This club is only about the API.
If you feel that could be a security-related bug, you could report it to support or the bug bounty program, but I don't think that data is an issue really.
https://support.chess.com/article/346-contact-us
https://www.chess.com/news/view/chess-com-bug-bounty-policy
Hi,
I found some information in the websocket messages during live games that I don't think should be publicly visible.
When connected to the wss://live2.chess.com/cometd websocket during a live game,
the following client information is visible (of the two users playing):
location in message object: data.game.players[0].clientfeatures.clientname
With this information you know the Android version and the exact phone model of the connected client (at least for Android devices):
M2102J20SG -> Xiaomi POCO X3 Pro M2102J20SG
I hope a dev sees this and can confirm if this is intended or not.
edit: Seems to be fixed