RoCate: A new way of finding quality games

https://discord.rocate.app/ is down btw, it does not put me on any page, just tells me that "This site can’t be reached", so I think you should, of course, fix that page and add a 404 message.

Edit: I see you have one, but not for sub domains:

Ok everyone, feeling better today so hopefully TrackMesh will be up by tomorrow! Thanks for your patience. :slight_smile:

2 Likes

Discord link issues have been fixed.

2 Likes

Does this site have a privacy policy on how you as a team, TrackTech, manage our data, or what exactly our emails are used for, etcetera?

1 Like

It’s actually there but there is a bug atm where it’s transparent. Working on a fix

1 Like

IMPORTANT
A bug has been found that causes only a few games of our library. We are working on a fix and will update you once we have found one.

1 Like

do not use this, i have found a vuln in their website: they pass your password to an api, if someone intercepts this they have your password. it’s called a man in the middle attack. website not even secure with encryption, website will get hacked and your password at some point, be careful! also found 2 ports open, 53/tcp - open and the rtmp port open. website is not secure at all, gold mine for hackers! fix this asap, the hacker can send large amounts of data to port 53 to crash the server. the owner blocked me on discord, i tried to report the bug so here i am reporting it on here

3 Likes

How will it get my pass? I did not even give them my pass, not even my username.

when you signup it sends a POST request with your password in the header, hackers can get access to this and steal your password. all passwords should be encrypted

Good thing I did not log-in lol

yep, attackers could also set up a bruteforce program (since it’s an open api with no encryption) that could guess your password, once it has it can then try and login to your other accounts, for example spotify

The website is secured with HTTPS, data will be encrypted before they leave the website and are transferred to the api. Furthermore, if this is seen as “insecure” I wonder how you would deal with websites like Discord, ROBLOX, Spotify, etc who basically do the same. We encrypt the data on the back-end to make sure that the data stays safe. If we were to do that on the client side, people can easily reverse-engineer that and eventually get the encryption key so that would only be a waste of time. Furthermore, the website is not run on the server you mentioned. We use an external service to provide 100% uptime and easy access with 1ms response time. The last comment stated this “People can create a bruteforce program to get someones account”, while this is very true you can really do that with every website that has password+email authentication. I get that you are concerned about your data privacy and we are actively looking for an alternative more “safe” authentication method. We are still in the BETA state and we are actively working on improving/changing the website.

We appreciate your efforts to report bugs but these are half-baked potato stories that are mostly made up of internet bs (comparable to the “how to secure your linux server” guides).

2 Likes

clients don’t send clear passwords to the server like that. your verification system is broken, players can choose what code they use to verify, i can authenticate as any user at any time using your API. if someone does a man in the middle attack they will receive ALL the email, password and usernames. it’s plain text sent via an OPEN REST api, easy to hack. maybe make your api all private or use a different authentication system, eg don’t store passwords just usernames, and ofc fix your verification system. spotify does have an authentication system using backend node or php to encrypt the password and info then send it to an external language that runs the REST api. maybe fix your whole system cuz it’s kinda broken. i think in a few months time i will see a pastebin with your website’s name in since u gonna get databreached at some point if you keep with the authentication

I don’t think you exactly know what you are saying. Go have a look at Discord’s authentication system and see how that works, they do the exact same thing. They send plain emails and passwords via JSON to the backend. I don’t really get what your problem is, we do the exact same thing yet you don’t seem to care about other applications but only ours specifically. Everything is secured and while the API is publicly accessible you can’t really do anything with it unless you have an AUTH TOKEN (this does not count for every route). Stop trying to sell people snake oil because the only thing you are trying to do in the end is trying to get as many people to leave our platform. Instead of crying about everything, it would have been useful if you could help us.

What you are saying is completely bs and it only “scares” away people with 0 knowledge whatsoever about the topic. The API is secure and so is the gateway between them, only if the server is compromised or the client, you can get access to the data, otherwise there is no way to.

i had a talk to many pentesters in the roblox community, they said this is not safe. also your SMTP server that deals with emails is very unsecured, i can get all the emails that pass through the server and not send them an email. there is NO need for you to store or NEED passwords, your verification system will work without it

i have also had a look at your verification system, i can verify with any account just changing the JSON header, it’s so easy to manipulate. the API should never be public like this allowing for anyone to setup bruteforce software, many websites will use Oauth or API keys to stop this, it works 99.9% of the time (unless someone stole an API key)

i could change the verify code. if someone gets hold of packet they could steal this password and info

I can confirm that regenerating security codes makes 0 network requests and that the client sends a client-side generated code via a POST request to https://api.rocate.app/oauth/signup

This theoretically means I’d be able to verify with any Roblox account. However, this seems to be too big of an oversight to occur so I’m left wondering if there are any additional measures I’m missing. If there are not any additional measures, this would be a massive security issue in RoCate.

Would love to see @OneTrackMinded’s response on this.


I do have to be honest with that, I already contacted my secondary developer and he knows about it. It is indeed a massive security issue and it’s something that I should have checked before releasing. We are working on a new auth system after getting criticised a lot about our basic email+password. This new system uses a 3rd party app that handles the authentication through a game check with no password. We hope that with this change people stop hating us for our basic password+email authentication.

1 Like
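
The posts above describe a verification code that is generated in the browser and sent with the signup POST. As an added example (not RoCate's code and not written by anyone in this thread), the sketch below shows the server-issued alternative: the server generates the code, binds it to one session and one claimed account, and never reads a code from the request body. `VerificationService`, `handle_signup`, `fetch_proof`, the `account_id` field and the 10-minute lifetime are assumptions made for illustration.

```python
import hmac
import secrets
import time

CODE_TTL_SECONDS = 600  # assumed lifetime of a pending code


class VerificationService:
    """Server-side store of pending ownership challenges (hypothetical design)."""

    def __init__(self, clock=time.time):
        self._pending = {}  # session_id -> (account_id, code, expires_at)
        self._clock = clock

    def issue(self, session_id, account_id):
        # The code comes from the server's CSPRNG and is bound to one session
        # and one claimed account. "Regenerate" means calling issue() again.
        code = secrets.token_urlsafe(16)
        expires_at = self._clock() + CODE_TTL_SECONDS
        self._pending[session_id] = (account_id, code, expires_at)
        return code

    def verify(self, session_id, account_id, observed):
        entry = self._pending.get(session_id)
        if entry is None:
            return False                    # never issued, or already used
        bound_account, code, expires_at = entry
        if self._clock() > expires_at:
            del self._pending[session_id]   # expired codes are discarded
            return False
        if account_id != bound_account or not isinstance(observed, str):
            return False
        if not hmac.compare_digest(code.encode(), observed.encode()):
            return False
        del self._pending[session_id]       # single use
        return True


def handle_signup(service, session_id, body, fetch_proof):
    """body is untrusted JSON from the client; a 'code' field in it is ignored.

    fetch_proof(account_id) stands in for the server's own lookup of what the
    account owner published (profile text, an in-game check, ...).
    """
    account_id = str(body.get("account_id", ""))
    return service.verify(session_id, account_id, fetch_proof(account_id))
```

Because the expected code lives only in server state, a value chosen by the client has no effect on the outcome, and a code issued for one account cannot be spent on another.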

Hey everyone! We are working on a complete rewrite, taking on board all your feedback and suggestions. More information soon!

1 Like

Wouldn’t it be better to make it an automatic algorithm that shows the appropriate games? Because having devs add in their games is gonna be a pretty slow process. Considering the fact there’s barely any games on RoCate…

As we’ve said 100 times before, we posted here to get more games. Again remember this is the reason we are in beta.