RiotGames / developer-relations

Riot Games Developer Ecosystem Bug Reporting
http://developer.riotgames.com

[BUG] Custom Game info [metadata, replays, etc.] is available through the internal API, bypassing RSO. #959

Closed shalzuth closed 1 month ago

shalzuth commented 1 month ago

Bug Description
Using the internal API, the server action to get game info doesn't do any IAM role checks on retrieving custom game info.

Problem Description
With the new shift towards custom game privacy with RSO, this exploit lets you bypass any access restrictions.

Expected Result
401 unauthorized

Actual Result
Game data, including metadata, replays, etc., is returned.

Developer Impact
No developer impact.

Player Impact
People, such as pro players, may want to keep their custom games private.

Repro Steps
Not providing publicly. Can provide privately if needed.

Issue Comments
I submitted this through the security channel, with multiple bumps, but it is ignored.

Token07 commented 1 month ago

This sounds a lot like using LCU for custom data, which is allowed.

This also isn't the place to report (alleged) security issues. As stated in the README on this repo (emphasis mine):

Verify that the issue you are about to report relates to the Riot Games Developer Ecosystem and is not a game bug (for game bugs please go here).

shalzuth commented 1 month ago

This sounds a lot like using LCU for custom data, which is allowed.

This also isn't the place to report (alleged) security issues. As stated in the README on this repo (emphasis mine):

Verify that the issue you are about to report relates to the Riot Games Developer Ecosystem and is not a game bug (for game bugs please go here).

It relates to the Riot Games Developer Ecosystem because it is a bypass to the new restriction on retrieving custom game info - https://x.com/RiotGamesDevRel/status/1813983125376016853

It is not a security issue according to the security representative.

If looking up custom game data arbitrarily with LCU is allowed, why even have RSO?

Custom games are either private or they are not private. Both things cannot be true.

Policy needs to be backed by simple technical requirements of access controls.

Cypherous commented 1 month ago

That restriction only applies to the web API. LCU has always had access to custom game data, and that has always been the only way to get it.

The access controls are actually the same: you opt in to running an application on your PC which gets custom game access, or you sign in via RSO which grants the app custom game access. In both instances the user has opted in to that data being available.

shalzuth commented 1 month ago

That restriction only applies to the web API. LCU has always had access to custom game data, and that has always been the only way to get it.

The access controls are actually the same: you opt in to running an application on your PC which gets custom game access, or you sign in via RSO which grants the app custom game access. In both instances the user has opted in to that data being available.

The conflict is that I can generically get any custom game data, even if a player doesn't opt in. For instance, I could show you all the Faker practice custom games, even if Faker doesn't opt in.

Cypherous commented 1 month ago

Yes, because you're allowing an app to run on your PC which has direct access to the League client, it has access to anything the client does, and this has always been the case. I don't imagine this is going to change; this has always been the only way to get custom game information without the use of a tournament code.

The policy you linked only applies to the web API. LCU has always had this access, and if you want to turn your PC into a farming machine to try and gather all custom games ever played, then be my guest; it's not really worth it.

Ivy68 commented 1 month ago

That restriction only applies to the web API. LCU has always had access to custom game data, and that has always been the only way to get it.

The access controls are actually the same: you opt in to running an application on your PC which gets custom game access, or you sign in via RSO which grants the app custom game access. In both instances the user has opted in to that data being available.

The conflict is that I can generically get any custom game data, even if a player doesn't opt in. For instance, I could show you all the Faker practice custom games, even if Faker doesn't opt in.

Can you download ARAM replay files (.rofl) via the LCU API?

tisbells commented 1 month ago

Hi there! We're aware of this and if we need to make changes in the future, we will let the community know.