Wallace had left his username, email, and a plaintext password in the code—twice.
There is no authentication for any of the application programming interface calls, so someone could spoof any user—essentially giving them administrative access to the API.
All of the APIs are clearly defined as URLs in the source code.
By using the “Get user by ID” API call, someone could retrieve the user name, email, ban status, and other details on each user account.
Passwords were not in this data, but the entire user database could be retrieved by iterating through all the possible first letters or digits of an account ID.
Any user could be blocked using an HTTP Post to the “block” API.
Source: “Yelp, but for MAGA” turns red over security disclosure, threatens researcher | Ars Technica