Basecamp: Information Disclosure of Garbage Collection Cycle 'Again'
News category: Vulnerabilities
Source: vulners.com
Summary:

Hello team, I was recently reading the HackerOne Hacktivity page and saw a report (https://hackerone.com/reports/981796) which was related to information disclosure on one of the subdomains of hey.com, which was https://gopher.hey.com/metrics, so I thought of reproducing the issue. At first it gave me a 404 Not Found error, but when I clicked on reload I got access to the page again. The issue was resolved in the above-mentioned report, but I don't know why it is still reproducible.

Steps to reproduce:

1. Go to https://gopher.hey.com/metrics
2. It will give you a 404 Not Found error
3. Click on reload and you'll have access to the information on the page.

Note: Related POC of the reproduction steps is attached below

Information Disclosed:

```
HELP go_gc_duration_seconds A summary of the pause duration of garbage collection cycles.
TYPE go_gc_duration_seconds summary
go_gc_duration_seconds{quantile="0"} 3.4094e-05
go_gc_duration_seconds{quantile="0.25"} 6.4066e-05
go_gc_duration_seconds{quantile="0.5"} 0.000107121
go_gc_duration_seconds{quantile="0.75"} 0.000343458
go_gc_duration_seconds{quantile="1"} 0.018565566
go_gc_duration_seconds_sum 2.313567971
go_gc_duration_seconds_count 3398
HELP go_goroutines Number of goroutines that currently exist.
TYPE go_goroutines gauge
go_goroutines 2717
HELP go_info Information about the Go environment.
TYPE go_info gauge
go_info{version="go1.14.4"} 1
HELP go_memstats_alloc_bytes Number of bytes allocated and still in... ...
```
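
One way to keep a Go metrics endpoint like the one in this report off the internet-facing listener, shown as an added example (not Basecamp's code or fix, and not part of the report). The function names, the `/healthz` route and both listen addresses are assumptions, and `metricsHandler` is a standard-library stand-in for a real exporter.

```go
package main

import (
	"fmt"
	"log"
	"net/http"
	"net/http/httptest"
	"runtime"
)

// metricsHandler stands in for a real exporter; it emits two of the series quoted in the report.
func metricsHandler(w http.ResponseWriter, _ *http.Request) {
	w.Header().Set("Content-Type", "text/plain; version=0.0.4")
	fmt.Fprintf(w, "go_goroutines %d\n", runtime.NumGoroutine())
	fmt.Fprintf(w, "go_info{version=%q} 1\n", runtime.Version())
}

// publicMux serves application traffic only; /metrics is never registered on it.
func publicMux() *http.ServeMux {
	mux := http.NewServeMux()
	mux.HandleFunc("/healthz", func(w http.ResponseWriter, _ *http.Request) { fmt.Fprintln(w, "ok") })
	return mux
}

// internalMux carries operational endpoints and is meant for a loopback listener only.
func internalMux() *http.ServeMux {
	mux := http.NewServeMux()
	mux.HandleFunc("/metrics", metricsHandler)
	return mux
}

// exposedOnRetry replays a GET in-process; true if any attempt is not a 404 (the report saw 404, then the page).
func exposedOnRetry(h http.Handler, path string, tries int) bool {
	for i := 0; i < tries; i++ {
		rec := httptest.NewRecorder()
		h.ServeHTTP(rec, httptest.NewRequest(http.MethodGet, path, nil))
		if rec.Code != http.StatusNotFound {
			return true
		}
	}
	return false
}

func main() {
	if exposedOnRetry(publicMux(), "/metrics", 5) {
		log.Fatal("/metrics is reachable on the public handler")
	}
	go func() { log.Fatal(http.ListenAndServe("127.0.0.1:9090", internalMux())) }() // assumed scrape address
	log.Fatal(http.ListenAndServe(":8080", publicMux()))
}
```

The in-process check only covers this binary's own routing. Because the report describes a 404 followed by a successful reload, the same repeated request is worth running against the deployed hostname after a fix, so every instance behind it is exercised.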