The article's central problem
The author did not discover a new law of the internet. He renamed ordinary things
A public profile does not become a private database because a script requested it. An API does not become a hole because it was called without pressing a button. Saving a file already displayed to a user is not the same as breaching a storage system.
A category substitution.
A transport confused with a boundary.
Scale confused with the fact of access.
Evidence replaced with a dramatic story.
Likes through an API
An API that lets a participant like a public profile is doing its job
An open dating service must let a user express interest in another participant. The button on the screen sends an API request anyway. Reproducing that request with a technical client is not a magical product bypass. It is another client talking to the same server.
The real checks come next: the request must be authenticated, the actor must be active, and server limits must apply regardless of the interface. Current Mimolet reactions use an authenticated server route and are limited by plan to 60, 250, 500, or 1,200 actions per day.
So "the API can like a person" sounds alarming only until translated into plain language: "the dating service lets a user send a like." That is what the service exists to do.
Photos and S3
A displayed public photo can be saved. That is the internet, not a Mimolet breach
A public profile photo must reach the user's device or the app cannot display it. Once delivered, it can be saved through browser tools, screen recording, or a screenshot. The same is true for public content on Instagram, TikTok, Telegram, and every service that actually renders media.
A presigned URL, disabled context menu, or short link lifetime cannot revoke pixels already delivered to a screen. These controls can raise the cost of bulk collection, but they cannot make copying displayed public content physically impossible.
A publicly displayed photo is not the same thing as a public inventory of every stored object. The article creates alarm by collapsing that distinction.
Automated collection
Scraping exists everywhere. The question is cost and scale, not existence
Public pages and feeds are automated across social networks, marketplaces, search engines, messengers, and dating services. An absolute technical prohibition does not exist because automation can imitate a real user. Mature protection raises the cost through authentication, unpredictable identifiers, limits, behavioral signals, and blocking.
The historical negative offset central to the article is gone. The named feed_classic_api.php route no longer serves the product and returns 404. The current
feed returns 401 without authentication. Applying that old scenario to today's architecture is
not a current Mimolet analysis. It is a description of removed code.
Can be automated
True for every public interface.
Can be collected without limit
A separate claim that needs current API evidence.
Private data was obtained
Another separate claim, not a consequence of the first two.
History vs today
Old PHP files are not the current Mimolet architecture
The article repeatedly returns to the same routes and uses repetition to create a sense of scale. Three filenames are not three independent problems, and a removed entry point does not become the current API because its screenshot remains online.
profile_view.php404 removedfeed_classic_api.php404 removedtest.php404 removedThis does not rewrite history: a current 404 cannot prove what happened on the test date. It proves a narrower, important point - that the cited path cannot honestly describe today's product.
Sessions and bans
Multiple sessions are not session fixation, and an IP address is not a person
Session fixation is a specific attack in which a victim is forced to use an identifier already known to an attacker. Five logins from five contexts show only that multiple sessions are allowed. That is normal for phones, computers, and Telegram Web, not proof of account takeover.
The article's rigid IP-binding prescription breaks mobile networks, CGNAT, and VPN use. The current API checks blocked-user status on every authenticated request. That is the meaningful boundary. The assumption that one IP equals one person is not.
The publication's weakest section
The advertising and "unofficial accounts" story was written without access to the business
The author did not see contracts, payments, accounting records, analytics dashboards, or bank accounts. Yet profile counts, channel subscribers, and an LLC registration address were turned into conclusions about advertisers, taxes, investors, and intentionally weakened security. There is no evidentiary chain between the inputs and that story.
Registering a company in one city while developing a product from another is neither a business scheme nor a technical indicator. Geography proves no tax evasion, advertising relationship, or owner motive. It is speculation presented as investigation.
CVSS theater and the second post
Self-assigned scores do not replace attack vectors, and an Exim banner does not show Ubuntu patches
A table of 7.5, 8.9, and 8.1 looks authoritative, but scores without complete CVSS vectors, system boundaries, and reproducible impact remain the author's opinion. "Criminal prosecution," "loss of advertisers," and "payment blocking" do not follow from the technical tests, especially when the product has no advertisers.
The sequel repeated the pattern with Exim. It inferred CVE-2026-45185 from an Exim 4.97 Ubuntu banner. Ubuntu fixed that CVE through a backport in package 4.97-4ubuntu4.5. Revision .5 was installed on May 14, revision .6 on June 3, and the
post appeared on June 27. The base SMTP banner does not expose the Ubuntu package revision.
Method and presentation
Formulaic AI-style presentation amplifies drama, not evidence
Significant parts of the text look AI-generated or heavily AI-edited: repeated "severity + business impact" matrices, mechanical analogies, repetitive summaries, emoji risk levels, and dense AI-style typography. This is a stylistic observation, not proof of a specific model.
The problem is not the use of AI. The problem is when confident formatting hides missing steps: no independent sample validation, no access to business data, no full CVSS vectors, no check of the Exim package revision, and ordinary open-dating functions labeled as vulnerabilities in advance.
12,340 collected profiles do not prove the size of the entire monthly audience.
An aggregate 15-19 group cannot directly establish the share of people under 18.
Channel subscribers do not reveal contracts, revenue, or bank accounts.
Conclusion
Security requires precision. Panic requires only loud words
Like every live product, Mimolet has engineering work and continuously strengthens its defenses. But an honest analysis must distinguish public from private, possible from unlimited, legacy code from current code, and evidence from speculation.
Liking a public profile is a normal function. Saving a displayed public photo is an unavoidable property of digital content. Scraping is a market-wide risk to constrain, not something any open service can make physically impossible. Removed legacy routes do not describe the current API. Advertising, "unofficial accounts," and the allegedly vulnerable Exim package were not facts that survived verification.
Read the detailed official Mimolet responseRoute status, S3, sessions, Exim, sources, and the current product state Read the expanded public dating security guideFour layers: display, action, automation scale, and private dataMimolet, Mimolet Bot, mimoletbot, @mimoletbot, Мимолет, and Мимолет Бот are names for the same product operated by Dating LLC.
Sources and materials
- First Habr publication dated May 4, 2026
- Second Habr publication dated June 27, 2026
- Official Ubuntu Security page for CVE-2026-45185
This article reflects verified product status as of July 17, 2026.