SYS stock API flaw
Thread created on 13:11:14 - 30/03/22 (2 years ago) | Last replied 02:48:36 - 05/04/22 (2 years ago)

Target of suggestion: Prevent scripts from using the API to bypass the ability of Syscore MFG (SYS) stock benefit to make your bounties non-traceable.
The Syscore Benefit Block prevents your anonymous bounties being revealed by the Cyber Cafe 7* special "IP Tracing".
Issue: “bountiesplaced” and “totalbountyspent” (in personalstats) are public for anyone using the API. It’s possible to create a script to monitor these two stats on a large scale and match changes to timestamps on anonymously received bounties, allowing the user of such a script to narrow down the placer of an anonymous bounty down to the player behind the bounty. This mitigates the benefit of owning the SYS benefit block. There are several scripts in existence utilizing this flaw already.
Solution: Hide the value of “bountiesplaced” and “totalbountyspent” in the API if the player has the SYS benefit active.

Posted on 13:16:09 - 30/03/22 (2 years ago)
Not sure where the best place for this post would be, Suggestions, Bugs & issues or here..

Posted on 02:48:36 - 05/04/22 (2 years ago)
I get the reasoning behind this, but as long as the stats are available via the personal stats page, they should be available via API.
Similar scripts can be made for seeing who did a flight delay or an embargo, but like this hypothetical "figure out who did an anonymous bounty" script, there's no way for sure to know whether the person your script is telling you placed it is actually the person who did. At best it's an educated guess.
Also, wouldn't this necessitate hiding those stats on player profiles as well?