FYI - I'm the other developer/researcher of this stuff.
iLoch, on 05 February 2013 - 19:13, said:
The most responsible developers in the community have had access for a while. We know sharing is caring. There's a right, and a wrong way of doing it. (See http://halocharts.com JSON service) By releasing this source code, you've allowed anyone to hit the service with a million requests. 343i already have tightened the API - my guess is that you didn't notice since you didn't get access right away. Next step is an IP whitelist.
Do you actually know what you're talking about?
It is a JSON API, which is accessed by the HWP website through AJAX. Each user makes their own requests to it - therefore IP whitelisting would be impossible.
The security on it is extremely basic at present, so I'm not sure what you mean by "343i already have tightened the API" since it's really not in the slightest bit difficult to authenticate to it.
An intermediate service (rather than documenting how to access directly) would be an incredibly stupid thing to do for several reasons:
- It would be painfully obvious since a ridiculous number of requests to different accounts would be coming from the same IP
- It would be incredibly easy to block
- It would require working around, rather than with, the authentication system. Our docs & client conform fully to the way the auth system was intended to work and, as such, there are no security issues in terms of phishing & no reason for 343/MS to get ****ed off about it
Additionally, this is not an internal API. A private one, maybe, but every time you visit HWP you directly call it 20-100 times (ish), so it's not exactly hidden.
iLoch, on 05 February 2013 - 20:03, said:
Sorry, is that hard for you to believe? That's actually just one line they would have to add to block 100% of the unwanted access. Are you kidding me?