his concerns about the possible misuse of the API in general, I think. Please correct if I misinterpreted your intentions, Keijo.
	Private User 4/30/2018 at 7:54 Report	It is true, that Juha was the one bringing this possibility into my knowledge. For me this kind of activity sounds very dangerous and is prone to errors or vandalism. Even if the information is public, it is not acceptable reason to allow any registered user to modify profiles thru API. Permission to modify profiles should be limited to profiles that user is managing or collaborating with. If mass updates are allowed it should require elevated permissions or at least collaboration request. Nowadays anyone can edit anyones information. I cannot understand the logic behind all this.
	Private User 4/30/2018 at 8:47 Report	As far as I understand use of the API to mass update the profiles is against Genis Privacy Policy: Who can edit (Public) profiles? Your Collaborators, Your Family Group, Geni Curators, Geni Employees https://www.geni.com/company/privacy Bots that are able to run mass updates doesn't belong to any of these groups.
	(en) Jouni Ilari Konttinen 9/5/2019 at 5:03 Report	they are not bots, they are users. if user uses a software to mass update, those are still always user-linked actions. user can edit what user can edit. (family profiles, collabs profiles, groups profiles.. any public profile which is connected to user.) i think that is not a big problem, user doings in tree already have some kind of undo, i think..

English (US) eesti Svenska Español (España) Français עברית Norsk (bokmål) dansk Nederlands Deutsch »

rails-1a-001