User-ID manipulation in URL possible, might be security breach
Posted: Wed Jan 12, 2005 8:27 pm
by Guest
I can easily change the "uid" param in the URL below to some other user's id. I don't get a display of his mylist, but I get his nickname. Could be that it's possible to start something with that information then.
http://anidb.ath.cx/perl-bin/animedb.pl ... &uid=38000
Posted: Wed Jan 12, 2005 9:02 pm
by wahaha
You can see his list, actually. It's just empty.
The username isn't worth much really, so unless you have a concrete idea where to use it in an attack, I don't see a problem in showing it.
Btw - that's no bug. Every user who wants to can decide to completely hide his list and stats in the profile. By default, only guest access is pretty limited while other members can read one's list. With permissions set properly, you can avoid having your list shown. Try this one:
http://anidb.ath.cx/perl-bin/animedb.pl ... ist&uid=64
You can navigate the userlist to see who may have a public mylist.
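The access model wahaha describes (owner always sees their own list, a user can hide list and stats entirely, members can otherwise read a list, guests are limited, the nickname is shown regardless) is easy to get wrong when the `uid` query parameter is allowed to decide visibility. The following is an added example, not AniDB's `animedb.pl` code: a server-side check in Python that treats `uid` only as a selector of which profile is requested and derives permission from the owner's setting plus the requester's role. The `Profile`/`Requester` types, the `hide_list` field, the sample profiles and the `lookup` helper are assumptions for illustration; the uids 38000 and 64 are taken from the URLs in the thread, but the profiles attached to them here are constructed.

```python
# Added example (not AniDB's code): server-side visibility check for a
# per-user "mylist" following the policy described in the thread:
#   - the owner can always see their own list
#   - a user may hide list and stats completely in their profile
#   - otherwise logged-in members may read the list, guests may not
#   - the nickname is public regardless of the list setting
# The uid in the URL only selects *which* profile is requested; it never
# decides *whether* the requester may read it. Names and fields are assumed.

from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Profile:
    uid: int
    nickname: str
    hide_list: bool = False          # the "completely hide list and stats" setting
    mylist: Tuple[int, ...] = ()     # constructed sample entries (anime ids)


@dataclass(frozen=True)
class Requester:
    uid: Optional[int]               # None represents an anonymous guest


def can_view_mylist(requester: Requester, owner: Profile) -> bool:
    """Decide from the owner's setting and the requester's role, never from
    the uid the requester typed into the URL."""
    if requester.uid is not None and requester.uid == owner.uid:
        return True                   # owner always sees own list
    if owner.hide_list:
        return False                  # hidden from everyone else, members included
    return requester.uid is not None  # members yes, guests no


def render_profile(requester: Requester, owner: Profile) -> dict:
    """Build the response for ?show=mylist&uid=<owner.uid>: the nickname is
    always included, the list only when the check passes."""
    body = {"uid": owner.uid, "nickname": owner.nickname}
    body["mylist"] = list(owner.mylist) if can_view_mylist(requester, owner) else None
    return body


# Constructed sample data; the uids come from the thread, the profiles do not.
PROFILES = {
    38000: Profile(38000, "user_a"),
    64: Profile(64, "hidden_user", hide_list=True, mylist=(101, 202)),
    7: Profile(7, "open_user", mylist=(303,)),
}


def lookup(requester: Requester, uid_param: str) -> Optional[dict]:
    """Parse the uid query parameter defensively, then serve the profile.
    Unknown or malformed uids return None instead of raising."""
    try:
        uid = int(uid_param)
    except ValueError:
        return None
    owner = PROFILES.get(uid)
    if owner is None:
        return None
    return render_profile(requester, owner)


if __name__ == "__main__":
    guest, member = Requester(None), Requester(38000)
    print(lookup(guest, "7"))          # nickname visible, mylist withheld
    print(lookup(member, "7"))         # member sees the open list
    print(lookup(member, "64"))        # hidden list stays hidden from members
    print(lookup(Requester(64), "64")) # owner sees own hidden list
```

The point of `lookup` is that changing the `uid` in the request only changes which `Profile` is fetched; `can_view_mylist` still decides with the requester's real identity and the owner's setting, so the empty list the thread observes for a guest is a deliberate policy outcome rather than an accident of the URL.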
Posted: Wed Jan 12, 2005 9:48 pm
by Rar
Feel free to click the 'www' button in the bar below to breach my security.
Rar