Open deveyNull opened 9 years ago
@lay295 I will see if I can figure out the format and update the ID generation
Hi all, I have successfully written a working UserID generator. Hopefully I will be able to port it from Java to Python relatively soon.
@richraid21 mind posting the Java? I'm sure there are people here who could help port it. (myself included, possibly)
New version coming out soon to fix the API for the new update
I was able to post with a 200 response after updating the user agent, however posts made via randomly generated user ids seem to be shadowbanned. After posting, it is returned to me in the list of recent yaks, but no one else will be able to see them.
In general, it seems the POST request signing still works as long as the user id was generated via the client, but GET request signing for upvoting/downvoting appears to be broken. That is, even with a valid user id, I will get a 401 response when trying to upvote a yak.
I don't currently have the time or the right dev environment to properly reverse engineer this, but maybe someone in this thread is up to the challenge.
First get the APK from http://www.apk4fun.com/share/2240/ Plug it into this decompiler http://www.decompileandroid.com/
Request Signing
The basic signing algorithm seems to be unchanged (xv.java) but the HMAC key is probably different now. It seems to be generated at wV.java based on the SHA1 hash of the package signature followed by an MD5 hash and some custom bit shift operations (xx.java).
I noticed that the `post_sign_request` method in API.py isn't actually signing based on the sorted query params... This might be something to correct as well.
Registration
The registration should be relatively clear inside of SplashScreen.java. In addition to the original parameters, it seems like it now takes a "token" parameter which is just the userID (wtf?). The only "security" feature of the userID is that the 7th character is the same as the 6th character. You can verify that from @lay295's list of userIDs.
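Added example, not code from this thread or from the project: a generic sketch of why sorting (canonicalizing) query parameters matters for HMAC request signing, the point raised above about `post_sign_request`. The key, path, parameter names and message layout are assumptions for illustration and are not the app's actual values or algorithm.

```python
import hashlib
import hmac
from urllib.parse import urlencode

# Constructed demo key; NOT the app's key, which the thread does not give.
DEMO_KEY = b"constructed-demo-key"


def canonical_message(path, params, salt):
    """Build the string to sign: path, query sorted by key, then a salt."""
    query = urlencode(sorted(params.items()))
    return f"{path}?{query}{salt}".encode()


def sign(path, params, salt, key=DEMO_KEY, canonical=True):
    """Return a hex HMAC-SHA1 tag. canonical=False signs in insertion order,
    mimicking a client that forgets to sort its query parameters."""
    if canonical:
        msg = canonical_message(path, params, salt)
    else:
        msg = f"{path}?{urlencode(list(params.items()))}{salt}".encode()
    return hmac.new(key, msg, hashlib.sha1).hexdigest()


def server_verify(path, params, salt, tag, key=DEMO_KEY):
    """Server side: recompute over the canonical form, compare in constant time."""
    expected = sign(path, params, salt, key)
    return hmac.compare_digest(expected, tag)


# Constructed request: path and parameter names are placeholders (assumptions).
PATH = "/api/exampleEndpoint"
PARAMS = {"userID": "PLACEHOLDER", "lat": "0.0", "long": "0.0"}
SALT = "1436000000"

good_tag = sign(PATH, PARAMS, SALT)
unsorted_tag = sign(PATH, PARAMS, SALT, canonical=False)

if __name__ == "__main__":
    print("canonical accepted:", server_verify(PATH, PARAMS, SALT, good_tag))
    print("unsorted accepted: ", server_verify(PATH, PARAMS, SALT, unsorted_tag))
```

A verifier that canonicalizes before recomputing the tag rejects any client that signs parameters in arbitrary order, even when the key is correct.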
Hey guys. New here. Been following this issue thread. I have used a Charles proxy to capture the request(s) made when the app registers for the first time. It seems as though they are using Parse.com to do their push notifications as well as user management. Whenever the app registers a new ID, it first pushes it to Parse.com. It then sends a /registerUser request to the YikYak servers with the new userID.
I haven't been able to figure out the Parse API. It looks like YikYak is using an undocumented v2 API. It uses OAuth and whatnot. I just haven't had the time to dig into it further.
So it seems that YikYak's servers are communicating with Parse on their end when you send a /registerUser request. It just doesn't seem to error handle correctly. If we could register an ID with Parse, then I think that it would work.
There is some info on the Parse creds on a reddit I'm a part of.
If someone would not mind helping me with a PHP getMessages function that recently stopped working, I would not mind getting you the Parse info.
Here is the code I have that allows me to pull messages. It seems as though YikYak doesn't authenticate for getMessage. It works for now: http://pastebin.com/Bjzph6BQ
Also, I have never done anything on reddit. Would there be a way to get me on that subreddit?
@tutman96 thank you sir! And as promised, here is the info on the reddit I'm a member of; hope it helps! If you would like the info from any specific link, just let me know!
So I believe to successfully post to YikYak you need to use OAuth authentication (OAuth key possibly derived from Parse?) in the header or you need to register the ID with Parse. Not sure how the parameters for initializing parse are derived (takes some internal values and turns them into the appID and clientKey). Anyway, using Dalvik Debugger in IDA 6.6 (my school provides it :D!) I found the following so far:
YikYak_b a.k.a Parse ApplicationID "wMkdjBI4ircsNcRn8mXnBkgH0dwOcrkexrdMY3vY"
YikYak_c a.k.a Parse clientKey "GbNFwvFgoUu1wYuwIexNImy8bnSlNhqssG7gd53Y"
Once again, I'm not 100% sure how these are derived but I can see the functions in which they are coming from.
I will now see how YikYak registers users for their server and Parse (will keep you guys updated if I get anything good). http://postimg.org/image/lj4k45vt3/
BUT... I do have one big issue: we had a system that was making automated requests to getMessages every 10 mins or so. They blocked our IP, we rotated, blocked, rotated, and then they did something that caused even rotating the IP not to work anymore... Any idea what they could have done and how to route around it?
@tutman96 things are very slow on the subreddit; the admins are not very responsive, but I can see what I can do. What's your reddit name?
That subreddit looks like it is on the right track. My reddit username is tutman96. If you could add me, that would be great! I am behind a school's IP so I don't think they would block me as that would block the whole school.
About them blocking your IP, what method did you use to rotate it? If it was a "privacy proxy" then they simply could have just blocked the whole pool.
Just changed Elastic IPs on AWS. What's the solution to get out of this situation, a new instance? And what can we do to avoid it happening again? I tried your code locally and it works great/super legit, but on my server it just returns nada. I'll work on getting you in; it's kind of slow lately, but lots of good info in there from prior threads.
They are blocking all AWS IPs. You can look at various HTTPS proxies but the free ones are mostly unreliable and/or blocked. You can also check other cloud providers.
@fresh83 could you add me to this subreddit? My PHP implementation is broken now
Edit: Fixed my implementation; you need to add an MD5 uppercased hash of your user agent (not including the version string) to your GET parameters.
However, still need to generate new user IDs, trying with the pastebin code.
@ctrlaltdylan Email me privately Fresh83@live.com
@fresh83, mind if I email you as well?
Hello everyone, I am using parse.com for the first time. I am a .NET developer and want to use parse.com with my Web API project. I have downloaded this project from https://codeload.github.com/aldenquimby/parse-csharp/zip/master. I have created a parse.com account and I have an AppId and RestApiKey, but no idea how to completely set up this project. If you have any other sample project, please suggest example links and videos.
@fresh83 would you be able to get me into that subreddit? My username is p0wer0n. I have voting working for this project and want to learn more. Thanks.
For example, typing P goes through the entire process, finishes up and says "Yak Successful :)". Inputting Y demonstrates that Yakarma has gone up by 2. However, the post did not go through, nothing changed.
The same thing happens with voting and commenting, the app says the procedure was completed successfully, but nothing happened. The API hasn't been updated that recently, I was wondering if this is a problem for all users or if I am missing something.
Thank you