
Access private list metadata - AATAR
https://hackerone.com/reports/178506
======
AATAR
The thing is, this endpoint shows any list as visible: true. You need some
other source of truth to verify the actual value of the flag. I use
/api/v2/lists/10 for this purpose, but you can look directly into the
database.

