You are probably already aware of this issue.
But in case not, I post it here.
So I noticed in Spammie's stream that someone external manipulated a bingo session, because
random maps were getting claimed with unrealistic times.
I noticed some HTTP requests like /claim or /team-update can be sent by everyone, because the login id and map uid
can both be retrieved from trackmania.io.
I tested it and it indeed is pretty easy to manipulate running sessions by sending HTTP POST requests to the server.
Maybe a quick fix to this problem would be to simply include the session code in every one of the HTTP request JSON objects and check against it on the server side?
Of course this wouldn't fix the issue with missing encryption but will probably resolve the issue of random
kids manipulating streamer's game sessions.
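
The server-side session-code check suggested in the report above, sketched as an added example that is not part of the original post or the project's code. The JSON field names (`code`, `login`, `map_uid`, `time`), the in-memory session table and the handler name are assumptions made for illustration.

```python
import hmac
import json

# Constructed sample state; the real server's storage is not shown on the page.
SESSIONS = {
    "room-1": {
        "code": "K7Q2ZP",                # session code players use to join
        "players": {"player_login_a"},   # logins that joined this session
        "maps": {"map_uid_1"},           # map UIDs on this bingo board
        "claims": {},
    },
}


def find_session(code):
    """Return the session whose code matches, compared in constant time."""
    if not isinstance(code, str):
        return None
    for session in SESSIONS.values():
        if hmac.compare_digest(session["code"].encode(), code.encode()):
            return session
    return None


def handle_claim(body: bytes):
    """Validate a /claim request body; return (http_status, message)."""
    try:
        req = json.loads(body)
    except ValueError:
        return 400, "invalid JSON"
    if not isinstance(req, dict):
        return 400, "invalid JSON"
    # Reject before touching any state: a login and map UID alone are public.
    session = find_session(req.get("code"))
    if session is None:
        return 403, "unknown or missing session code"
    login, map_uid, time_ms = req.get("login"), req.get("map_uid"), req.get("time")
    if not isinstance(login, str) or login not in session["players"]:
        return 403, "login is not part of this session"
    if not isinstance(map_uid, str) or map_uid not in session["maps"]:
        return 400, "map is not on this board"
    if type(time_ms) is not int or time_ms <= 0:
        return 400, "invalid time"
    session["claims"][map_uid] = (login, time_ms)
    return 200, "claimed"
```

The code is shared by everyone in the room and, as the report notes, the traffic is unencrypted, so this check only keeps out senders who do not know the code.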