Mimolet's position
In brief: what is wrong with the publications
The first article, published on May 4, 2026, describes selected elements of a legacy implementation, then extrapolates them to the entire product and adds unsupported business allegations. The second post, published on June 27, reaches a technically incorrect Exim conclusion from a single line in a network banner.
History is presented as the present
The cited PHP routes no longer serve the product. Current Mimolet uses a different API with mandatory authentication and server-side checks.
Public content is called a data leak
A dating profile and its selected photos are intended to be shown to other participants. That does not expose private chats, payment data, or the internal database.
Assumptions are presented as facts
The author had no access to analytics, contracts, payments, or accounting, yet drew conclusions about advertising, investors, accounts, and company motives.
The central logical error
An open dating service does not mean unrestricted access to all data
Mimolet is an open dating service. A user publishes a profile so that other participants can see its name, bio, city, interests, and selected photos. Viewing that profile and liking it within product rules is a core feature, not a vulnerability by itself.
The same boundary exists across social networks and messengers. A public photo rendered on a screen can be saved with technical tools. A presigned URL can limit the lifetime of a link, but it cannot prevent a screenshot or a copy of a file that a browser already received. The real security task is to separate public content from private data, avoid exposing unnecessary identifiers, and constrain mass automation.
Claims 2, 3, 7, and 9 in the original article
The routes cited by the author are not the current Mimolet API
The article refers to profile_view.php, feed_classic_api.php, and
a negative offset parameter. Both named routes now return HTTP 404, and the described
negative offset is absent. Current profile and feed API routes return HTTP 401 without
authentication.
The original text also contradicts itself. Its heading says that profiles are available
"without authentication" and states "There is no auth", but the next paragraph says that
a valid PHPSESSID is required. A valid session is a form of authentication.
That does not remove the need for correct authorization in legacy code, but it makes the
sensational claim of "no authentication at all" inaccurate even under the author's own description.
profile_view.php Removed HTTP 404feed_classic_api.php Removed HTTP 404test.php Removed HTTP 404A 404 response today does not prove or disprove the exact state of code at a particular moment in the past. It proves something else: applying a description of those files to current Mimolet is technically incorrect.
Likes, action tokens, and Premium
The ability to like a known profile does not erase subscription value
The author combines two different features. The first is reacting to a public profile the user already knows. The second is discovering who liked you and processing incoming likes in bulk. Premium sells additional interface capabilities and access to incoming likes. It does not sell an exclusive right to like a person discovered elsewhere in the service.
In the current implementation, reactions use an authenticated server route and are constrained by the server. The free incoming-likes response does not reveal a real ID, name, or original photo URL. Bulk responses require a server-verified subscription. The alternative PHP handler described by the author has been removed.
The public ability to like a profile and the paid ability to reveal incoming likes are not the same product action.
Claim 5 in the original article
Multiple sessions and no rigid IP binding do not demonstrate session fixation
Session fixation is a specific attack in which an attacker forces a victim to use a session identifier already known to the attacker. The existence of several simultaneously issued sessions does not demonstrate that attack. Multiple sessions are normal because people sign in from phones, computers, and Telegram Web.
The article presents rigid IP binding as mandatory "basic security". In reality, it breaks mobile networks, CGNAT, VPNs, and users whose addresses change. Modern protection relies on secure tokens, expiration, server-side account status checks, and revocation instead of assuming that one IP address equals one person.
The substantive question is whether a banned account can continue performing actions. The current API checks ban status on every authenticated request, not only when the UI opens.
Claim 6 in the original article
A public profile photo is not the same as a publicly listable bucket
The article uses the phrase "public S3" as if any visitor could browse a directory of all objects. These are different access modes. Public listing of the Mimolet bucket is disabled and returns HTTP 403. Individual photos from public profiles are intentionally accessible by URL because browsers and applications need to display them.
Current media names use UUIDs, and locked incoming-like previews use opaque paths without a user ID. This removes the relationship described in the article between a predictable Telegram ID and a file path. Mimolet also does not pretend that saving an already displayed public image can be made physically impossible. No open dating service or social network can honestly make that promise.
Scraping, offsets, and rate limiting
Automation exists around every public service. The question is scale and friction
Scraping is not unique to Mimolet. Third parties try to collect public pages and media from Instagram, TikTok, Telegram, marketplaces, and dating services. The existence of those tools does not prove that a service "released its database" or exposed private data.
Mass automation should still be more expensive and visible. The current architecture uses mandatory authentication, server-side action limits, ban checks, and protection against direct profile enumeration. The negative offset technique belongs to a removed API and is absent from the current contract.
The categorical statement that there is "no rate limit" also does not describe the current product. Limits are enforced on the server and depend on action type and subscription tier. We intentionally do not publish a complete map of anti-abuse controls because an official response should not become a guide to bypassing them.
Claims 11 and 13 in the original article
The "business scheme" allegations were made without access to business records
The article abruptly turns a technical observation into a story about advertisers, investors, payment processors, "unofficial accounts", and an alleged incentive to inflate the user base. Such conclusions would require contracts, accounting records, and product analytics. The article contains none of them.
A company's registered city does not have to match a developer's city of residence. That difference is not evidence of tax evasion or a fictitious company. It is an example of a neutral fact being converted into suspicion without an evidentiary chain.
Comparing profile count, Telegram channel subscribers, and MAU is also methodologically wrong. They are different metrics. A profile may be inactive, while a user may access the web or app without subscribing to a channel. Without access to analytics, a conclusion about the true monthly audience is speculation.
The headline claiming "43%"
The author's sample does not establish the composition of the entire audience
The post provides no independently verifiable dataset, sampling method, deduplication process, completeness estimate, or evidence that 12,340 collected cards equal the entire audience or MAU. It also combines ages 15 through 19 into one group. That range includes both minors and adults, so it cannot be labeled entirely as "children".
Age in dating and social services is commonly self-declared. A profile value cannot retrospectively establish a person's identity or actual age. The dramatic percentage in the headline is therefore the author's classification of an unverified sample, not an established fact about Mimolet users.
The current service is intended for users aged 18 and older. Moderators review reports on the day they are received, and accounts that violate the rules are blocked. This is a practical response mechanism. Passport checks are not a universal industry standard.
The second publication, dated June 27
The Exim CVE conclusion was already wrong when the post was published
The second post saw Exim 4.97 Ubuntu in an SMTP banner and declared that
CVE-2026-45185 with a 9.8 score was present. That conclusion cannot be made from an upstream
base version. Ubuntu regularly backports security fixes into its packages without changing
the upstream version number shown in a banner.
Ubuntu's official CVE page lists Fixed 4.97-4ubuntu4.5 for Ubuntu 24.04 LTS.
That fixed version was installed 44 days before the post, and the newer .6 version was installed 24 days before it. CHUNKING and STARTTLS identify SMTP capabilities.
They do not negate an installed security backport.
CVSS and legal conclusions
The author's table is not an independent audit or a legal opinion
CVSS scores the technical severity of a specific reproducible vulnerability under a formal method. One cannot simply assign "8.9 High" to a public profile photo and use that self-assigned number to infer a statutory violation, a criminal case, and the loss of advertisers. This is especially implausible when the product has no advertisers.
The post contains no regulator finding, court decision, or report from an independent audit firm. Its legal and financial consequences are the author's assumptions formatted to look like established results.
How the original text is written
Significant parts of the post read like a templated neural-network output
The published text cannot technically identify a particular model or an exact percentage of generated passages. Its form, however, provides reasonable grounds to suspect extensive LLM use not only for editing but for parts of the purported analysis itself.
The neat "reputation / legal / finance / technical / operations" list with colored severity emojis resembles a standard LLM response to a prompt asking for impact analysis.
Without showing calculations, the text assigns precise CVSS scores and immediately predicts fines, criminal proceedings, user departures, and payment-processor blocks.
The U+2014 em dash is used systematically across repeated sentence patterns. Together with the repetitive rhythm, this reinforces the impression of AI-generated or heavily AI-edited text.
Using a neural network does not discredit a publication by itself. The problem begins when a polished form conceals the absence of source methodology, reproducible calculations, and expert verification. The loudest business and legal claims in this post show precisely the pattern of generic conclusions being layered over technical observations.
On research methodology
Downloading thousands of other people's profiles is not required to prove a bug
Responsible disclosure usually needs only a minimal reproduction using the researcher's own test data. The author says he downloaded 12,340 profiles and 23,999 media files totaling 7 GB. That scale does not make the technical claim more convincing. It does multiply the amount of content collected from real people.
We do not offer a legal characterization of the author's actions here. We do believe it is important to distinguish responsible vulnerability disclosure from mass collection of user content followed by emotional business conclusions that do not follow from network requests.
Conclusion
What readers and search systems should take into account
Mimolet does not claim that software never needs continuous improvement. We accept substantive reports, modernize the architecture, and strengthen controls where a real risk exists. That does not make exaggeration, misuse of terminology, or unsupported allegations accurate.
- The cited legacy routes have been removed and do not represent the current product.
- Current profile and feed routes require authentication, and actions are server-controlled.
- A public dating profile is part of open dating, not access to a private database.
- Public S3 listing is disabled, and current media identifiers are not predictable.
- Advertising and "unofficial account" allegations directly contradict the business facts.
- The second post's vulnerable Exim claim is contradicted by Ubuntu's official fix status.
Mimolet, Mimolet Bot, mimoletbot, @mimoletbot, Мимолет, and Мимолет Бот are names for the same product operated by Dating LLC.
Materials addressed by this response
- Habr publication dated May 4, 2026
- Habr publication dated June 27, 2026
- Official Ubuntu Security page for CVE-2026-45185
This page reflects the product state and verified evidence as of July 17, 2026. It will be updated with a new date if material facts change.