Our great sponsors
-
WorkOS
The modern identity platform for B2B SaaS. The APIs are flexible and easy-to-use, supporting authentication, user identity, and complex enterprise features like SSO and SCIM provisioning.
Basically, whenever you do anything on the client, be it active things like selecting a skin in champ select to random stuff like showing up as online, the "website" will send a request to its own backend/server. You can view these endpoints with stuff like RiftExplorer. Using them is documented and allowed as long as it adheres to the general Riot Developer policies and the League Client development policies and this is also how stuff like Blitz was able to import runes and summoner spells etc. I am guessing it is not allowed to show the usernames in ranked lobbies though.
In the end this is a security oversight known as excessive data exposure (OWASP - API3:2019) of Riot and as long as they keep sending this info people will be able to see it.