Improve Repl Identity

CodingCactus · January 18, 2023, 9:54pm

I’m always happy to get bothered for valid reasons like this!

CodingCactus · January 18, 2023, 10:15pm

(to anyone looking at that typing repl to confirm the results, I have deleted the 249wpm fake runs but they did work)

mattiselin · January 18, 2023, 11:44pm

Just to make sure I understand, the steps to repro this are:

Run someone’s console program that uses Repl Identity
While it’s running, hit CTRL-C to terminate the program
Now that you’re at the terminal, you can run arbitrary code. In this case, you’re running a program that calls the API, authenticating using Repl Identity. That allows you to authenticate as the user in the identity but control the payloads being sent.

Is that correct?

bigminiboss · January 18, 2023, 11:54pm

yes, this is correct

InvisibleOne · January 19, 2023, 4:11pm

@mattiselin Yes you just have to stop the repl and then run something like

subprocess.check_output([os.environ["REPLIT_CLI"], "identity", "create", "-audience=<their repl id>"]).decode('utf-8').strip()

and copy the token it outputs. For python at least, I haven’t tried with other languages but you can probably just run the identity command directly.

Once you have their identity token you can make requests to their API with the token and the API will believe it’s coming from a certain repl, letting you change whatever data the API will let you.

bigminiboss · January 19, 2023, 4:14pm

I’ve tested this, and while I can generate a token, I, for some reason, cannot use the token from another repl. Pherhaps it’s because of anti-forwarding using CORS origin or something, I am not sure, but I remember noticing that they mentioned there are anti-forwarding measures

InvisibleOne · January 19, 2023, 4:16pm

Are you making sure to decode and strip the token? It lets me use it from another repl

bigminiboss · January 19, 2023, 4:18pm

mmm, I use the function I have, I don’t know for sure XD

InvisibleOne · January 19, 2023, 4:18pm

My Example:

Client: https://replit.com/@InvisibleOne/Token-Hack-Example-Client#main.py
Server: https://replit.com/@InvisibleOne/Token-Hack-Example-Server#main.py
“Hack”: https://replit.com/@InvisibleOne/LiveUncomfortableProperty#main.py

I can confirm that from an alt account, I can run the code to generate an Identity token, then paste that token into my “hack” script and my API doesn’t know the difference.

bigminiboss · January 19, 2023, 4:19pm

bigminiboss:

def create_identity_token(audience: str, cmd: str = "replit") -> str:
     """Create an identity token addressed to the given audience."""
     token = subprocess.check_output([cmd, "identity", "create", f"-audience={audience}"])
     return token.decode("utf-8").strip()

I used this code to test

InvisibleOne · January 19, 2023, 4:20pm

That should output the token correctly. I’m not sure why you can’t use that token in another repl.

bigminiboss · January 19, 2023, 4:21pm

oh ok, I did output it , just wrongly I guess

InvisibleOne · January 19, 2023, 4:22pm

Yeah by default it will print out with a \n attached to it, you have to remove that for it to be valid

bigminiboss · January 19, 2023, 4:22pm

oh dang it lol XD, man I gotta watch out for that

bigminiboss · January 19, 2023, 10:05pm

Hey Invis, I ended up finding what was wrong: I submitted the wrong data (that is to say, I submitted it in the incorrect format xx.xxaccuracy instead of 0.xxxx accuracy)

sonicx180 · January 21, 2023, 10:17pm

lmho (laughing my hat off idont cuss) nice job for hacking bigminiboss

bigminiboss · January 21, 2023, 10:30pm

thanks, yeah… trying tog et them to fix, don’t know if it’s still working. I can check

bigminiboss · January 21, 2023, 10:34pm

would appreciate a vote XD

sonicx180 · January 21, 2023, 10:34pm

oh, I forgot about that :D.

bigminiboss · January 22, 2023, 12:19am

@CodingCactus @InvisibleOne @sonicx180 It works now!