I’m always happy to get bothered for valid reasons like this!
(to anyone looking at that typing repl to confirm the results, I have deleted the 249wpm fake runs but they did work)
Just to make sure I understand, the steps to repro this are:
- Run someone’s console program that uses Repl Identity
- While it’s running, hit CTRL-C to terminate the program
- Now that you’re at the terminal, you can run arbitrary code. In this case, you’re running a program that calls the API, authenticating using Repl Identity. That allows you to authenticate as the user in the identity but control the payloads being sent.
Is that correct?
yes, this is correct
@mattiselin Yes you just have to stop the repl and then run something like
subprocess.check_output([os.environ["REPLIT_CLI"], "identity", "create", "-audience=<their repl id>"]).decode('utf-8').strip()
and copy the token it outputs. For python at least, I haven’t tried with other languages but you can probably just run the identity command directly.
Once you have their identity token you can make requests to their API with the token and the API will believe it’s coming from a certain repl, letting you change whatever data the API will let you.
I’ve tested this, and while I can generate a token, I, for some reason, cannot use the token from another repl. Perhaps it’s because of anti-forwarding using CORS origin or something, I am not sure, but I remember noticing that they mentioned there are anti-forwarding measures.
Are you making sure to decode and strip the token? It lets me use it from another repl
mmm, I use the function I have, I don’t know for sure XD
I can confirm that from an alt account, I can run the code to generate an Identity token, then paste that token into my “hack” script and my API doesn’t know the difference.
I used this code to test
That should output the token correctly. I’m not sure why you can’t use that token in another repl.
oh ok, I did output it, just wrongly I guess
Yeah by default it will print out with a \n attached to it, you have to remove that for it to be valid
oh dang it lol XD, man I gotta watch out for that
Hey Invis, I ended up finding what was wrong: I submitted the wrong data (that is to say, I submitted it in the incorrect format
xx.xxaccuracy instead of
lmho (laughing my hat off, I don’t cuss) nice job for hacking bigminiboss
thanks, yeah… trying to get them to fix, don’t know if it’s still working. I can check
would appreciate a vote XD
oh, I forgot about that :D.
@CodingCactus @InvisibleOne @sonicx180 It works now!