How will it get my pass? I did not even give them my pass, not even my username.
When you sign up, it sends a POST request with your password in the header. Hackers can get access to this and steal your password; all passwords should be encrypted.
Good thing I did not log in lol
Yep, attackers could also set up a brute-force program (since it's an open API with no encryption) that could guess your password; once it has it, it can then try and log in to your other accounts, for example Spotify.
The website is secured with HTTPS; data will be encrypted before it leaves the website and is transferred to the API. Furthermore, if this is seen as “insecure” I wonder how you would deal with websites like Discord, ROBLOX, Spotify, etc. who basically do the same. We encrypt the data on the back-end to make sure that the data stays safe. If we were to do that on the client side, people could easily reverse-engineer that and eventually get the encryption key, so that would only be a waste of time. Furthermore, the website is not run on the server you mentioned. We use an external service to provide 100% uptime and easy access with 1ms response time. The last comment stated “People can create a bruteforce program to get someone's account”; while this is very true, you can really do that with every website that has password+email authentication. I get that you are concerned about your data privacy and we are actively looking for an alternative, more “safe” authentication method. We are still in the BETA state and we are actively working on improving/changing the website.
We appreciate your efforts to report bugs, but these are half-baked potato stories that are mostly made up of internet bs (comparable to the “how to secure your linux server” guides).
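The posts above argue over “encrypting passwords on the back-end” versus HTTPS. The two protect different things: TLS protects the password in transit, while what the server stores should be a salted one-way hash, not a reversible encryption the server holds the key for. The following is an added example written for this thread (not RoCate's code and not any of the sites named above); the `UserStore` class and its method names are hypothetical stand-ins for a real database and login route.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# scrypt parameters for the password hash (cost n, block size r, parallelism p).
# n=2**14, r=8 needs 16 MiB of memory per hash, within hashlib's default limit.
SCRYPT_PARAMS = dict(n=2 ** 14, r=8, p=1, dklen=32)


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). A fresh random salt is drawn when none is given,
    so two users with the same password still get different digests."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt, **SCRYPT_PARAMS)
    return salt, digest


def verify_password(password: str, salt: bytes, expected: bytes) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, expected)


class UserStore:
    """Hypothetical in-memory user table standing in for a real database.
    It never keeps the password itself, only (salt, digest)."""

    def __init__(self) -> None:
        self._users = {}

    def register(self, email: str, password: str) -> None:
        if email in self._users:
            raise ValueError("account already exists")
        self._users[email] = hash_password(password)

    def login(self, email: str, password: str) -> bool:
        record = self._users.get(email)
        if record is None:
            # Run the KDF anyway so response time does not reveal
            # whether the email is registered.
            hash_password(password, b"\x00" * 16)
            return False
        salt, digest = record
        return verify_password(password, salt, digest)

    def stored_record(self, email: str) -> Tuple[bytes, bytes]:
        """What a database dump would expose for this user."""
        return self._users[email]


if __name__ == "__main__":
    store = UserStore()
    store.register("player@example.com", "correct horse battery staple")  # constructed sample
    print("good password:", store.login("player@example.com", "correct horse battery staple"))
    print("bad password: ", store.login("player@example.com", "hunter2"))
    salt, digest = store.stored_record("player@example.com")
    print("stored:", salt.hex(), digest.hex())
```

With this layout a leaked table gives an attacker only salts and scrypt digests, so there is no key to reverse-engineer on either side, which is the real answer to the “client-side encryption is pointless” point: the server should not need to decrypt anything.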
Clients don’t send clear passwords to the server like that. Your verification system is broken: players can choose what code they use to verify, so I can authenticate as any user at any time using your API. If someone does a man-in-the-middle attack they will receive ALL the emails, passwords and usernames. It's plain text sent via an OPEN REST API, easy to hack. Maybe make your API all private or use a different authentication system, e.g. don't store passwords, just usernames, and of course fix your verification system. Spotify does have an authentication system using backend Node or PHP to encrypt the password and info, then send it to an external language that runs the REST API. Maybe fix your whole system because it's kinda broken. I think in a few months' time I will see a pastebin with your website's name in it, since you're gonna get data-breached at some point if you keep this authentication.
I don’t think you exactly know what you are saying. Go have a look at Discord’s authentication system and see how that works; they do the exact same thing. They send plain emails and passwords via JSON to the backend. I don’t really get what your problem is; we do the exact same thing, yet you don’t seem to care about other applications but only ours specifically. Everything is secured and, while the API is publicly accessible, you can’t really do anything with it unless you have an AUTH TOKEN (this does not count for every route). Stop trying to sell people snake oil, because the only thing you are trying to do in the end is get as many people as possible to leave our platform. Instead of crying about everything, it would have been useful if you could help us.
What you are saying is completely bs and it only “scares” away people with 0 knowledge whatsoever about the topic. The API is secure and so is the gateway between them. Only if the server or the client is compromised can you get access to the data; otherwise there is no way to.
I had a talk with many pentesters in the Roblox community; they said this is not safe. Also, your SMTP server that deals with emails is very unsecured: I can get all the emails that pass through the server and not send them an email. There is NO need for you to store or NEED passwords; your verification system will work without it.
I have also had a look at your verification system. I can verify with any account by just changing the JSON header; it's so easy to manipulate. The API should never be public like this, allowing anyone to set up brute-force software. Many websites will use OAuth or API keys to stop this; it works 99.9% of the time (unless someone stole an API key).
I could change the verify code. If someone gets hold of a packet they could steal this password and info.
I can confirm that regenerating security codes makes 0 network requests and that the client sends a client-side generated code via a POST request to https://api.rocate.app/oauth/signup
This theoretically means I’d be able to verify with any Roblox account. However, this seems to be too big of an oversight to occur so I’m left wondering if there are any additional measures I’m missing. If there are not any additional measures, this would be a massive security issue in RoCate.
Would love to see @OneTrackMinded’s response on this.
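The post above describes the defect precisely: the verification code is generated on the client and merely reported back to the server, so the server is trusting the client's claim. The fix is for the server to mint the code, remember which local account and which Roblox account it was issued for, and confirm it by reading the Roblox profile itself, ignoring anything the client says about the code. The following is an added example written for this thread, not RoCate's code; `VerificationService`, `profile_reader` and the in-memory tables are hypothetical, and the profile reader is a stub standing in for a real Roblox profile lookup.

```python
import secrets
import time
from typing import Callable, Dict, Optional, Tuple

CODE_TTL_SECONDS = 600  # a pending code is only valid for ten minutes


class VerificationService:
    """Server side of a 'put this code in your Roblox profile' ownership check.

    profile_reader: callable(roblox_user_id) -> profile text or None.
    clock: injectable time source so expiry can be tested deterministically.
    """

    def __init__(self, profile_reader: Callable[[str], Optional[str]],
                 clock: Callable[[], float] = time.time) -> None:
        self._profile_reader = profile_reader
        self._clock = clock
        # local_user -> (roblox_user_id, server_generated_code, expires_at)
        self._pending: Dict[str, Tuple[str, str, float]] = {}
        # local_user -> verified roblox_user_id
        self.verified: Dict[str, str] = {}

    def start(self, local_user: str, roblox_user_id: str) -> str:
        """Issue a fresh, unguessable code and bind it to this account pair."""
        code = "rocate-" + secrets.token_urlsafe(12)  # chosen by the server, never the client
        self._pending[local_user] = (roblox_user_id, code, self._clock() + CODE_TTL_SECONDS)
        return code

    def complete(self, local_user: str, client_supplied_code: Optional[str] = None) -> bool:
        """Check the profile of the bound Roblox account for the server's own code.

        client_supplied_code is accepted only so an older client can still call
        this route; it is deliberately never consulted.
        """
        entry = self._pending.get(local_user)
        if entry is None:
            return False
        roblox_user_id, code, expires_at = entry
        if self._clock() > expires_at:
            del self._pending[local_user]  # stale code: the user must start over
            return False
        profile = self._profile_reader(roblox_user_id)
        if profile is None or code not in profile:
            return False  # code not present yet; entry stays pending until it expires
        del self._pending[local_user]  # single use
        self.verified[local_user] = roblox_user_id
        return True


if __name__ == "__main__":
    # Constructed sample profiles standing in for the Roblox profile API.
    profiles = {"123": "Hi, I build obbies."}
    svc = VerificationService(lambda uid: profiles.get(uid))
    code = svc.start("alice", "123")
    print("before editing profile:", svc.complete("alice"))
    profiles["123"] += " " + code  # the user pastes the code into their profile
    print("after editing profile: ", svc.complete("alice"), svc.verified)
```

Because the code lives only in server memory and in the real profile, a request that changes the JSON body or header to some other code, or to some other Roblox user id, proves nothing: the server still looks up the account it bound at `start` and looks for the code it generated.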
I do have to be honest with that. I already contacted my secondary developer and he knows about it. It is indeed a massive security issue and it’s something that I should have checked before releasing. We are working on a new auth system after getting criticised a lot about our basic email+password. This new system uses a 3rd party app that handles the authentication through a game check with no password. We hope that with this change people stop hating us for our basic password+email authentication.
Hey everyone! We are working on a complete rewrite, taking on board all your feedback and suggestions. More information soon!
Wouldn't it be better to make it an automatic algorithm that shows the appropriate games? Because having devs add in their games is gonna be a pretty slow process, considering the fact there’s barely any games on Rocate…
As we’ve said 100 times before, we posted here to get more games. Again remember this is the reason we are in beta.
I’m not gonna say that you don’t have many games. I’m gonna say that I just didn’t see any games. I saw no games whatsoever
I wish there was a pin feature on the DevForum.
You could post a feature request in this forum
I agree with you tbh; it would be pretty simple to scrape games with the Roblox API and would probably make this platform much better tbh.
There is no way of being able to differentiate high quality from low quality if it was automatic. Also, just for clarification, the reason devs have to add their games themselves is because it allows us to have good relations with them, instead of them seeing their game up on a random website and being annoyed they weren’t notified. The core of RoCate is community based.
I understand the part about having a relationship with a developer, but couldn't you make a better algorithm to sort games better than Roblox does? Just a suggestion.