Post: Call of Duty API Endpoints
09-23-2017, 03:07 PM #1
Tustin
Balls of Steel
Recently, Activision You must login or register to view this content.. I thought it was pretty cool so I decided to see if they used an API. Not only do they use one, but it also requires no authentication (for most of it anyways) which makes it easy to use if you want to integrate directly on your website or application.

Rather than making a library for this API, I figured it would be easier to just provide the API endpoints used. There aren't many of them right now, but hopefully it gets expanded in the future.

Resources:

API URLs:
IW: You must login or register to view this content.
BO3: You must login or register to view this content.

Platform Identifiers (used for 'platform' parameter):
PSN - psn
Xbox Live - xbl
Steam - steam

Endpoints:

User Stats:
GET platform/{$platform}/gamer/{$username}/profile/ (example: platform/psn/gamer/tustin25/profile/)

Leaderboards:
GET platform/{$platform}/time/alltime/type/core/mode/career/page/1/ - returns the first page of lifetime core stats (example: platform/psn/time/alltime/type/core/mode/career/page/1/)

Quartermaster Inventory (requires authentication):
BO3 supply drops aren't supported yet. I was hoping you could view anyone's inventory with this but this endpoint requires authentication to view unfortunately. I still need to reverse their authentication flow.
GET platform/{$platform}/gamer/{$username}/inventory/?c=1506178397083 (example: platform/psn/gamer/tustin25/inventory/?c=1506178397083) not sure what the 'c' param is used for. The value is a unix timestamp but maybe it stands for cache?

Keys/Salvage/COD Points (requires authentication):
Again, requires authentication and also doesn't support BO3.
GET platform/{$platform}/gamer/{$username}/currency/?c=1506178397084 (example: platform/psn/gamer/tustin25/currency/?c=1506178397084) see above endpoint for the 'c' param.

Purchasing Supply Drop (requires authentication):
This only purchases a common crate. I'm not too sure what the parameters are for a rare crate and purchasing with COD points.
POST platform/{$platform}/gamer/{$username}/item/CommonCrate/purchaseWith/keys (example: platform/psn/gamer/tustin25/item/CommonCrate/purchaseWith/keys)

Opening Supply Drop (requires authentication):
Again, I've only tested this with common crates.
POST platform/{$platform}/gamer/{$username}/item/CommonCrate/redeem (example: platform/psn/gamer/tustin25/item/CommonCrate/redeem)


That's about all for now. Like I said, not enough to make some library for this and I also haven't reversed their auth flow yet so most of these endpoints aren't useful at the moment. Still pretty cool to see all the items you've gotten from supply drops though since I don't think all that data is displayed anywhere currently. Hopefully someone can find the statistics part useful at the very least!

The following 5 users say thank you to Tustin for this useful post:

AppaTroix, Cbuf_AddText, Hydrogen, Norway-_-1999, Playstation VR
09-29-2017, 06:40 AM #20
Originally posted by Marbella View Post
I will make one tomorrow. :)

Another strange thing: the group IDs aren't random. If you create one now you will have something like ID 35000, and the next one ID 35001, etc.
So I have done some research to see if devs have created some test groups, to grab some PSNs of 3arc.

The first real group is this one:
You must login or register to view this content.

Which has ID 96. A strange thing is if you put a slash at the end of the link like this:
You must login or register to view this content.

It gives you a blank page. Also, the majority of page IDs behind 96 are blank pages, but some groups show up if you put a / at the end of the link or /members, so I wrote a little program to see the dev groups.
So I wrote some code that tests the first 100 group IDs; here it is:
    
let request = require("request");
let interval = 1 * 500; // Lowering the interval can get you IP banned

for (let i = 0; i < 100; i++) {
    setTimeout(function (i) {
        console.log("trying on " + i);
        // I ran the code on <groupid> with backslash, without backslash and with members; it seems like /member gives the best results
        request.get("https://www.callofduty.com/api/sso/cod/title/bo3/psn/teams/" + i + "/members", function (err, resp, body) {
            // Skip failed requests (resp is undefined on error) and empty bodies
            if (!err && body !== "") {
                console.log(resp.request.uri.href);
            }
        });
    }, interval * i, i);
}



Like the comment explains, I ran tests on /groupid without backslash, with backslash, and /members and /members/

And here are the three dev groups I found; I think the other one was deleted during game development:
You must login or register to view this content.
You must login or register to view this content.
You must login or register to view this content.

You can see only two PSNs:
mendicantca
QAMLIVE042ps

They seem to be some dev PSNs (or maybe beta testers?). Can't look atm since my PS4 is in another room, but maybe they sometimes play dev games, like BO3 had "Northwood" as its beta secret name.


Seems mendi hasn't been playing games since September 2016, and QAM must be a dummy account, considering You must login or register to view this content.


What's interesting about mendi is it seems he's an avid Destiny player -
, You must login or register to view this content.

Considering Destiny and COD are by the same publisher...perhaps mendi is QA?
Last edited by Frosty ; 09-29-2017 at 06:43 AM.
09-29-2017, 07:26 AM #21
Originally posted by Frosty View Post
Seems mendi hasn't been playing games since September 2016, and QAM must be a dummy account, considering You must login or register to view this content.


What's interesting about mendi is it seems he's an avid Destiny player -
, You must login or register to view this content.

Considering Destiny and COD are by the same publisher...perhaps mendi is QA?


Yeah, I really think he is a QA. The strange thing is that when QA/beta players are invited to Treyarch, they play on devkit consoles.
I will not investigate more on his PSN since he seems like a legit player who was just a QA.

For the second PSN, he has only two trophies on BO3, but you can see on his profile on the API that he played some MP:
You must login or register to view this content.

He also has "QA" in his PSN.

I had another idea btw: I searched on other platforms and I found some stuff:
You must login or register to view this content.

His xbl tag is: dw-thc-ops3-beta

The API seems to be broken on Steam (can't find anything).

EDIT: There are also other PSNs with lower numbers, like QAMLIVE041ps instead of QAMLIVE042ps

EDIT2: According to the trophy dates, these accounts were tested when the game was out & for testing Zombies Chronicles, I think.
That means you can know when Activision is working on secret stuff like another DLC etc., since they use these accounts for every game.

I know that because back when DLC5 had leaks, a guy from Activision playtest leaked some info, but the posts are deleted:
You must login or register to view this content.

He said he played the DLC5 beta around the time these accounts played it.
That's some pretty cool stuff!

EDIT 3: I wrote a miniscript that tries PSNs of the form QAMLIVE0XXps; here is the list of QA testing accounts that have played BO3:
Originally posted by another user
QAMLIVE019ps
QAMLIVE020ps
QAMLIVE021ps
QAMLIVE022ps
QAMLIVE023ps
QAMLIVE024ps
QAMLIVE025ps
QAMLIVE027ps
QAMLIVE028ps
QAMLIVE029ps
QAMLIVE030ps
QAMLIVE031ps
QAMLIVE032ps
QAMLIVE033ps
QAMLIVE034ps
QAMLIVE035ps
QAMLIVE036ps
QAMLIVE037ps
QAMLIVE039ps
QAMLIVE040ps
QAMLIVE041ps
QAMLIVE042ps
QAMLIVE043ps
QAMLIVE044ps
QAMLIVE045ps
QAMLIVE046ps
QAMLIVE050ps


EDIT 4: A little something I found: if you change the number of days for the "weekly recap" in IW, you can increase from 7 to 10 days or decrease (maybe there is no time limit but a game limit?):
You must login or register to view this content.
Last edited by Marbella ; 09-29-2017 at 10:14 AM.

The following 2 users say thank you to Marbella for this useful post:

Frosty, Tustin
09-29-2017, 04:54 PM #22
Tustin
Balls of Steel
Originally posted by Marbella View Post
I will make one tomorrow. :)

Another strange thing: the group IDs aren't random. If you create one now you will have something like ID 35000, and the next one ID 35001, etc.
So I have done some research to see if devs have created some test groups, to grab some PSNs of 3arc.

The first real group is this one:
You must login or register to view this content.

Which has ID 96. A strange thing is if you put a slash at the end of the link like this:
You must login or register to view this content.

It gives you a blank page. Also, the majority of page IDs behind 96 are blank pages, but some groups show up if you put a / at the end of the link or /members, so I wrote a little program to see the dev groups.
So I wrote some code that tests the first 100 group IDs; here it is:
    
let request = require("request");
let interval = 1 * 500; // Lowering the interval can get you IP banned

for (let i = 0; i < 100; i++) {
    setTimeout(function (i) {
        console.log("trying on " + i);
        // I ran the code on <groupid> with backslash, without backslash and with members; it seems like /member gives the best results
        request.get("https://www.callofduty.com/api/sso/cod/title/bo3/psn/teams/" + i + "/members", function (err, resp, body) {
            // Skip failed requests (resp is undefined on error) and empty bodies
            if (!err && body !== "") {
                console.log(resp.request.uri.href);
            }
        });
    }, interval * i, i);
}



Like the comment explains, I ran tests on /groupid without backslash, with backslash, and /members and /members/

And here are the three dev groups I found; I think the other one was deleted during game development:
You must login or register to view this content.
You must login or register to view this content.
You must login or register to view this content.

You can see only two PSNs:
mendicantca
QAMLIVE042ps

They seem to be some dev PSNs (or maybe beta testers?). Can't look atm since my PS4 is in another room, but maybe they sometimes play dev games, like BO3 had "Northwood" as its beta secret name.


Originally posted by Frosty View Post
Seems mendi hasn't been playing games since September 2016, and QAM must be a dummy account, considering You must login or register to view this content.


What's interesting about mendi is it seems he's an avid Destiny player -
, You must login or register to view this content.

Considering Destiny and COD are by the same publisher...perhaps mendi is QA?


There's quite a few QAMLIVE(\d{2,3})ps accounts if you search "QAMLIVE" on the PlayStation app. I checked a few and none of them show any recent activity but maybe in the next few weeks we might see some of them hop on WW2 or something.

EDIT: Whoops, I just saw Marbella's last reply about all the accounts!
Last edited by Tustin ; 09-29-2017 at 04:56 PM.

The following user thanked Tustin for this useful post:

Frosty
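
Seen from the API owner's side, the sequential team-ID walk quoted in the posts above leaves a recognisable trace in access logs. The sketch below is an added example, not part of the thread and not Activision's code. It flags clients that request a long run of consecutive team IDs in a short window. The log format, window and threshold are assumptions, and the sample lines are constructed.

```javascript
// Added example. Assumed log format (hypothetical):
// "<epoch ms> <client ip> <request path> <response body bytes>"
const TEAM_PATH = /\/teams\/(\d+)(?:\/members)?\/?$/;

// Constructed sample data, not real traffic.
const SAMPLE_LOG = [
  "1506667000000 203.0.113.7 /api/sso/cod/title/bo3/psn/teams/96 5120",
  "1506667090000 203.0.113.7 /api/sso/cod/title/bo3/psn/teams/35000/members 2048",
  "1506667200000 203.0.113.7 /api/sso/cod/title/bo3/psn/teams/35001/members 1990",
];
for (let id = 0; id < 40; id++) {
  // One client walking IDs 0..39 every 500 ms; most answers are empty bodies.
  const bytes = id % 13 === 5 ? 900 : 0;
  SAMPLE_LOG.push(`${1506667300000 + id * 500} 198.51.100.23 ` +
    `/api/sso/cod/title/bo3/psn/teams/${id}/members ${bytes}`);
}

function parseLine(line) {
  const [ts, ip, path, bytes] = line.trim().split(/\s+/);
  const m = TEAM_PATH.exec(path || "");
  return m ? { ts: Number(ts), ip, id: Number(m[1]), bytes: Number(bytes) } : null;
}

// Flag clients that request >= minRun consecutive team IDs within windowMs.
function findEnumerators(lines, { windowMs = 60000, minRun = 20 } = {}) {
  const byClient = new Map();
  for (const rec of lines.map(parseLine).filter(Boolean)) {
    if (!byClient.has(rec.ip)) byClient.set(rec.ip, []);
    byClient.get(rec.ip).push(rec);
  }
  const flagged = [];
  for (const [ip, recs] of byClient) {
    recs.sort((a, b) => a.ts - b.ts);
    let run = 1, runStart = recs[0].ts, best = 1;
    for (let k = 1; k < recs.length; k++) {
      const sequential = recs[k].id === recs[k - 1].id + 1;
      if (sequential && recs[k].ts - runStart <= windowMs) run++;
      else { run = 1; runStart = recs[k].ts; }
      best = Math.max(best, run);
    }
    const emptyResponses = recs.filter((r) => r.bytes === 0).length;
    if (best >= minRun) flagged.push({ ip, run: best, requests: recs.length, emptyResponses });
  }
  return flagged;
}

console.log(findEnumerators(SAMPLE_LOG));
```

A high share of empty responses alongside the run is a second signal, since an ordinary visitor follows links to groups that exist.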
09-29-2017, 07:54 PM #23
Tustin
Balls of Steel
I just got around to looking at the auth flow for the site and it's really simple. No captcha or csrf token checks at the moment. Here's a basic example of the login script:
    
<?php

$data = [
"username" => "[email protected]",
"remember_me" => "true",
"password" => "p@55w0rd"
];
$curl = curl_init();
curl_setopt_array($curl, array(
CURLOPT_RETURNTRANSFER => 1,
CURLOPT_URL => 'https://profile.callofduty.com/do_login?new_SiteId=cod',
CURLOPT_POST => true,
CURLOPT_POSTFIELDS => http_build_query($data),
CURLOPT_HTTPHEADER => [
'Content-Type: application/x-www-form-urlencoded',
'Cookie: AMCVS_0FB367C2524450B90A490D4C%40AdobeOrg=1; __utmt_dd8c0908a9be2688b4eb1ba01b8aabf5=1; ACT_SSO_LOCALE=en_US; ATVI_VISITOR_ID=anon-1506714328364-0.6579939320381232; __utma=229673283.1064438501.1506714327.1506714327.1506714327.1; __utmb=229673283.3.10.1506714327; __utmc=229673283; __utmz=229673283.1506714327.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); redirectUrl="https://my.callofduty.com/"; SSO_REDIRECTED_AT_LOGIN="https://my.callofduty.com/"; atkn=""; rtkn=""; agegate=""; country=""; mbox=check#true#1506714393|session#775b52c8450c413bb876bdec89fca133#1506716193|PC#775b52c8450c413bb876bdec89fca133.20_32#1514490333; AMCV_0FB367C2524450B90A490D4C%40AdobeOrg=1099438348%7CMCIDTS%7C17439%7CMCMID%7C07047275907769086351423327957578528689%7CMCAAMLH-1507319133%7C9%7CMCAAMB-1507319133%7CcIBAx_aQzFEHcPoEv0GwcQ%7CMCOPTOUT-1506721533s%7CNONE%7CMCAID%7CNONE%7CMCSYNCSOP%7C411-17446%7CvVersion%7C2.1.0; new_SiteId=cod; comid=cod; s_dfa=activision.prd; s_ppvl=https%253A%2F%2Fmy.callofduty.com%2Fiw%2Flogin%2C57%2C57%2C769%2C1600%2C769%2C1600%2C900%2C1%2CL; s_cc=true; s_ppv=callofduty%253Asso-callofduty%253Alogin%2C93%2C93%2C1169%2C1600%2C769%2C1600%2C900%2C1%2CL; gpv_c8=callofduty%3Asso-callofduty%3Alogin; s_nr=1506714342609-New; s_sq=%5B%5BB%5D%5D',
],
CURLOPT_COOKIEJAR => realpath('cookies.txt'),
CURLOPT_HEADER => true
));
$resp = curl_exec($curl);
var_dump($resp);


I don't know what the cookie header is for, but the login will fail without it. It doesn't seem to be unique because I tried logging in multiple times using it and it worked each time. Maybe someone else can give this a try and see if it works for them too. If it works, you should see a bunch of Set-Cookie headers get output in the var_dump.
12-22-2017, 01:57 AM #24
Tustin
Balls of Steel
I was looking around a bit more, and found something interesting:
https://profile.callofduty.com/cod/userInfo/<base64 string>

This endpoint takes a base64 encoded string that, when decoded, gives a string in this format:
5xxx986xxxx078xxx83:1515116063709:85xxx71742xxx42a8xxxce61dxxx4acc

The string seems to be in this format:
<accountID>:<login time as unix timestamp>:<some unknown md5 hash>

I couldn't figure out what the hash is exactly. I tried username, email, and password but it doesn't seem to match those. I'm only guessing it's MD5, but it could be salted, multiple rounds of MD5, or just something else entirely. I figure if you can find out what this hash is, you can fetch the userinfo for any account you want since this endpoint isn't locked behind authentication.
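
For comparison, here is how a server could issue and check a token of the same `<accountID>:<timestamp>:<hash>` shape so that knowing the format is not enough to read another account. This is an added example, not part of the thread, and it is not how the hash on this endpoint is computed (that is unknown on this page). It swaps in HMAC-SHA256 with a server-side key, an expiry and an ownership check; the secret, the 15-minute lifetime and the account IDs are assumptions.

```javascript
const crypto = require("crypto");

// Hypothetical server-side key; in practice it is loaded from a secret store.
const SECRET = crypto.randomBytes(32);
const MAX_AGE_MS = 15 * 60 * 1000; // assumed token lifetime

function mac(accountId, issuedAt) {
  return crypto.createHmac("sha256", SECRET)
    .update(`${accountId}:${issuedAt}`).digest("hex");
}

// base64("<accountID>:<issued at, unix ms>:<HMAC over the first two fields>")
function issueToken(accountId, now = Date.now()) {
  return Buffer.from(`${accountId}:${now}:${mac(accountId, now)}`).toString("base64");
}

function verifyToken(token, sessionAccountId, now = Date.now()) {
  const parts = Buffer.from(String(token), "base64").toString("utf8").split(":");
  if (parts.length !== 3) return { ok: false, reason: "malformed" };
  const [accountId, issuedAt, tag] = parts;
  if (!/^\d+$/.test(accountId) || !/^\d+$/.test(issuedAt) || !/^[0-9a-f]{64}$/.test(tag)) {
    return { ok: false, reason: "malformed" };
  }
  // Constant-time comparison; both buffers are 32 bytes after the format check.
  const expected = Buffer.from(mac(accountId, issuedAt), "hex");
  if (!crypto.timingSafeEqual(expected, Buffer.from(tag, "hex"))) {
    return { ok: false, reason: "bad-mac" };
  }
  const age = now - Number(issuedAt);
  if (age < 0 || age > MAX_AGE_MS) return { ok: false, reason: "expired" };
  // A valid token still only unlocks the account of the logged-in session.
  if (accountId !== sessionAccountId) return { ok: false, reason: "not-owner" };
  return { ok: true, accountId };
}
```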
12-22-2017, 02:16 AM #25
Hydrogen
Super Mod
Originally posted by Tustin View Post
I was looking around a bit more, and found something interesting:
https://profile.callofduty.com/cod/userInfo/<base64 string>

This endpoint takes a base64 encoded string that, when decoded, gives a string in this format:
5xxx986xxxx078xxx83:1515116063709:85xxx71742xxx42a8xxxce61dxxx4acc

The string seems to be in this format:
<accountID>:<login time as unix timestamp>:<some unknown md5 hash>

I couldn't figure out what the hash is exactly. I tried username, email, and password but it doesn't seem to match those. I'm only guessing it's MD5, but it could be salted, multiple rounds of MD5, or just something else entirely. I figure if you can find out what this hash is, you can fetch the userinfo for any account you want since this endpoint isn't locked behind authentication.


Can't you just decode it with Hashcat, or is it to the point where you would need to reverse the whole thing manually?
12-22-2017, 02:19 AM #26
Tustin
Balls of Steel
Originally posted by Hydrogen View Post
Can't you just decode it with Hashcat, or is it to the point where you would need to reverse the whole thing manually?

You could try to crack it but I'm far too lazy to set all of that up. For all I know it could just be some randomly generated hash that can't be generated yourself.

The following user thanked Tustin for this useful post:

Hydrogen
12-22-2017, 02:30 AM #27
Hydrogen
Super Mod
Originally posted by Tustin View Post
You could try to crack it but I'm far too lazy to set all of that up. For all I know it could just be some randomly generated hash that can't be generated yourself.


Isn't MD5 like two to the 128th power? Or something near that, lol. Eh, I have close friends from LeakBase that could try decoding it for you, not sure how you'd want to try that though.
10-10-2018, 01:20 PM #28
KilioZ
Gobble
Hey, Black Ops 4 Stats is online!

You must login or register to view this content.
I'm looking for a new API on BO4!

Copyright © 2024, NextGenUpdate.
All Rights Reserved.
