Jump to content

Adventure LAB API security hole


VelkyBobik

Recommended Posts

I was informed that it's possible to download LAB journals over Groundspeak API even without visiting and completing the LABs.

 

How do I know that? Yesterday I published my Adventure LABs and also a bonus cache. Most bonus caches have a quite weak formula consisting of 5 bonus numbers you get from journals so most of the time it possible to guess the final cords after visiting 3 stages or so. I wanted my LABs to be more secure against this so I added random string of 3 letters as journal to each of my LABs. After completing all labs, you put these strings together and have a long random letters string you put to certitude and there you get final coordinates. Considering there are over 15000 possible codes on every stage,  I thought I have pretty robust protection.

 

Then I saw first successful certitude answers before 3 LABs were completed by anyone. Then during the day, I saw successul certitude solvers from different parts of the country, all without completing the Adventure. I contacted one of them and he told me it's possible to get the journals content over API. 

 

My questions are:
1) why do you allow downloading journals content over API to players that did not complete the adventure? It makes no sense to me.

2) I suspect you are aware of this, so why do you not warn adventure lab creators not to put bonus numbers to journals

 

Hint for other possible AL owners that want to have more robust solution than I do: Do not put bonus number/string/whatever to journal displayed after LAB completion. Use it to ask the player to count something that is on the spot and not possible to guess from couch using fake GPS. I intentionally didn't want the players of my LAB to have to count stupid things like amount of holes in road drain, but at the moment it seems to be the only way to protect your bonus cache from being hacked.

Edited by VelkyBobik
  • Upvote 2
  • Helpful 1
Link to comment

The App receives journal before the stage is completed. Using sophisticated emulation tools there is no way to prevent revealing this information forehand. The worst the ALCO may do, is to repeat the correct answer in the journal. There is no reason to do this as it nullifies the encryption of the passcode.

 

Here is an example of safe Lab Bonus cache solution  https://www.geocaching.com/geocache/GC8Y888_kohtalo-fate-adventure-lab-bonus

Edited by arisoft
Link to comment

For an app that claims to be "online" with no intention to allow download of ALs for offline use, I wonder why journal can't be downloaded after checking whether player completed the LABs or not... But I'm not a software engineer. I just wish they stated in LAB builder something like "do not use this field for storing information to compute bonus cache final location" :-) 

 

  • Upvote 1
Link to comment
4 hours ago, VelkyBobik said:

For an app that claims to be "online" with no intention to allow download of ALs for offline use, I wonder why journal can't be downloaded after checking whether player completed the LABs or not... But I'm not a software engineer. I just wish they stated in LAB builder something like "do not use this field for storing information to compute bonus cache final location" :-) 

 

 

Bonus caches were not the original idea of ALC. It was just the way for the cache owners to make them real caches. Something that designers hadn't planned at all.

  • Helpful 2
Link to comment

Ya know, I'd guess with the existence of puzzle solution lists, there's probably at least a few people around the world likely compiling a list of solutions to ALs and Bonus final locations, just because they can. And someone who knows of the list can look up ones that are local and, well, cheaters will cheat. This 'black market', for lack of a better term, for geocaching stuff is just a big pain.

  • Upvote 1
  • Surprised 1
  • Helpful 1
Link to comment
On 10/21/2020 at 9:36 PM, VelkyBobik said:

My questions are:
1) why do you allow downloading journals content over API to players that did not complete the adventure? It makes no sense to me.

2) I suspect you are aware of this, so why do you not warn adventure lab creators not to put bonus numbers to journals

As arisoft mentioned above, this Help Center article states "If you would like to have a connection between your Adventure and Geocaching.com, you may place an optional Mystery Cache as a bonus cache for completing your Adventure." Bonus caches are not an official part of the Adventure Lab platform. Regarding the API information that is available: 

  • The API itself is indeed public because the apps need to access it from the public internet.
  • Many of the API methods are accessible for folks who are not logged in because the Adventure Lab app allows some functionality to users who have not created accounts.
  • HQ has no intention of allowing third parties to use the API. 

I hope this helps answer your questions. Cheers!

Link to comment
On 10/29/2020 at 1:56 PM, rragan said:

Unless you are local to an area, what is the gain for hacking the final location of the Bonus mystery cache since you can't go pick it up usually? People with too much time on their hands.


Believe it or not there are unscrupulous catchers out there who will log a cache they have not found and do not intend to. Yes, we are certain of this. There are many caches we have found that he claims but no signature on the log. We’ve also been contacted by COs in other states about this catchers. “If you didn’t sign the log, you didn’t find the cache.” We call people like that “drive by catchers”.

  • Surprised 1
Link to comment
On 12/30/2020 at 11:41 PM, bugsfan said:


Believe it or not there are unscrupulous catchers out there who will log a cache they have not found and do not intend to. Yes, we are certain of this. There are many caches we have found that he claims but no signature on the log. We’ve also been contacted by COs in other states about this catchers. “If you didn’t sign the log, you didn’t find the cache.” We call people like that “drive by catchers”.

 

They are also referred to as "arm chair cachers", a well known species around the globe.

Link to comment

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

Loading...
×
×
  • Create New...