cowinapi / developer.cowin

This group is created to facilitate technical and integration discussions related to the CoWIN platform. API related content can be obtained at the API Setu portal https://apisetu.gov.in/public/marketplace/api/cowin

How are 1200 slots disappearing in microseconds #344

Open nikhiltalreja opened 3 years ago

nikhiltalreja commented 3 years ago

3-4 digit slot counts disappearing within microseconds of listing.

This is the scenario observed many times:

  1. Slot gets listed, at 0 seconds
  2. Telegram service notifies everyone, +1 second
  3. User waits for OTP, +2/3 seconds
  4. Slots are already over
  5. User cannot find the slot

This is absolutely not normal behaviour; technology absolutely Not To the rescue.

The API used by the Telegram service is certainly not the public API; they are somehow using the protected one.

Even then this is not helpful.

Who is consuming these slots so fast?

Is the Hospital / Center uploading a bulk sheet with beneficiary IDs? I have heard this option is given to some corporates for internal mapping of employees.

nikhilms1995 commented 3 years ago

Which telegram service have you registered for?

nikhiltalreja commented 3 years ago

Honestly, not sure, it’s some service. There were so many. So this one doesn’t have a brand.

On Tue, 25 May 2021 at 5:22 PM, Nikhil M S @.***> wrote:

Which telegram service have you registered for?

prateekgo commented 3 years ago

https://campsite.bio/vaccine.alerts https://under45.in/

nikhiltalreja commented 3 years ago

There are so many districts. Is this made by you?

-Nikhil

On 25-May-2021, at 8:16 PM, Prateek Goel @.***> wrote:

 https://campsite.bio/vaccine.alerts

prateekgo commented 3 years ago

no. just subscribing to it.

siddhesh1770 commented 3 years ago

Currently all the Telegram, Twitter and WhatsApp bots are made using the Public API only.

Ajax-Light commented 3 years ago

Just about to comment on this.. This is outrageous!! They have a "Public API" which needs a User-Agent hack to even allow automated scripting. On top of somehow making things work and getting an alert, the slots are booked within like a second. How is this possible if not by an automated script? Either someone has access to the restricted "API" or this is a scam and people are booking these slots far in advance within the Hospital / Government.. And now they're trying to ban Netflix and Twitter... God Help Us.

shyamal890 commented 3 years ago

I frankly believe there is something wrong with the APIs or the vaccine centers are doing some mischief. We too are noticing this at www.smarttask.io/vaccine

dheerajjoshim commented 3 years ago

Yes. This entire online booking scheme looks like a scam. This is just like IRCTC booking fiasco.

Within a second all 100 slots get filled. And especially only the 18-44 slots get filled. Maybe someone/hospitals have access to internal APIs?

siddhesh1770 commented 3 years ago

No private entities have access to the Private API. Slots are getting booked in seconds because many people are using bots to book them; some are using a Chrome extension called CoWin Bot while some are creating their own using Python.

Bhartendu-Kumar commented 3 years ago

I think it is because of the fact that the cowin home page showing the slots (the one without login) and the public APIs are cached for up to 30 minutes (see #40), and so 2 things might happen:

  1. Humans actually logged in to the cowin portal have a 30 minute benefit; they can spread the word if a slot is found empty and all can get booked.
  2. Bots capable of contacting private APIs (which there are, like this Twitter one) might have a 30 minute advantage, and that's it.

Personally I am seeing the bots connecting to private APIs as the culprit here.

safiyat commented 3 years ago

@Bhartendu-Kumar I have a bot running which queries the private APIs (refer https://github.com/cowinapi/developer.cowin/issues/365).

I am observing the same behavior (of slots getting consumed in seconds) using private APIs as well.

My guesses are:

  1. Some (or most) of the slots being shown are pre-booked, by private entities like hospitals and companies providing vaccines to their employees et al.
  2. People indeed have been able to get around whatever flimsy hoops there are in the app and are able to book in an automated fashion.

Bhartendu-Kumar commented 3 years ago

@safiyat

Can you please share how you are getting the tokens that change with every API call, and how you are encoding and hashing? Thank you for the help.

And yes, I was suspecting the same issues with the private APIs too, because:

  1. I visited a vaccination center in my area and there they were providing vaccination to people not having a booked slot (though no partiality here, you need to walk in and get a slot at the center). Yet at the same time, when the vaccination authorities said they would book 100 people on the spot, the cowin portal was showing "BOOKED" status for the center.

  2. And yes, for sure, there have been ways people are automating the complete pipeline from OTP to captcha.

But how? For automated OTP sending to a script you need IFTTT or Twilio installed. So does every customer install those? If not, then the session will expire in 15 min. Or are they able to get away with session expiry?

safiyat commented 3 years ago

@Bhartendu-Kumar I have gotten it to work over weeks of hit and trial and other guesses.

The tokens don't change with every API call. The tokens are valid for 15 minutes. So, I request a new one using OTP every 12-14 minutes.

I am using Python, so I use the following to encode and hash the received OTP in order to receive the bearer token.

import hashlib

# otp is a string.
hashlib.sha256(otp.encode()).hexdigest()

I guess everyone is automating their OTPs like that. There are some bots (and browser extensions) that some of my non-techie friends have used, but I have not looked at them yet.

I do not think one can get away without session expiry, unless they have API keys. And no one has API keys.

karsumit94 commented 3 years ago

https://github.com/cowinapi/developer.cowin/issues/355 I think this CAPTCHA vulnerability is the main reason why the slots are getting booked so fast.

dileepps commented 3 years ago

  1. Bots (programs and browser extensions)
  2. There is special access for hospitals and vaccination centers.
  3. Something which I don't know 😊