Details
-
Bug
-
Resolution: Won't Fix
-
Medium
Description
You can find out what private repositories exist by brute-forcing the URLs while not being logged in.
If a private repository exists, you are redirected to a login page, e.g.:
https://bitbucket.org/account/signin/?next=/conro/test
If a private repository does not exist, you get a 404, e.g.:
https://bitbucket.org/conro/doesNorExist
This is a problem if the public should not know about the existence of a private repository, e.g. /apple/ios7 or /valve/hl3
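
An added example, not part of the original report and not Bitbucket's code: a minimal model of the response difference described above, next to a variant that answers anonymous requests identically whether or not a private repository exists. The `REPOS` table, repository names and all function names are constructed for illustration.

```python
from typing import NamedTuple, Optional


class Response(NamedTuple):
    status: int
    location: Optional[str] = None


# Constructed sample data: path -> (is_private, users with access)
REPOS = {
    "/alice/public-tool": (False, set()),
    "/alice/secret-project": (True, {"alice"}),
}

SIGNIN = "/account/signin/?next="


def leaky_view(path, user=None):
    """Behaviour from the report: redirect vs. 404 reveals existence."""
    repo = REPOS.get(path)
    if repo is None:
        return Response(404)
    private, members = repo
    if private and user is None:
        # Only reachable for repositories that really exist.
        return Response(302, SIGNIN + path)
    if private and user not in members:
        return Response(403)
    return Response(200)


def uniform_view(path, user=None):
    """Hardened variant: anything the caller may not see is 'not found'."""
    repo = REPOS.get(path)
    visible = repo is not None and (not repo[0] or user in repo[1])
    return Response(200) if visible else Response(404)


def distinguishable(view, existing_private, missing):
    """True if an anonymous caller can tell the two paths apart."""
    return view(existing_private) != view(missing)


if __name__ == "__main__":
    for view in (leaky_view, uniform_view):
        leak = distinguishable(view, "/alice/secret-project", "/alice/nope")
        print(f"{view.__name__}: existence leak = {leak}")
```

The trade-off of the uniform variant is that a logged-out member following a link to a private repository sees "not found" instead of a sign-in prompt.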