Privacy Policy
This is nothing more than a simple page to disclose extension/website privacy policies to everyone including Google, the biggest tracking company in the world. In other words, it's here to guarantee that neither the extension nor the website collects more data from you than what's needed.
Discord OAuth2
The only OAuth2 scope requested is identity, which grants access to the logged-in user's basic Discord account info (e.g. username, display name and avatar). Such data is required to identify you, the player, and to apply the needed processing and database changes.
Browser extension
Riddler collects webpage data (i.e. URLs, status codes and, occasionally, folder-specific credentials) by intercepting HTTP requests while players browse the catalogued external riddle websites — and only on those. Starting with version 0.6, this whitelisting works by filtering every request against this list of valid hosts. As such, no browsing history or sensitive data from any other website is sent to https://riddler.app at all.
The extension requires two manifest permissions to function properly:
- webRequest: to intercept the aforementioned page/file HTTP requests.
- webRequestAuthProvider: to implement the onAuthRequired listener, which allows the extension to cancel the browser's default auth box and present Riddler's custom proxy credentials box in its place.
Riddle credentials
Starting with version 0.5, Riddler implements its own custom auth box. By itself, the interface works essentially by embedding the provided username/password as part of the URL. The box, therefore, is merely a helpful proxy, and the same result can be achieved if the user directly adds the user:pass@ component to the address bar's URL, like so:
https://user:pass@riddledomain.com/folder/page.htm
https://riddler.app then receives the extension-sent URL, parses the required credentials, and applies the needed procedures.
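The host filtering and user:pass@ parsing described above, sketched as an added example (not Riddler's own code). The host list, function names and report shape are assumptions, and the sketch goes slightly beyond the text by also handling percent-encoded credentials and lookalike hosts.

```javascript
// Added example, not Riddler's code. ALLOWED_HOSTS is a constructed stand-in
// for the extension's list of valid hosts.
const ALLOWED_HOSTS = new Set(["riddledomain.com"]);

// Userinfo is exposed percent-encoded; fall back to the raw value when the
// escape sequence is malformed (decodeURIComponent would throw).
function safeDecode(value) {
  try {
    return decodeURIComponent(value);
  } catch {
    return value;
  }
}

// Returns what would be reported for a request, or null if nothing is sent.
function reportFor(rawUrl, allowedHosts = ALLOWED_HOSTS) {
  let url;
  try {
    url = new URL(rawUrl);
  } catch {
    return null; // unparseable input is never reported
  }
  if (url.protocol !== "http:" && url.protocol !== "https:") return null;

  // Compare the parsed hostname exactly. Substring or prefix checks on the
  // raw string would accept "riddledomain.com.evil.example" or
  // "riddledomain.com@evil.example".
  if (!allowedHosts.has(url.hostname)) return null;

  const hasCredentials = url.username !== "" || url.password !== "";
  const credentials = hasCredentials
    ? { username: safeDecode(url.username), password: safeDecode(url.password) }
    : null;

  // Keep credentials out of the stored location itself.
  url.username = "";
  url.password = "";
  return { host: url.hostname, path: url.pathname, location: url.href, credentials };
}
```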
Regarding the rationale for an in-house handling of credentials:
- To display the fabled flavored realm messages, long gone since all the major browsers decided to hide those, starting years ago. Several old riddles dealt with this nuisance by applying their own solutions (from tooltips to alert dialogs to simply ignoring them altogether); Riddler solves the issue in the definitive way.
- To allow folder passwords to be shown as plain text and not merely a bunch of ●●●●● — masking is unnecessary given their non-sensitive nature, and it invites common typing mistakes.
- To autofill cloud-saved credentials, thus removing the need for users to rely on password managers and the annoyance of losing those when moving across browsers/PCs.
- To certify players have actual access to the locations they're visiting (as, previously, password-protected pages could be exploited and marked as accessed just by masking the extension-sent 401 code as a 200, even if said player hadn't gotten credentials for that folder yet).
- To harvest new username:password pairs for us.
- Because the custom box looks prettier.
Wrong credentials don't get sent to https://riddler.app at all, thus nullifying the risk of users mistakenly submitting e-mail addresses, personal username/passwords, etc.
In the extraordinary cases where actual real auth is involved (e.g. the final Notpron levels), none of the above points hold, and the system intentionally falls back to the usual vanilla mechanisms.
By using Riddler — extension, website and bot — you hereby consent to our privacy policy and Riddler's (small) usage of your data.
― Riddler, 2025