champion-mastery-v4 incorrectly encrypts lastPlayTime when it matches numeric summoner id

MingweiSamuel commented 5 years ago

Summoner: B0Y NEXT D00R Region: LA2 Summoner ID: 40930

Request: https://la2.api.riotgames.com/lol/champion-mastery/v4/champion-masteries/by-summoner/d4lQv3Uv50MwiqXfK0SNJn7nOwLbDyumGliYNqEsMDY (app 212114, but works on any key)

Invalid response (not even valid JSON):

{
    "championId": 42,
    "championLevel": 5,
    "championPoints": 22695,
    "lastPlayTime": 153085d4lQv3Uv50MwiqXfK0SNJn7nOwLbDyumGliYNqEsMDY00,
    "championPointsSinceLastLevel": 1095,
    "championPointsUntilNextLevel": 0,
    "chestGranted": false,
    "tokensEarned": 0,
    "summonerId": "d4lQv3Uv50MwiqXfK0SNJn7nOwLbDyumGliYNqEsMDY"
}

Assuming the lastPlayTime should be 1530854093000 (Thu Jul 05 2018 22:14:53 GMT-0700 (Pacific Daylight Time))

stelar7 commented 5 years ago

related to #33 maybe?

MingweiSamuel commented 5 years ago

Another example:

Summoner: Stephen Hawking Region: OC1 Summoner ID: 328800

{
    "championId": 201,
    "championLevel": 7,
    "championPoints": 111760,
    "lastPlayTime": 15_yJ_0JSYk3zel6MY7yOYk_OrfQrUZx5RK1aKlnKIwV0x17000,
    "championPointsSinceLastLevel": 90160,
    "championPointsUntilNextLevel": 0,
    "chestGranted": true,
    "tokensEarned": 0,
    "summonerId": "_yJ_0JSYk3zel6MY7yOYk_OrfQrUZx5RK1aKlnKIwV0x"
}

1532880017000 = Sun Jul 29 2018 09:00:17 GMT-0700 (Pacific Daylight Time)

For context, this collision occurred in 2 out of ~40,000 summoners

adobito commented 5 years ago

This is our last resort security feature, which has had a few interesting side effects reported already. I have disabled it on every endpoint for now.

RiotGames / developer-relations

champion-mastery-v4 incorrectly encrypts lastPlayTime when it matches numeric summoner id #43