Bitmoji source code is accessible
Medium
## Vulnerability Details
hi team,
I'm starting my research on Snapchat by scanning all sub-domains of all the domains in scope: snapchat.com, bitmoji.com, etc.
Let's look at one of the URLs, [https://rendering-service.prod.us-east.bitstrips.com/](https://rendering-service.prod.us-east.bitstrips.com/)
When I request `GET https://rendering-service.prod.us-east.bitstrips.com/`
The response is `403 Forbidden`
After searching, I've found the [/WEB-INF/](https://rendering-service.prod.us-east.bitstrips.com/WEB-INF/) & [/META-INF/](https://rendering-service.prod.us-east.bitstrips.com/META-INF/) directories, which are accessible and allow directory listing.
Inside `/WEB-INF/` we have all the .class files of Bitmoji; we can download all of them.
Then, by using a Java decompiler such as `procyon-decompiler`, we reverse the .class files to make them readable.
best,
hermès.
## Impact
Source code leaked
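The servlet specification requires containers to refuse any request for resources under `/WEB-INF/` and `/META-INF/`, so a 2xx response on those paths is the signal a defender would look for in access logs. The following detection is an added example, not code from the report or from Snap; the log format and the sample lines are constructed, and it also catches the double-URL-encoded spelling of the path, which is beyond what the report shows.

```python
"""Flag successful requests to /WEB-INF/ or /META-INF/ in web access logs.

A container that serves these paths exposes compiled classes and deployment
descriptors, as in the report above. Sample log lines are constructed.
"""
import re
from urllib.parse import unquote

# Combined log format: host ident user [time] "METHOD path HTTP/x" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

PROTECTED = ("/WEB-INF/", "/META-INF/")


def normalize(path: str) -> str:
    """Drop the query string and URL-decode twice to unmask double encoding."""
    path = path.split("?", 1)[0]
    return unquote(unquote(path))


def is_protected_path(path: str) -> bool:
    """True if the decoded path reaches into WEB-INF or META-INF (case-insensitive)."""
    p = normalize(path).upper()
    return any(seg in p for seg in PROTECTED)


def find_exposures(log_lines):
    """Return (ip, raw_path, status) for each 2xx response on a protected path."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not parse rather than guessing
        status = int(m.group("status"))
        if 200 <= status < 300 and is_protected_path(m.group("path")):
            hits.append((m.group("ip"), m.group("path"), status))
    return hits


# Constructed sample: a blocked root request, an exposed listing,
# a double-encoded variant (%25 -> %, then %57 -> W), and a correct refusal.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Dec/2017:10:00:01 +0000] "GET / HTTP/1.1" 403 199',
    '203.0.113.5 - - [10/Dec/2017:10:00:02 +0000] "GET /WEB-INF/ HTTP/1.1" 200 5120',
    '203.0.113.5 - - [10/Dec/2017:10:00:03 +0000] "GET /%2557EB-INF/classes/ HTTP/1.1" 200 812',
    '198.51.100.7 - - [10/Dec/2017:10:00:04 +0000] "GET /META-INF/MANIFEST.MF HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    for ip, path, status in find_exposures(SAMPLE_LOG):
        print(f"EXPOSED {status} {path} from {ip}")
```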
## Report Stats
- Report ID: 301812
- State: Closed
- Substate: resolved
- Upvotes: 85