Editorial Disclaimer

This post was originally published by Spencatro on 09/23/2018. Spencatro has since gone on to work at Wizards of the Coast (Dec 2018). MTGATracker remains a 3rd-party project that is not affiliated with Wizards of the Coast, and is published pursuant to the Wizards of the Coast Fan-Content Policy. The views and opinions expressed in this post are strictly those of the author, and do not reflect the official position, policy, views, or opinions of Wizards of the Coast. No authors were compensated by any parties for the authorship of this post.

Bug Bounty: OAuth Sanity Check

This bug bounty was designed to help us make sure our OAuth implementation is sane in #290. To work on this bounty, you’ll likely need to run a locally hosted instance of Inspector targeted at the feature/oauth branch. Note: the new OAuth flows are now live on https://inspector.mtgatracker.com. Happy hacking! Remember that you must disclose to us your intention of performing security research on our systems after 9/27.

In order to get your own user data into the new instance of Inspector, you will also need to run an unreleased version of MTGATracker that uses the new API and auth flows. (This is of course optional; the goal is to access data you didn’t create.) link / MD5: e824f8f51c691ba3dad256b03cd44993 Note: MTGA is down until 9/27, so this probably won’t do you much good anymore.

Targets: [API Root URL] / [Inspector source] (Note: gx3.mtgatracker.com/... is the only API instance that has the new oauth flows enabled.)

Goals: Documented, reproducible, unauthorized access to account information you don’t own (e.g. game records, draft records, decklists, or profile data.)

Rewards: $50 to first valid reporter (CLAIMED), $25 to second valid reporter (available)

Limits: Guilds of Ravnica releases on MTGA on 9/27. While this bounty may still be available after 9/27, note that you must inform us you are performing security research on our systems after this date. Failure to do so may result in your account(s) being banned from MTGATracker systems.

Disclosure: Send any findings to [email protected]

About MTGATracker Bug Bounties

MTGATracker bug bounties are paid for out of pocket by Spencatro. Specific bounties are specifically budgeted for. Therefore, if you’ve reported a critical security issue we weren’t planning on, we may or may not be able to accommodate with a bounty payout at our own sole discretion. (Spencatro will do his best to keep money in the pipeline as often as possible!) Payout methods available are PayPal and Venmo.

Specific bounties will be paid out first-come first-serve, given that the reports qualify. To check if a specific bounty reward has been claimed, check the blog post announcing the bounty.