If you access a component without the ".load" extension, it automatically uses the "generic.load" view which is a BEAUTIFY of all the returned data. So since my data included an auth_user record, all the auth_user fields were displayed in the browser window, including the password (encrypted, but still!).
Are there any other situations where manipulating the extension or URL can lead to data disclosure like this? Is it a best practice to lock down queries by only selecting fields that you need? I guess ordinarily it is suggested to avoid "select *" so maybe that's what I need to do.
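An added example, not part of the original post and not web2py's own code: a small stand-alone Python model of the behaviour described above. It shows the two controls the question points at: an allowlist for generic views (web2py exposes this as `response.generic_patterns`) and returning only explicitly named fields. The action names, field list and sample row are constructed assumptions.

```python
import fnmatch

# Constructed sample row standing in for an auth_user record.
AUTH_USER_ROW = {
    "id": 7,
    "first_name": "Ada",
    "email": "ada@example.com",
    "password": "constructed-password-hash",
    "reset_password_key": "constructed-reset-key",
}

# Fields the component actually needs (assumption for this example).
PUBLIC_FIELDS = ("id", "first_name", "email")


def project(row, fields=PUBLIC_FIELDS):
    """Keep only explicitly named fields: the dict equivalent of not using 'select *'."""
    return {name: row[name] for name in fields}


def exposed_fields(action, returned, own_views, generic_patterns):
    """Field names that reach the browser for 'controller/function.ext'.

    own_views maps an action to the fields its hand-written template prints.
    Returns None when no view is allowed to render the request.
    """
    if action in own_views:
        return set(own_views[action]) & set(returned)
    if any(fnmatch.fnmatchcase(action, p) for p in generic_patterns):
        # A generic view dumps everything the controller returned.
        return set(returned)
    return None


OWN_VIEWS = {"default/profile.load": ["first_name", "email"]}

if __name__ == "__main__":
    # Same controller output, requested with an extension that has no own view.
    leaky = exposed_fields("default/profile.html", AUTH_USER_ROW, OWN_VIEWS, ["*"])
    print("generic view, full row:   ", sorted(leaky))
    blocked = exposed_fields("default/profile.html", AUTH_USER_ROW, OWN_VIEWS, [])
    print("generic views disabled:   ", blocked)
    narrow = exposed_fields("default/profile.html", project(AUTH_USER_ROW), OWN_VIEWS, ["*"])
    print("generic view, projection: ", sorted(narrow))
```

The two controls are independent: the allowlist stops unexpected extensions from rendering at all, while the projection limits what any view, generic or not, can ever receive.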