The email leakage that plagued Sporepedia, is now finally gone, after 3 days since it became public, and after more than two weeks since I first found it out. It was probably there from Sporepedia's day one, and more than 750000 were free for grabbing.
Now that this episode is over, here's how I've done it. No intelligence is required. As a bonus, I've attached a new mail from the masterminds of EA at the end of this post, and if you all gonna be good kids, I'm gonna tell you Will Wright's email address. There are many other interesting things to do around there, and there are some more services you can play with. I won't be surprised to find another security problem around there.
As I've said in my last post, my goal was downloading a massive amount of creatures, believing that I could learn something on the way Maxis hides creature data in the .png files. In order to do so, I had to learn how Sporepedia worked. There was some way that my browser queried Sporepedia (for example, for the first 24 creatures), and got the results back. Using Firebug a great debug tool for Firefox, I was able to see that it sent a query to www.spore.com/sporepedia/jsserv/call/plaincall/assetService.listAssets.dwr, with the following parameters (the two parameters marked in red are the first creature to retrieve, and the number of creatures to retrieve):
callCount=1and got back, in plain text, the creatures details and their creatures details, including the email addresses. Now using some programming magic you could do the same requests to Sporepedia as your browser does and harvest the addresses without a problem. Moreover, you can change the parameters to get 1000 addresses at once.
page=/sporepedia
httpSessionId=******
scriptSessionId=*****
c0-scriptName=assetService
c0-methodName=listAssets
c0-id=0
c0-e1=number:0
c0-e2=number:24
c0-param0=Object_Object:{index:reference:c0-e1, count:reference:c0-e2}
batchId=4
Now, if you just want to know a specific user email address, say the one of MaxisWill, Sporepedia made things even easier for you. No programming or firebugging needed. If you'll try snoop around "assetService.listAssets.dwr" address you'll soon get to the sporeUserService page.
here can fill the username you want to query under findSporeUserByScreenName, press execute, and get
As simple as that.
Nowadays, you won't get the email address field. But fear not, if you still want to check whether a specific address is Will Wright's address, use the field named findSporeUserByEmail, and see if you get MaxisWill's details.
That's it. And now, as promised, one last mail from EA:
You recently contacted Electronic Arts for support of your EA game. As part of our mission to provide the highest quality support possible, we seek your thoughts on your most recent experience with our Customer Support department. The survey takes just a few minutes to complete. Your responses will help us determine ways to improve the support we provide to you.They're kidding me, right?
See you all when (if) I would finally find how to decode the .png files! (update: here)
I don't think the creature data is embedded in the png. I think the creature png is used as a "checksum" to get the real creature data from the server. So when you drag a creature image into the spore editor, it will send the image to the server, which in turn will lookup the creature data and send it back.
ReplyDeleteI didn't verify this, but its about the only thing I can imagine, because I've used a png chunk viewer, and there is simply no space left besides the image pixels to store additional data.
You can turn off your internet connection and see that creature creator is still willing to load (not previously cached) creatures.
ReplyDeleteBut you are not completely wrong - the pixels themselves contain the creature data, as I've written in a previous post.
Actually, I now have a method for extracting the data from the png files, and I'll post about it in the next few days.