
Thursday, July 31, 2008
Endless forms most beautiful
The following post, 10 Beautiful Butterflies and Their Ugly Duckling Offspring, on scienceray, features many butterflies and their caterpillars. As far as I'm concerned many caterpillars are prettier than their adult form, and surely more interesting.


Labels:
butterflies,
caterpillars,
eyespots,
Natural Life
Tuesday, July 29, 2008
SporeGate: the day after

The email leakage that plagued Sporepedia is now finally gone, three days after it became public and more than two weeks after I first found it. It was probably there from Sporepedia's day one, and more than 750000 addresses were free for the grabbing.
Now that this episode is over, here's how I did it. No intelligence is required. As a bonus, I've attached a new mail from the masterminds at EA at the end of this post, and if you're all going to be good kids, I'm going to tell you Will Wright's email address. There are many other interesting things to do around there, and there are some more services you can play with. I won't be surprised to find another security problem around there.
As I said in my last post, my goal was downloading a massive amount of creatures, believing that I could learn something about the way Maxis hides creature data in the .png files. In order to do so, I had to learn how Sporepedia worked. There was some way my browser queried Sporepedia (for example, for the first 24 creatures) and got the results back. Using Firebug, a great debugging tool for Firefox, I was able to see that it sent a query to www.spore.com/sporepedia/jsserv/call/plaincall/assetService.listAssets.dwr with the following parameters (the two that were marked in red, c0-e1 and c0-e2, are the index of the first creature to retrieve and the number of creatures to retrieve):
callCount=1
page=/sporepedia
httpSessionId=******
scriptSessionId=*****
c0-scriptName=assetService
c0-methodName=listAssets
c0-id=0
c0-e1=number:0
c0-e2=number:24
c0-param0=Object_Object:{index:reference:c0-e1, count:reference:c0-e2}
batchId=4
and got back, in plain text, the creatures' details and their creators' details, including the email addresses. Now, using some programming magic, you could make the same requests to Sporepedia that your browser does and harvest the addresses without a problem. Moreover, you can change the parameters to get 1000 addresses at once.
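From the defender's side, the tell-tale sign of this harvesting is a client asking listAssets for far more than the 24 rows the page itself requests, or for many pages in a short window. The following is an added example (my code, not Spore's or EA's) that resolves the DWR batch parameters shown above from constructed proxy log lines and flags bulk listing; the log format, the 240-row budget and the client addresses are assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs

UI_PAGE_SIZE = 24          # what the Sporepedia page itself asks listAssets for
MAX_ROWS_PER_CLIENT = 240  # assumed per-client budget for one log window

# Constructed log lines (not real Sporepedia logs): client, time, DWR script
# name, and the POST body as a reverse proxy might record it.
SAMPLE_LOG = """\
203.0.113.5 10:00:01 assetService.listAssets.dwr c0-e1=number:0&c0-e2=number:24&c0-param0=Object_Object:{index:reference:c0-e1,count:reference:c0-e2}
203.0.113.5 10:00:09 assetService.listAssets.dwr c0-e1=number:24&c0-e2=number:24&c0-param0=Object_Object:{index:reference:c0-e1,count:reference:c0-e2}
198.51.100.7 10:00:10 assetService.listAssets.dwr c0-e1=number:0&c0-e2=number:1000&c0-param0=Object_Object:{index:reference:c0-e1,count:reference:c0-e2}
198.51.100.7 10:00:11 assetService.listAssets.dwr c0-e1=number:1000&c0-e2=number:1000&c0-param0=Object_Object:{index:reference:c0-e1,count:reference:c0-e2}
"""


def resolve_dwr_param(body, name="c0-param0"):
    """Turn a DWR batch body into a plain dict, following `reference:c0-eN`
    to the `number:` values declared alongside it."""
    fields = {k: v[0] for k, v in parse_qs(body).items()}
    m = re.search(r"Object_Object:\{(.*)\}", fields.get(name, ""))
    if not m:
        return {}
    out = {}
    for pair in m.group(1).split(","):
        key, _, val = pair.strip().partition(":")
        if val.startswith("reference:"):          # indirection to c0-eN
            val = fields.get(val.split(":", 1)[1], "")
        out[key] = int(val[7:]) if val.startswith("number:") else val
    return out


def flag_bulk_listing(log_text):
    """Return (client, reason) findings: any listAssets call whose count
    exceeds the UI page size, plus clients whose summed rows exceed budget."""
    findings, rows_per_client = [], defaultdict(int)
    for line in log_text.splitlines():
        client, _ts, endpoint, body = line.split(" ", 3)
        if not endpoint.endswith("assetService.listAssets.dwr"):
            continue
        count = resolve_dwr_param(body).get("count", 0)
        rows_per_client[client] += count
        if count > UI_PAGE_SIZE:
            findings.append((client, f"count={count} exceeds UI page size"))
    for client, rows in rows_per_client.items():
        if rows > MAX_ROWS_PER_CLIENT:
            findings.append((client, f"{rows} rows requested in window"))
    return findings
```

The same count check belongs server-side as a hard cap on the `count` argument, which turns the 1000-at-once variant into a rejected request rather than a log entry.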
Now, if you just want to know a specific user's email address, say that of MaxisWill, Sporepedia made things even easier for you. No programming or Firebugging needed. If you snoop around the "assetService.listAssets.dwr" address you'll soon get to the sporeUserService page.
There you can fill in the username you want to query under findSporeUserByScreenName, press execute, and get that user's details back.

As simple as that.
Nowadays, you won't get the email address field. But fear not: if you still want to check whether a specific address is Will Wright's, use the field named findSporeUserByEmail and see if you get MaxisWill's details back.
That's it. And now, as promised, one last mail from EA:
You recently contacted Electronic Arts for support of your EA game. As part of our mission to provide the highest quality support possible, we seek your thoughts on your most recent experience with our Customer Support department. The survey takes just a few minutes to complete. Your responses will help us determine ways to improve the support we provide to you.
They're kidding me, right?
See you all when (if) I finally find out how to decode the .png files! (update: here)
Saturday, July 26, 2008
Pig Monkey
Here's a normal piglet, from Madeleine_'s Flickr pool

And here's a mutant piglet courtesy of Orange News, via Zooillogix, one of my favorite blogs.
Just another example of how (probably) small mutations can cause a great difference in the phenotype, something I have not witnessed in any ALife simulation I have had the joy to play with.

Friday, July 25, 2008
Sporepedia leaks email addresses

I'm not a security engineer (though I wouldn't mind working in that industry). I'm just a curious guy who wanted to learn how Spore encodes its creatures within .png files (see previous post). As part of this (yet to be successful) research project, I wanted to download about 100 creatures for testing purposes. This led me to look into how the Sporepedia website works, and as the title of this post suggests, I found more than I was looking for. Apart from delivering creatures' pictures and names (as you can see in your own browser), Sporepedia also delivers some creatures' stats, such as their number of feet and health, and their creators' email addresses.
Here's a little excerpt of what you get when you browse Sporepedia and look for the toad-like creature presented above (formatting is done by yours truly):
s5.assetId=500006865544;
s5.attackRating=4.0;
s5.author=s29;
s5.baseGear=0.0; s5.bite=2.0; s5.boneCount=45;
s5.carnivoreRating=1.0; s5.charge=2.0; s5.created=new Date(1217013619767);
s5.cuteness=53.332813; s5.dance=0.0; s5.description=null;
s5.featured=null; s5.footCount=4; s5['function']=s0;
s5.gesture=2.0; s5.glide=0.0; s5.grasperCount=0;
s5.health=2.0; s5.height=1.444589; s5.herbivoreRating=1.0;
s5.id=500006865544; s5.maxAttack=2.0; s5.maxSocial=2.0;
s5.meanness=13.0; s5.name="Rana"; s5.parentId=null;
s5.posture=0.0; s5.quality=null; s5.rating=-1.0;
s5.sing=1.0; s5.social=3.0; s5.spit=0.0;
s5.sprint=0.0; s5.status=s1; s5.stealth=0.0;
s5.strike=0.0; s5.tags=null; s5.thumbnailSize=27585;
s5.totalEvoPoints=665; s5.type='CREATURE'; s5.updated=new Date(1217013619767);
s29.avatarImage="thumb/500/006/462/500006462490.png";
s29.dateCreated=new Date(1216243320000);
s29.emailAddress="re****@hotmail.com";
s29.id=2264719288;
s29.lastUserAgent=null;
s29.name="monkey-milker";
s29.screenName="monkey-milker";
s29.subscriptionCount=0;
s29.tagline="drink enough monkey milk ";
s29.updated=new Date(1216638225588);
s29.userId=2264719288;
As you can see, there is a creature struct linked to a creator struct, and the creator struct contains the email address of the user (censored by me). True, this is not a DNS poisoning scheme, but a malevolent party could easily mine those addresses for spam and phishing. I can imagine a phishing scheme where an email apparently coming from spore.com notifies you that you can buy your creature "Rana" a special power for a mere $2; all you have to do is give your credit card number.
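The response-side fix is to stop serializing the creator's private fields into a public listing, which is what eventually removed the email address field. The following is an added example (my code, not Spore's or EA's) that parses a constructed response in the `sN.field=value;` shape quoted above, audits it for private user fields, and strips them while leaving every other assignment intact; the sample values and the choice of `lastUserAgent` as a second private field are assumptions.

```python
import re

# One `sN.field=value;` assignment of the DWR script response.
ASSIGN = re.compile(r"(s\d+)\.(\w+)=([^;]*);")

# Fields a public, unauthenticated creature listing has no business carrying:
# emailAddress is what Sporepedia leaked; lastUserAgent (assumed) is the same
# kind of incidental record that escapes when a whole user object is serialized.
PRIVATE_USER_FIELDS = {"emailAddress", "lastUserAgent"}

# Constructed response in the shape of the excerpt above (email made up).
SAMPLE_RESPONSE = """\
s5.id=500006865544; s5.name="Rana"; s5.author=s29; s5.type='CREATURE';
s29.emailAddress="user@example.com"; s29.id=2264719288;
s29.screenName="monkey-milker"; s29.avatarImage="thumb/500/006/462/500006462490.png";
s29.lastUserAgent=null;
"""


def parse_dwr_script(text):
    """Parse the assignments into {object: {field: raw_value}}; the creature's
    `author=s29` reference is kept verbatim so the link to the creator is visible."""
    objs = {}
    for obj, field, value in ASSIGN.findall(text):
        objs.setdefault(obj, {})[field] = value.strip()
    return objs


def audit_private_fields(objs):
    """Return (object, field) pairs where a private user field is exposed."""
    return [(obj, field) for obj, fields in objs.items()
            for field in fields if field in PRIVATE_USER_FIELDS]


def strip_private_fields(text):
    """Drop private-field assignments and leave everything else byte-for-byte.
    Doing this in the server-side serializer is the real fix; doing it at the
    edge, as here, is a stopgap that still closes the leak."""
    return ASSIGN.sub(
        lambda m: "" if m.group(2) in PRIVATE_USER_FIELDS else m.group(0), text)
```

Running `audit_private_fields` against a captured response is a quick regression check that the email field has not crept back into the listing.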
I've tried to notify EA about this issue, without success.
At first, I sent a mail to privacy_policy@ea.com, but their reply was:
We apologize, but emails regarding billing, account, technical, in-game, or Terms of Service violations or inquiries are not supported from this email address.
Please visit support.ea.com to view our knowledge base of frequently asked questions. If you are not able to find your answer there you may email the appropriate department by choosing the Ask a Question option at http://support.ea.com.
So I posted a question, or rather a warning, at http://support.ea.com, and got the following reply (after a bit of correspondence):
Hello,
Thank you for contacting us here at Electronic Arts Technical Support. You can post your concern on the spore forums at http://spore.com/forum so that the administrators of the website can provide you a direct answer since they are the ones managing the website.
Should you require further assistance about this or any Electronic Arts games in the future, please visit our website and review our extensive Self Help knowledgebase (http://support.ea.com).
Thanks!
However, since posting in that suggested forum required me to sign up as a Spore user, which in turn required me to risk my email address, I chose not to do so. And since posting to that forum would have made this issue public, I chose to make it public on my own turf.
Update: I encourage everyone reading this post to send a mail to EA or leave a comment in their support forums. Maybe en masse, our voices will be heard.
More Updates: Turns out that I do have an account for EA forums (they can be quite confusing for my puny mind). So I went on to register a complaint, but someone already beat me to it. If you are a spore user, and care about your email address, you should add a comment to that thread.
Last Update?: Meghan Kane McDowell, who is "Producer, Pollination & Web" at Maxis, has posted that a bug fix is ready and will be deployed in 24 hours. If that turns out to be true, I'll post a full disclosure of the bug tomorrow. You are welcome to stay tuned. - here it is
Labels:
Electronic Arts,
games,
privacy,
security,
Spore
