It’s interesting to me that these kinds of things are not catalogued and advertised like other vulnerabilities. This is an exploitable information leak using an endpoint that many other services likely have.