Critical API Flaw Exposes Full Game Vote History and Session IDs Without Authentication

A critical security vulnerability has been discovered in a game server's API, exposing the complete historical dataset of player votes, scores, and session identifiers to anyone on the internet. The `/api/export/votes.csv` endpoint lacks any form of authentication, allowing uncredentialed access to download the entire export. This constitutes a full data breach of the game's operational history, directly compromising player privacy and the integrity of the game's core mechanics.

The exposed data includes all historical player votes per round, scores, session IDs, and balance changes. The presence of session IDs is particularly dangerous, as it could enable session hijacking attacks, especially when combined with other vulnerabilities like username-only reconnection flaws. Beyond the immediate security risk, the leak fundamentally violates player privacy by exposing every individual's full voting history, which undermines the expected confidentiality of the game's commit-reveal scheme.

This breach exposes PII-adjacent data and amplifies existing session takeover risks. The integrity of the game's commit-reveal mechanism is compromised, as the export reveals what every player voted both before and after the fact, stripping the system of its designed privacy and fairness safeguards. The flaw is traced to specific lines in the `server.js` and `worker.js` source files, indicating a clear oversight in access control implementation.