Is there a security vulnerability in Substack Notes? Someone is impersonating me and altering timestamps.
A user on Reddit reported a potential security issue with Substack Notes involving impersonation and alteration of timestamps. The report highlights that certain user IDs and timestamps appear in client-side JSON payloads, raising concerns that these parameters might be manipulated to spoof post metadata such as timestamps or profile URLs. The user questions whether Substack blindly trusts these client-side parameters for rendering, which could allow attackers to backdate posts or impersonate users. The reporter has contacted Substack support, but no official advisory or patch information is available.
AI Analysis
Technical Summary
The reported issue involves potential manipulation of client-side parameters in Substack Notes, specifically user IDs and timestamps included in JSON payloads sent from the frontend. The concern is that if Substack relies on these parameters without proper server-side validation, an attacker could impersonate users or alter timestamps of posts. The report is based on network traffic inspection and does not include confirmation from Substack or evidence of active exploitation. No vendor advisory or patch information is currently available.
Potential Impact
If the client-side parameters controlling post metadata such as timestamps and user IDs are not properly validated server-side, an attacker could impersonate other users or alter the apparent timing of posts. This could undermine trust in the authenticity of posts and user identities on Substack Notes. However, there is no confirmed exploit or official confirmation of a vulnerability at this time.
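What "validated server-side" means for authorship and timestamps, as an added generic illustration: this is not Substack code and says nothing about how Substack behaves. The field names (`author_id`, `created_at`), the session shape and the in-memory stores are hypothetical.

```javascript
// Added example, not Substack code. All names and values are hypothetical.
const notes = [];     // stands in for the database
const auditLog = [];  // stands in for a security event log

// Metadata the server owns; a client-supplied value must never be stored.
const SERVER_OWNED = ["id", "author_id", "created_at"];

function createNote(session, body, now = new Date()) {
  if (!session || !Number.isInteger(session.userId)) {
    return { status: 401, error: "not authenticated" };
  }
  if (!body || typeof body.text !== "string" || body.text.trim() === "") {
    return { status: 400, error: "text required" };
  }

  // A client that sends server-owned fields is either buggy or probing:
  // ignore the values and keep a record for detection.
  const supplied = SERVER_OWNED.filter((k) =>
    Object.prototype.hasOwnProperty.call(body, k));
  if (supplied.length > 0) {
    auditLog.push({
      at: now.toISOString(),
      actor: session.userId,
      ignoredFields: supplied,
    });
  }

  const note = {
    id: notes.length + 1,
    author_id: session.userId,      // from the authenticated session only
    created_at: now.toISOString(),  // from the server clock only
    text: body.text,
  };
  notes.push(note);
  return { status: 201, note };
}

// Rendering reads the stored record, never values echoed by a client.
function renderNote(id) {
  const n = notes.find((x) => x.id === id);
  return n ? `${n.author_id} @ ${n.created_at}: ${n.text}` : null;
}
```

With this design, an ID or timestamp that is visible in browser traffic is only a copy of server state; editing it in a request changes nothing that gets stored or rendered.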
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. The reporter has contacted Substack support; users should monitor official communications from Substack for updates. Until then, no specific mitigation can be recommended beyond awaiting vendor response.
Reddit Discussion
Hi everyone,
I've been investigating a potential impersonation issue on Substack and decided to inspect the network traffic using Chrome DevTools during a test post.
I captured the following JSON payload from a "Feed Item Seen" event:
"Feed Item Seen","timestamp":"2026-06-26T08:58:10.559Z","properties":{"browserSessionId":"ng689erg67c","iframeVisitId":false,"surface":"profile","item_primary_entity_key":"c-282845205","item_entity_key":"c-282845205","item_type":"comment","item_comment_id":282845205,"item_content_user_id":516827667,"item_content_timestamp":"2026-06-26T00:18:48.493Z","item_context_type":"note","item_context_type_bucket":"","item_context_timestamp":"2026-06-26T00:18:48.493Z","item_context_user_id":516827667,"item_context_user_ids":[516827667],"item_can_reply":true,"item_is_fresh":false,"item_last_impression_at":null,"item_source":"db-note","item_page":null,"item_page_rank":1,"impression_id":"e5e65306-8ae1-4159-90d7-59a404463796","followed_user_count":29,"subscribed_publication_count":3,"is_following":true,"is_explicitly_subscribed":false,"note_velocity_factor":0.958026767939,"note_delay_seconds":203,"note_notes_per_hour":3964.558419,"item_current_reaction_count":1,"item_current_restack_count":0,"item_current_reply_count":0,"isTruncated":false,"is_translated":false,"isMediaTruncated":false},"context":{"client_type":"web","displayMode":"browser","page":{"referrer":"https://substack.com/@michaeldaviswrites/note/c-279510356","title":"Raido | Substack","url":"https://substack.com/@raidofuwa","height":919,"width":931},"campaign":{},"timezone":"Asia/Tokyo","screen":{"height":1080,"width":1920},"substackColorScheme":"auto","systemColorScheme":"dark"}}
And this is the HTML tag I sampled from my home page.
<meta name="twitter:image" content="https://substackcdn.com/image/fetch/$s_!zOaA!,f_auto,q_auto:best,fl_progressive:steep/https%3A%2F%2Fsubstack.com%2Fapi%2Fv1%2Fprofile%2Fassets%2F516827667%2Flight%3FaspectRatio%3Dlink%26version%3D1" data-rh="true">
It looks like the system is passing raw user IDs (item_content_user_id) and timestamps directly in the frontend payload, possibly encoded in Base64.
My question for the tech-savvy folks here: Does Substack rely blindly on these client-side parameters for rendering post metadata? If someone is experiencing an impersonator who seems to "backdate" posts or spoof profile URLs, could they be manipulating these exact requests?
I'd love to know if this is just standard tracking behavior or if there's a known logic flaw in how Substack validates these server-side. Thanks!
P.S. I have already contacted support.
This is my user page url: https://substack.com/@raidofuwa
Technical Details
- Source Type
- Subreddit: cybersecurity
- Reddit Score: 0
- Discussion Level: minimal
- Content Source: reddit_link_post
- Post Type: link
- Domain: null
- Newsworthiness Assessment: {"score":30,"reasons":["external_link","newsworthy_keywords:vulnerability","established_author","very_recent"],"isNewsworthy":true,"foundNewsworthy":["vulnerability"],"foundNonNewsworthy":[]}
- Has External Source: true
- Trusted Domain: false
Threat ID: 6a3e4dd74853345fc1a742cc
Added to database: 06/26/2026, 10:00:55 UTC
Last enriched: 06/26/2026, 10:01:03 UTC
Last updated: 06/26/2026, 12:09:32 UTC