Plague Network hacking for fun and profit

Some nights ago I started playing with mitmproxy and was looking for something to poke at; Tinder was already taken by Rich Taylor and others. I’ve been using this new social network app called Plague that has a new way of spreading posts. I liked its concept, so… that was enough to poke it 🙂

Setup:

[Image: Plague Repost]

It seems that everything is clear and nothing challenging. So let’s write some Python code to do the same.

 

import requests

token = 'TOKEN'
u_id = 'USERID'
lat = '90.0000'  # North Pole (latitude 90)
lon = '0.0000'

headers = { 'Host':'plague.io',
            'Content-Type':'application/x-www-form-urlencoded; charset=utf-8',
            'Connection':'keep-alive',
            'Proxy-Connection':'keep-alive',
            'Accept':'application/json',
            'User-Agent':'Plague/1.1.25 (iPhone; iOS 8.3; Scale/2.00)',
            'Accept-Language':'en',
            'Accept-Encoding':'gzip, deflate'}

def vote_repost(post_id):
    url = "http://plague.io/api/votes/repost/"
    payload = { 'latitude':lat,
                'longitude':lon,
                'repost_id':str(post_id),
                'token':token,
                'uid':u_id}
    r = requests.post(url, data=payload, headers=headers)
    print(str(post_id) + " " + r.text)

vote_repost(999)

Voilà… it worked! So let’s post something.

[Image: Plague Post]

So this would be the code:

def send_text(text):
    url = "http://plague.io/api/posts/"
    send_text_payload = {
            'latitude':lat,
            'longitude':lon,
            'meta':'{"administrativeArea":"Quebec","country":"Canada","locality":"Montreal"}',
            'text':text,
            'token':token,
            'uid':u_id}
    r = requests.post(url, data=send_text_payload, headers=headers)
    print(text + " - " + r.text)

And the server response is…..

{
    "status": "OK"
}

And btw yes I’m from Montreal, that wasn’t something to hide 🙂

So this goes for almost all the functionalities that I’ve already implemented, except the image upload, since I’m too lazy to fix the multipart/form-data encoding on HTTP POST, but you can add images by URL.

TL;DR: Don’t read past this, as this is when I got tipsy on beer and sleepy; go to the end and get the GitHub link.

I had to do something more exciting. I decided to troll the plague network. So I wrote this (already had written the comment function):

def comment_range(text, lrange, rrange):
    # Calls comment() (defined elsewhere in the script) once per post id in [lrange, rrange)
    if lrange < rrange:
        for i in range(lrange, rrange):
            comment(str(i), text)
    else:
        print("Left range must be smaller than Right range")

comment_range("Plague is contagious", 1, 999999)

Not sure why I didn’t add a delay; I should have known that this is not 2010 and APIs all have a call limit 🙂

143Plague is contagious! - {"status": "OK"}
144Plague is contagious! - {"status": "OK"}
145Plague is contagious! - {"status": "OK"}
146Plague is contagious! - {"status": "OK"}
147Plague is contagious! - {"status": "OK"}
148Plague is contagious! - {"error": {"info": "post", "code": "API_ObjectNotFound"}}
149Plague is contagious! - {"status": "OK"}
150Plague is contagious! - {"status": "OK"}
151Plague is contagious! - {"status": "OK"}
152Plague is contagious! - {"error": {"info": null, "code": "API_PendingConfirmation"}}
153Plague is contagious! - {"error": {"code": "API_PendingConfirmation", "info": null}}

So yeah I got a confirmation email, then the second one, then the third one (total of 8) but didn’t get confirmed.

[Image: verification_needed]

The fun fact is that I posted the comment on some plagues that had been expired for weeks, and I started to get comments from people asking how I did so. But too bad I couldn’t reply to any of them because I was getting the above error message. (More sad that I don’t have a screenshot of their comments 🙂 )
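The call limit and the expired-post behaviour described above, seen from the server side, as an added example (not code from this post or from Plague): a per-uid guard that counts every attempt, flags a walk over consecutive post ids, and refuses comments on missing or expired posts. The class name, thresholds and replayed traffic are assumptions constructed for illustration.

```python
from collections import defaultdict, deque

WINDOW_SECONDS = 60   # assumed sliding-window length
MAX_COMMENTS = 10     # assumed per-uid comment budget inside the window
MAX_SEQUENTIAL = 5    # assumed run of consecutive post ids treated as enumeration

class CommentGuard:
    """Server-side decision for one comment request (hypothetical design)."""

    def __init__(self, post_expiry):
        self.post_expiry = post_expiry      # post_id -> expiry timestamp
        self.recent = defaultdict(deque)    # uid -> (timestamp, post_id) attempts

    def check(self, uid, post_id, now):
        window = self.recent[uid]
        while window and now - window[0][0] >= WINDOW_SECONDS:
            window.popleft()
        # Record every attempt, so probing missing or expired ids still counts.
        window.append((now, post_id))
        if len(window) > MAX_COMMENTS:
            return "reject:rate_limited"
        if self._longest_run([pid for _, pid in window]) >= MAX_SEQUENTIAL:
            return "reject:enumeration"
        expiry = self.post_expiry.get(post_id)
        if expiry is None:
            return "reject:not_found"
        if expiry <= now:
            return "reject:expired"
        return "accept"

    @staticmethod
    def _longest_run(ids):
        # Length of the longest run of ids that each increase by exactly one.
        run = best = 1
        for prev, cur in zip(ids, ids[1:]):
            run = run + 1 if cur == prev + 1 else 1
            best = max(best, run)
        return best

def replay_scripted_client():
    """Constructed traffic: one uid walks post ids 143..153, one request per second."""
    expiry = {pid: 10_000 for pid in range(143, 154) if pid != 148}  # 148 never existed
    expiry[143] = 500                                                # expired long ago
    guard = CommentGuard(expiry)
    return [guard.check("uid-A", pid, 1000 + i) for i, pid in enumerate(range(143, 154))]

if __name__ == "__main__":
    for pid, decision in zip(range(143, 154), replay_scripted_client()):
        print(pid, decision)
```

Because rejected attempts stay in the window, the scripted walk is cut off at the fifth consecutive id rather than after hundreds of accepted comments.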

Tried with the Python API and yep I was banned!

[Image: plague banned]

Anyhow it was fun, and let’s see what would come out of this.

Here is the GitHub repo.

For now the functionalities implemented are as follows:

  • login(user,password)
  • vote_repost(post_id)
  • vote_skip(post_id)
  • send_text(text)
  • comment(post_id, text)
  • photo_post(file,text) #Not yet working
  • post_link(media_link, media_link_preview, text)
  • post_delete(post_id)

Would be happy to see your commits or comments or both 🙂
