Terbau / fortnitepy

Async python library for interacting with Fortnite's API and XMPP services.
MIT License

Fixed XMPP message "vulnerability" #152

Closed ThisNils closed 3 years ago

ThisNils commented 3 years ago

Fortnitepy doesn't check if an XMPP message was actually sent by epic.

That way you can send the bot a MEMBER_KICKED xmpp message and make it think that it got kicked from its party which makes it leave its party. So basically, you can kick the bot from its own party. Example

But there's also much more you can do, such as messing up the bot's friend cache by sending FRIENDSHIP_REMOVE, Friend, etc. XMPP messages, spamming fortnitepy errors, messing up the bot's party, and probably many other things.

Oh and btw, this does not break friend messages or presences.
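
The sender check described in this PR, as an added example that is not fortnitepy's own code: a minimal XMPP `<message>` stanza parser whose unchecked dispatcher applies any MEMBER_KICKED or FRIENDSHIP_REMOVE payload, beside a hardened dispatcher that drops those events unless the stanza's `from` JID matches the trusted service JID. The JID `notifications@service.example` and the JSON body layout are placeholders assumed for the example, and the stanzas are constructed.

```python
import json
import xml.etree.ElementTree as ET

# Placeholder for the service JID that is allowed to send party/friend events.
TRUSTED_SENDER = "notifications@service.example"
# Event types the PR names as spoofable when the sender is not verified.
SENSITIVE_EVENTS = {"MEMBER_KICKED", "FRIENDSHIP_REMOVE"}

# Constructed stanzas: one from an arbitrary user, one from the trusted JID.
SPOOFED = ('<message xmlns="jabber:client" from="someone@service.example/pc" '
           'to="bot@service.example"><body>'
           '{"type":"MEMBER_KICKED","account_id":"bot1"}</body></message>')
GENUINE = SPOOFED.replace("someone@service.example/pc",
                          "notifications@service.example/xyz")


def bare_jid(jid):
    """Strip the resource: user@host/resource -> user@host (case-insensitive)."""
    return jid.split("/", 1)[0].lower()


def parse_stanza(xml_text):
    """Return (sender JID, payload dict) from a <message> stanza with a JSON body."""
    root = ET.fromstring(xml_text)
    body = root.find("{jabber:client}body")
    if body is None or not body.text:
        raise ValueError("stanza has no body")
    return root.get("from", ""), json.loads(body.text)


def apply_event(payload, state):
    """Mutate the bot's cached state the way the event claims it should."""
    kind = payload.get("type")
    if kind == "MEMBER_KICKED" and payload.get("account_id") == state["me"]:
        state["party"] = None          # bot believes it was kicked and leaves
        return "left_party"
    if kind == "FRIENDSHIP_REMOVE":
        state["friends"].discard(payload.get("from_account"))
        return "friend_removed"
    return "ignored"


def dispatch_unchecked(xml_text, state):
    """Behaviour the PR fixes: the sender is never inspected."""
    _, payload = parse_stanza(xml_text)
    return apply_event(payload, state)


def dispatch_checked(xml_text, state):
    """Hardened: sensitive events are applied only from the trusted bare JID."""
    sender, payload = parse_stanza(xml_text)
    if payload.get("type") in SENSITIVE_EVENTS and bare_jid(sender) != TRUSTED_SENDER:
        return "dropped"
    return apply_event(payload, state)
```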

xMistt commented 3 years ago

+vouch TERBAU ADD THIS

Terbau commented 3 years ago

Thanks for the PR. It will be pushed in a hotpatch very soon :)