Geekid812 / TrackmaniaBingo

An Openplanet plugin to race against your friends to be the first team to complete a Bingo board!
https://openplanet.dev/plugin/trackmaniabingo

Http security breach #20

Closed MisterRooster closed 1 year ago

MisterRooster commented 1 year ago

You are probably already aware of this issue. But in case not, I am posting it here.

So I noticed in Spammie's stream that someone external manipulated a bingo session, because random maps were getting claimed with unrealistic times.

I noticed some HTTP requests like /claim or /team-update can be sent by everyone, because the login id and map uid can both be retrieved from trackmania.io. I tested it and it indeed is pretty easy to manipulate running sessions by sending HTTP POST requests to the server.

Maybe a quick fix to this problem would be to simply include the session code in every one of the HTTP request JSON objects and check against it on the server side? Of course this wouldn't fix the issue with missing encryption, but it will probably resolve the issue of random kids manipulating streamers' game sessions.
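One way the server-side check proposed in this comment could look, as an added example that is not the project's own bingoserver code; the in-memory session store, the /claim JSON field names and the "only a faster time replaces a claim" rule are assumptions:

```python
import json

# Constructed in-memory session store (assumption: the real server keeps this elsewhere).
# session code -> {"players": {login_id: team}, "claims": {map_uid: (login_id, time_ms)}}
SESSIONS = {
    "ABC123": {
        "players": {"login-alice": "red", "login-bob": "blue"},
        "claims": {},
    }
}


def handle_claim(body: str) -> tuple[int, str]:
    """Validate a /claim request and apply it only if it comes from a session member.

    Expected JSON: {"session_code", "login_id", "map_uid", "time_ms"} (assumed shape).
    Returns (HTTP status, message) instead of writing a response so it is easy to test.
    """
    try:
        req = json.loads(body)
    except json.JSONDecodeError:
        return 400, "malformed json"
    required = ("session_code", "login_id", "map_uid", "time_ms")
    if not all(k in req for k in required):
        return 400, "missing fields"

    # The session code is the one value an outsider cannot pull from trackmania.io:
    # a request that carries only a public login id and map uid is rejected here.
    session = SESSIONS.get(req["session_code"])
    if session is None:
        return 403, "unknown session"
    # The login must also actually be a member of that session, so a valid code
    # cannot be used to claim on behalf of an arbitrary player.
    if req["login_id"] not in session["players"]:
        return 403, "login not part of this session"
    if not isinstance(req["time_ms"], int) or req["time_ms"] <= 0:
        return 400, "invalid time"

    map_uid = req["map_uid"]
    prev = session["claims"].get(map_uid)
    if prev is not None and prev[1] <= req["time_ms"]:
        return 409, "existing claim is not beaten"
    session["claims"][map_uid] = (req["login_id"], req["time_ms"])
    return 200, "claim recorded"
```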

MisterRooster commented 1 year ago

I see, this seems to be connected to #7.

Geekid812 commented 1 year ago

Indeed, and a pull request on Geekid812/bingoserver#3 was just merged for this. That will be solved in a future update.

MisterRooster commented 1 year ago

Awesome 👍🏻