Happy Street is flawed

Posted: Tuesday 22 January 2013

Update as of October 2013: no longer works!

Flaw was open for 10+ months

I'd like to congratulate the developers for spreading the word on the furry community, great job :)

However, there's one critical flaw in the game: it uses Appspot and a completely unencrypted gifting/cloud saving system.

Sure, there is some horrifically low-level protection included (such as "encoding" the data in hex form) but, of course, that was no match for me...

There's really no encryption or any other protection to be found in the way Happy Street handles its online services; the Happy Street system is wide open.

This is basically what I consider to be the flaw of Happy Street: it's unencrypted. For a game that attracts millions of players from multiple platforms, you would expect the developers to be a little more careful when it comes to scenarios like this. However, they're not.

Think that you can't ever send lucky tokens in Happy Street? Well think again..
bAAAAAEAAQYAAABUb2tlbgABAAAAAA==

And guess what?

Creating a custom item generator for Happy Street is pretty much the hardest step required to fully exploit Happy Street's online services, yet that only took a few hours. Finding the PID (the unique identifying code that Happy Street assigns to its players) was much, much easier than I thought it would initially be, and as someone with a fairly large number of friends who've played Happy Street this really relieved me.

Finally, finding the useragent to spoof appspot was the easiest step...

HappyStreet/1.3.100 CFNetwork/609 Darwin/13.0.0


The location where that data should be sent is right here:
http://gzhappystreet.appspot.com/uploadSocialActions

Download the tool

Link to the tool (since the "downloaded" tool is just a functional wrapper for the site itself)

http://happy.extramaster.net/ (you have to be friends with someone who knows their own PID first..)

To the developers out there, please use a hashing system [with a strong salt] to ensure that the Game Center system isn't flooded with fake scores... Merely detecting whether or not the user has jailbroken is never enough since it can be easily bypassed anyways...

Edit

As the entire Happy Street system is unprotected, you can basically access the data of other users, whether or not you're friends with them.. As a result, it is possible to "profile" a whole bunch of Happy Street players who have linked it to their Facebook account, simply because of the fact that you can access anyone's friend list even if you're not their friend in-game [as long as you have their PID]....
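
What authenticated gifting and friend-list access could look like on the server, covering both the advice to developers and the Edit above. This is an added sketch, not code from the original post or from Happy Street: the per-player session key, friend graph, item allowlist and every name are assumptions, and it uses a keyed HMAC rather than a plain salted hash.

```python
import hashlib, hmac, json, time

# Every name and value here is hypothetical or constructed for the example.
SESSION_KEYS = {"pid-alice": b"\x01" * 32}   # per-player secret issued at login
FRIENDS = {"pid-alice": {"pid-bob"}, "pid-bob": {"pid-alice"}}
GIFTABLE = {"Wood", "Stone"}                 # items players may never gift are absent
MAX_SKEW = 300                               # seconds a signed request stays valid
_seen = set()                                # (sender, nonce) pairs already accepted

def sign(key, sender, recipient, item, qty, nonce, ts):
    # A JSON array gives an unambiguous encoding of the signed fields.
    msg = json.dumps([sender, recipient, item, qty, nonce, ts]).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

def verify_gift(req, now=None):
    """Return (accepted, reason) for a gift request dict."""
    now = time.time() if now is None else now
    try:
        sender, nonce, ts = req["sender"], req["nonce"], req["ts"]
        key = SESSION_KEYS.get(sender)
        if key is None:
            return False, "unknown sender"
        want = sign(key, sender, req["recipient"], req["item"], req["qty"], nonce, ts)
        if not hmac.compare_digest(want.encode(), str(req["mac"]).encode()):
            return False, "bad mac"
        if abs(now - ts) > MAX_SKEW:
            return False, "stale"
        if (sender, nonce) in _seen:
            return False, "replay"
        if req["recipient"] not in FRIENDS.get(sender, set()):
            return False, "not friends"
        if req["item"] not in GIFTABLE or not 1 <= req["qty"] <= 5:
            return False, "item not giftable"
    except (KeyError, TypeError):
        return False, "malformed"
    _seen.add((sender, nonce))
    return True, "ok"

def can_read_friends(requester, target):
    # requester must come from a verified MAC, never from a client-supplied field.
    return requester == target or requester in FRIENDS.get(target, set())
```

The session key only helps if it is delivered over TLS and kept server-side per player; a secret baked into the app binary can be extracted like any other constant.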


Edit 2

The Happy Street developers have finally patched the flaw with their v2 update. Of course, it's still publicly accessible, but the code that I used to test the flaw is now mostly non-functional (though some things apparently still work).
