HypixelDev / PublicAPI

Official Java implementation of the Hypixel Public API.
https://api.hypixel.net
MIT License

Community upgrade monetization data inadvertently exposed in API? #674

Open lunaynx opened 4 days ago

lunaynx commented 4 days ago

I've been told that Hypixel generally prefers to refrain from exposing any monetization data in their Public API, such as things related to SkyBlock Gems, Fame Rank, etc.

I couldn't help but notice that the /v2/skyblock/profile endpoint exposes information about whether a player has fast-tracked a Community Shop profile upgrade, which is only possible by spending SkyBlock Gems (redactions mine, the API provides unredacted data):

[...]
  "profile": {
    "profile_id": "[redacted]",
    "community_upgrades": {
      "upgrade_states": [
        {
          "upgrade": "minion_slots",
          "tier": 1,
          "started_ms": [redacted],
          "started_by": "[redacted]",
          "claimed_ms": [redacted],
          "claimed_by": "[redacted]",
          "fasttracked": true
        },
[...]

In particular, the fasttracked key, but claimed_ms can also be used to deduce this information.
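One way a server could avoid this kind of exposure is to serialize `upgrade_states` entries through a field allowlist instead of removing `fasttracked` alone, since the report notes that `claimed_ms` allows the same deduction. This is an added example, not part of the original issue and not Hypixel's code; the function name, the allowlist contents and the sample values are assumptions made for illustration.

```python
import copy
import json

# Assumption: fields of an upgrade_states entry treated as safe to publish.
# "fasttracked" and "claimed_ms" are absent because the issue names both as
# revealing a fast-track purchase; the rest of the list is illustrative.
PUBLIC_UPGRADE_FIELDS = frozenset(
    {"upgrade", "tier", "started_ms", "started_by", "claimed_by"}
)


def redact_upgrade_states(profile, allowed=PUBLIC_UPGRADE_FIELDS):
    """Return (public_copy, dropped); dropped lists the removed field paths.

    An allowlist also drops any field added later, so a new
    monetization-related key is not published by default.
    """
    public = copy.deepcopy(profile)  # never mutate the internal record
    dropped = []
    upgrades = public.get("community_upgrades")
    states = upgrades.get("upgrade_states") if isinstance(upgrades, dict) else None
    if not isinstance(states, list):
        return public, dropped
    for i, state in enumerate(states):
        if not isinstance(state, dict):
            continue
        for key in sorted(set(state) - set(allowed)):
            del state[key]
            dropped.append(f"community_upgrades.upgrade_states[{i}].{key}")
    return public, dropped


# Constructed sample shaped like the excerpt in the issue (values are made up).
SAMPLE_PROFILE = {
    "profile_id": "00000000000000000000000000000000",
    "community_upgrades": {"upgrade_states": [{
        "upgrade": "minion_slots", "tier": 1,
        "started_ms": 1700000000000,
        "started_by": "11111111111111111111111111111111",
        "claimed_ms": 1700000060000,
        "claimed_by": "11111111111111111111111111111111",
        "fasttracked": True,
    }]},
}

if __name__ == "__main__":
    public, dropped = redact_upgrade_states(SAMPLE_PROFILE)
    print(json.dumps(public, indent=2))
    print("dropped:", dropped)
```

The returned `dropped` list can be logged so that an unexpected new field shows up in review before it is ever added to the allowlist.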

DuckySoLucky commented 4 days ago

this is why we can't have nice things.