Hello,
Recently I have learned that PlayerIO sends passwords over the internet in plaintext, which makes sense because of the UsingSecureAPIRequests option: https://gamesnet.yahoo.com/documentatio … t.playerio
The method signature for calculating an authentication token looks straightforward except for the last parameter, which specifies that "The shared secret to use when generating the hash. This must be the same value as the one given to a connection in the admin panel."
What is this value? Has anyone tried to do this?
Last edited by Tako (Jul 31 2014 12:44:35 pm)
Offline
Basically, if you have that key, you can log into anyone's acc without a password. So good luck with that.
Edit: try setting that value then using quickconnect. PlayerIO uses the same channel for all RPC requests so it should work.
Last edited by Processor (Jul 29 2014 6:44:57 pm)
I have never thought of programming for reputation and honor. What I have in my heart must come out. That is the reason why I code.
Offline
If I get that key I can log into anyone's acc without a password. I THINK
Offline
If I get that key I can log into anyone's acc without a password. I THINK
Yes you can login as anyone IF you have the key.
If anyone finds the key, please keep it to yourself. And tell it to the devs.
Offline
If anyone finds the key, please keep it to yourself. And tell it to the devs.
Yeah, the last key was 28 chars long, and after it was changed it was prob changed to around that.
tikenalpha wrote: If anyone finds the key, please keep it to yourself. And tell it to the devs.
Yeah, the last key was 28 chars long, and after it was changed it was prob changed to around that.
Well that's a lot of bites. (I hope there isn't a lot of Frenchies in here...)
28 chars is already quite long, no? Something around 224 bits. How would you find it? Brute force on a 28 chars key?
Offline
Is the key the same as the 'ClientAPI' or is that another thing?
Offline
Meredith wrote: tikenalpha wrote: If anyone finds the key, please keep it to yourself. And tell it to the devs.
Yeah, the last key was 28 chars long, and after it was changed it was prob changed to around that.
Well that's a lot of bites. (I hope there isn't a lot of Frenchies in here...)
28 chars is already quite long, no? Something around 224 bits. How would you find it? Brute force on a 28 chars key?
You can't brute force it; after around 10 tries PlayerIO simply just doesn't let you connect.
@Abrar the key is not used anywhere publicly.
You can't brute force it; after around 10 tries PlayerIO simply just doesn't let you connect.
Even without that... Say you can send a request every 10ms. You have 224 bits. No, let's say, we narrow the problem to only 112 that can possibly change > 2^112 = 5.2e33.
We have a maximum of 5.2e31 sec > 1.65e26 years. Guud luck \o/
So except if the devs use a key like "rootrootrootrootrootrootroot" one might have a really hard time to brute force it. Well, not if you have the hashes: you won't have the key, but might find the passwords.
Offline
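The point the thread keeps returning to, as an added example that is not part of any post and is not PlayerIO's own code: a server-side check of a token keyed only by a shared secret, with a cut-off after repeated failures like the one described above. The token layout, the 300-second freshness window and the names `make_token` and `TokenGate` are assumptions made for illustration.

```python
import hashlib
import hmac
from collections import Counter

MAX_AGE_SECONDS = 300   # assumed freshness window
MAX_FAILURES = 10       # the thread reports a cut-off after around 10 tries


def make_token(user_id: str, secret: bytes, now: int) -> str:
    """Assumed layout: '<unix time>:<hex HMAC-SHA256 of "<unix time>:<user id>">'."""
    mac = hmac.new(secret, f"{now}:{user_id}".encode(), hashlib.sha256)
    return f"{now}:{mac.hexdigest()}"


class TokenGate:
    """Server-side check: valid MAC, fresh timestamp, bounded failures per client."""

    def __init__(self, secret: bytes):
        self._secret = secret
        self._failures = Counter()

    def login(self, client: str, user_id: str, token: str, now: int) -> bool:
        if self._failures[client] >= MAX_FAILURES:
            return False  # locked out, even if the token is now correct
        if self._valid(user_id, token, now):
            return True
        self._failures[client] += 1
        return False

    def _valid(self, user_id: str, token: str, now: int) -> bool:
        ts_text, sep, mac_hex = token.partition(":")
        if not sep or not (ts_text.isascii() and ts_text.isdigit()):
            return False
        if abs(now - int(ts_text)) > MAX_AGE_SECONDS:
            return False
        expected = make_token(user_id, self._secret, int(ts_text)).partition(":")[2]
        # Constant-time comparison so the MAC cannot be guessed byte by byte.
        return hmac.compare_digest(expected.encode(), mac_hex.encode())


if __name__ == "__main__":
    secret = b"constructed-example-secret-0001"  # constructed sample value
    gate = TokenGate(secret)
    now = 1_700_000_000
    # No password is involved: the secret alone vouches for any user id,
    # which is why it has to stay on the backend and out of the client.
    print(gate.login("10.0.0.5", "alice", make_token("alice", secret, now), now))
    print(gate.login("10.0.0.5", "bob", make_token("alice", secret, now), now))
```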