I feel like I should just use this to cheat, but professional ethics (I do IT security for a living) force me to report it...  I just discovered the fact that the little dot in the upper right of messages can be right-clicked and opened in a new tab (doesn't work just to left-click it for some reason, BTW. That should be a separate bug.) to show a complete view of the map at the time the message was sent. The thing is that the associated URL comes out as something similar to:
http://www.wargear.net/rest/GetBoardImage?gameid=776578&turnid=1319
and if you just change the turnid parameter, it looks like you can view things that should be fogged.

...

Then again, I'm seeing other discrepancies between the game history view, and what's shown in the GetBoardImage page... For example, in the game listed above, if I look at turn 1422, it shows an attack by Pink from Missouri 6 (with no numbers shown) to Iowa 1 (where Blue has 3). But http://www.wargear.net/rest/GetBoardImage?gameid=776578&turnid=1423 shows both Missouri 6 and Iowa 1 as fogged.

...

Here's a better example. The game history for turn 1716 in the above game (correctly) shows Dakota Territory 7 as fogged. It was just taken by Purple. But the GetBoardImage page at http://www.wargear.net/rest/GetBoardImage?gameid=776578&turnid=1716 shows the actual number of Purple units (3) in the territory.

...

I think there's something wonky in the code that decides what to fog in the GetBoardImage REST API queries.

Could I maybe get a month or two membership boost as a bug bounty on this one? (just a thought)

Thanks

John

I can't see any of your examples with the Civil War games since I am not in it.

I couldn't replicate this in a light fog game.

I could replicate it in a medium fog game. By going to the board image through the messages there was one territory that I could see that I wasn't supposed to. When I change the ID I consistently get information on that territory - it may be because currently in the game I am able to see that territory.

So, maybe in the light fog game I could not replicate it because the game state has not changed much yet -

I just replicated in another medium fog game - I am quite sure it is pulling from the current board state in deciding what territories should be visible or not

So... It's definitely a bug, but you're not sure exactly where? Anything else I can do to help troubleshoot?

It's up to tom from here - 

Looks like the GetBoardImage REST API isn't working at all any more. It just returns a white blank image. Did he maybe disable it while he's working on this?

This bug should be fixed now, the GetBoardImage code has been patched to correctly fog the board image based on the history state for the specified turnid.

Thank you for reporting this Genghis!

Thanks tom!