Replies: 1 comment
this is why we can't have nice things
If a player has set their last login and status information to private, certain sensitive fields from the /player endpoint that can be used to approximate their last login should be hidden as well.
Some notable examples I've found:
- `player/network_update_book` can be used to determine the last version of the network that a player has logged onto. This can be used to approximate when the player has last logged in. If this value changes right when the version changes, it is obvious to any abusive observer that the account is active.
- `player/lastAdsenseGenerateTime` and `player/lastClaimedReward` both give timestamps to when the player last claimed their daily rewards. If the player has a habit of doing these every day, this can be used to track days where the player is active.

If someone has their status set to private, it is obvious they are not comfortable with this information being accessible. I believe that these fields should not be publicly visible if the player has chosen to disable their last login information in the API. Players who work very hard to avoid tracking also tend to avoid being in a guild (as guild EXP history can reveal activity), yet these fields may still leave certain players vulnerable.

Please reply if anyone is aware of any other fields that may also reveal sensitive information in this manner.
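
A sketch of the server-side redaction requested above, plus an audit pass for finding other timestamp-like fields. This is an added example, not part of the original post and not the API's own code. The `hide_activity` flag, the sample response and its `stats/ExampleGame/lastPlayed` field are assumptions constructed for illustration; only the three redacted field names come from the post.

```python
import copy

# Fields named in the post as usable to approximate a player's last login.
ACTIVITY_FIELDS = {"network_update_book", "lastAdsenseGenerateTime", "lastClaimedReward"}

# Epoch-millisecond window for the audit heuristic (2010-01-01 .. 2100-01-01 UTC).
EPOCH_MS_MIN = 1_262_304_000_000
EPOCH_MS_MAX = 4_102_444_800_000


def redact_player(player, hide_activity):
    """Return a copy of a player object, dropping the activity-revealing fields
    when the player has opted out (hide_activity is a hypothetical flag)."""
    if not hide_activity:
        return copy.deepcopy(player)
    return {k: copy.deepcopy(v) for k, v in player.items() if k not in ACTIVITY_FIELDS}


def find_timestamp_fields(obj, prefix="player"):
    """List paths whose values look like epoch-ms timestamps, as candidates for
    privacy review. Heuristic only: expect false positives, and it cannot see
    non-timestamp signals such as a version string."""
    hits = []
    if isinstance(obj, dict):
        for key, value in obj.items():
            hits += find_timestamp_fields(value, f"{prefix}/{key}")
    elif isinstance(obj, list):
        for i, value in enumerate(obj):
            hits += find_timestamp_fields(value, f"{prefix}/{i}")
    elif isinstance(obj, int) and not isinstance(obj, bool):
        if EPOCH_MS_MIN <= obj <= EPOCH_MS_MAX:
            hits.append(prefix)
    return sorted(hits)


# Constructed sample response, not real API output.
SAMPLE = {
    "displayname": "ExamplePlayer",
    "network_update_book": "v0.75",
    "lastAdsenseGenerateTime": 1_700_000_000_000,
    "lastClaimedReward": 1_700_003_600_000,
    "stats": {"ExampleGame": {"wins": 12, "lastPlayed": 1_699_990_000_000}},
}
```

Running `find_timestamp_fields` on the redacted copy still reports the nested `lastPlayed` path, which is the kind of leftover field a fixed deny list misses.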