THREAD: Call of Duty API Endpoints
  1. 09-23-2017, 03:07 PM
    Tustin
    Recently, Activision You must login or register to view this content.. I thought it was pretty cool so I decided to see if they used an API. Not only do they use one, but it also requires no authentication (for most of it anyways) which makes it easy to use if you want to integrate directly on your website or application.

    Rather than making a library for this API, I figured it would be easier to just provide the API endpoints used. There aren't many of them right now, but hopefully it gets expanded in the future.

    Resources:

    API URLs:
    IW: You must login or register to view this content.
    BO3: You must login or register to view this content.

    Platform Identifiers (used for 'platform' parameter):
    PSN - psn
    Xbox Live - xbl
    Steam - steam

    Endpoints:

    User Stats:
    GET platform/{$platform}/gamer/{$username}/profile/ (example: platform/psn/gamer/tustin25/profile/)

    Leaderboards:
    GET platform/{$platform}/time/alltime/type/core/mode/career/page/1/ - returns the first page of lifetime core stats (example: platform/psn/time/alltime/type/core/mode/career/page/1/)

    Quartermaster Inventory (requires authentication):
    Support for BO3 supply drops isn't supported yet. I was hoping you could view anyone's inventory with this but this endpoint requires authentication to view unfortunately. I still need to reverse their authentication flow.
    GET platform/{$platform}/gamer/{$username}/inventory/?c=1506178397083 (example: platform/psn/gamer/tustin25/inventory/?c=1506178397083) not sure what the 'c' param is used for. The value is a unix timestamp but maybe it stands for cache?

    Keys/Salvage/COD Points (requires authentication):
    Again, requires authentication and also doesn't support BO3.
    GET platform/{$platform}/gamer/{$username}/currency/?c=1506178397084 (example: platform/psn/gamer/tustin25/currency/?c=1506178397084) see above endpoint for the 'c' param.

    Purchasing Supply Drop (requires authentication):
    This only purchases a common crate. I'm not too sure what the parameters are for a rare crate and purchasing with COD points.
    POST platform/{$platform}/gamer/{$username}/item/CommonCrate/purchaseWith/keys (example: platform/psn/gamer/tustin25/item/CommonCrate/purchaseWith/keys)

    Opening Supply Drop (requires authentication):
    Again, I've only tested this with common crates.
    POST platform/{$platform}/gamer/{$username}/item/CommonCrate/redeem (example: platform/psn/gamer/tustin25/item/CommonCrate/redeem)


    That's about all for now. Like I said, not enough to make some library for this and I also haven't reversed their auth flow yet so most of these endpoints aren't useful at the moment. Still pretty cool to see all the items you've gotten from supply drops though since I don't think all that data is displayed anywhere currently. Hopefully someone can find the statistics part useful at the very least!

  3. 09-29-2017, 06:40 AM
    Frosty
    Originally Posted by Marbella View Post
    I will make one tomorrow. Smile

    Another strange thing: the group IDs aren't random. If you create one now you will have an ID like 35000, and the next one will have the ID 35001, etc.
    So I have done some research to see if the devs created some test groups, to grab some PSNs of 3arc.

    The first real group is this one:
    You must login or register to view this content.

    Which has ID 96. A strange thing is that if you put a slash at the end of the link, like this:
    You must login or register to view this content.

    It gives you a blank page. Also, the majority of pages with IDs behind 96 are blank pages, but some groups show up if you put a / at the end of the link or /members, so I wrote a little piece of software to see the dev groups.
    So I wrote some code that tests the first 100 group IDs. Here it is:

    const request = require("request");
    const interval = 1 * 500; // Lowering the interval can get you IP banned

    for (let i = 0; i < 100; i++) {
        setTimeout(function (i) {
            console.log("trying on " + i);
            // I ran the code on <groupid> with backslash, without backslash and with members; it seems like /members gives the best results
            request.get("https://www.callofduty.com/api/sso/cod/title/bo3/psn/teams/" + i + "/members", function (err, resp, body) {
                if (err) {
                    // Network or TLS failure: resp is undefined here, so stop before touching it
                    console.error("request failed for " + i + ": " + err.message);
                    return;
                }
                if (body !== "") {
                    console.log(resp.request.uri.href);
                }
            });
        }, interval * i, i);
    }



    As the comment explains, I ran tests on /groupid without a backslash, with a backslash, and with /members and /members/.

    And here are the three dev groups I found. I think the other ones were deleted during game development:
    You must login or register to view this content.
    You must login or register to view this content.
    You must login or register to view this content.

    You can see only two PSNs:
    mendicantca
    QAMLIVE042ps

    They seem to be dev PSNs (or maybe beta testers?). I can't look atm since my PS4 is in another room, but maybe they sometimes play dev games, like how BO3 had "Northwood" as its secret beta name.


    Seems mendi hasn't been playing games since September 2016, and QAM must be a dummy account, considering You must login or register to view this content.


    What's interesting about mendi is it seems he's an avid Destiny player -
    , You must login or register to view this content.

    Considering Destiny and COD are by the same publisher...perhaps mendi is QA?
    Last edited by Frosty ; 09-29-2017 at 06:43 AM.
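
The sequential team-ID probing in the quoted script, seen from the server side: an added example, not part of the thread, that flags a client walking consecutive IDs. The log format, sample lines, thresholds and function name are constructed for illustration; only the URL path comes from the script above.

```javascript
// Added example: server-side detection of sequential team-ID probing.
const BASE = "/api/sso/cod/title/bo3/psn/teams/"; // path taken from the quoted script

// Constructed sample log (not real traffic): "<ip> <epoch-ms> <path>" per entry.
const SAMPLE_LOG = [];
for (let id = 0; id < 8; id++) {
  // One client walking IDs 0..7 at the 500 ms spacing used in the quoted script.
  SAMPLE_LOG.push(`203.0.113.7 ${1506700000000 + id * 500} ${BASE}${id}/members`);
}
SAMPLE_LOG.push(
  // A second client looking at a few unrelated groups.
  `198.51.100.4 1506700000100 ${BASE}35000`,
  `198.51.100.4 1506700004100 ${BASE}96/members`,
  `198.51.100.4 1506700009100 ${BASE}35001/`
);

// Matches /teams/<id>, /teams/<id>/, /teams/<id>/members and /teams/<id>/members/.
const TEAM_PATH = /\/teams\/(\d+)(?:\/members)?\/?$/;

// Returns clients whose longest run of strictly consecutive IDs (id, id+1, ...)
// inside a sliding time window reaches minRun.
function findEnumerators(lines, { minRun = 5, windowMs = 10000 } = {}) {
  const byClient = new Map();
  for (const line of lines) {
    const [ip, ts, path] = line.split(" ");
    const m = TEAM_PATH.exec(path || "");
    if (!m) continue; // not a team lookup
    if (!byClient.has(ip)) byClient.set(ip, []);
    byClient.get(ip).push({ ts: Number(ts), id: Number(m[1]) });
  }
  const flagged = [];
  for (const [ip, hits] of byClient) {
    hits.sort((a, b) => a.ts - b.ts);
    let start = 0; // index where the current consecutive run begins
    let longestRun = hits.length ? 1 : 0;
    for (let k = 1; k < hits.length; k++) {
      if (hits[k].id !== hits[k - 1].id + 1) start = k; // run broken
      while (hits[k].ts - hits[start].ts > windowMs) start++; // too old
      longestRun = Math.max(longestRun, k - start + 1);
    }
    if (longestRun >= minRun) flagged.push({ ip, longestRun });
  }
  return flagged;
}

console.log(findEnumerators(SAMPLE_LOG));
```

Detection only buys time; non-sequential group identifiers and an authorization check on the members listing remove what the walk relies on.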

  4. 09-29-2017, 07:26 AM
    Marbella
    Originally Posted by Frosty View Post
    Seems mendi hasn't been playing games since September 2016, and QAM must be a dummy account, considering You must login or register to view this content.


    What's interesting about mendi is it seems he's an avid Destiny player -
    , You must login or register to view this content.

    Considering Destiny and COD are by the same publisher...perhaps mendi is QA?


    Yeah, I really think he is a QA. The strange thing is that when QA/beta players are invited to Treyarch, they play on devkit consoles.
    I will not investigate his PSN any further since he seems like a legit player who was just a QA.

    For the second PSN, he has only two trophies on BO3, but you can see on his profile on the API that he played some MP:
    You must login or register to view this content.

    He also has "QA" in his PSN.

    I had another idea btw: I searched on other platforms and I found some stuff:
    You must login or register to view this content.

    His XBL tag is: dw-thc-ops3-beta

    The API seems to be broken on Steam (can't find anything).

    EDIT: There are also other PSNs with lower numbers, like QAMLIVE041ps instead of QAMLIVE042ps.

    EDIT 2: According to the trophy dates, these accounts were tested when the game was out & for testing Zombies Chronicles, I think.
    That means you can know when Activision is working on secret stuff like another DLC etc., since they use these accounts for every game.

    I know that because back when DLC5 had leaks, a guy from an Activision playtest leaked some info, but the posts are deleted:
    You must login or register to view this content.

    He said he played the DLC5 beta around the time these accounts played it.
    That's some pretty cool stuff!

    EDIT 3: I wrote a mini script that tries PSNs of the form QAMLIVE0XXps. Here is the list of QA testing accounts that have played BO3:

    EDIT 4: A little something I found: if you change the number of days for the "weekly recap" in IW, you can increase it from 7 to 10 days, or decrease it (maybe there is no time limit but a game limit?):
    You must login or register to view this content.
    Last edited by Marbella ; 09-29-2017 at 10:14 AM.


  6. 09-29-2017, 04:54 PM
    Tustin
    Originally Posted by Frosty View Post
    Seems mendi hasn't been playing games since September 2016, and QAM must be a dummy account, considering You must login or register to view this content.


    What's interesting about mendi is it seems he's an avid Destiny player -
    , You must login or register to view this content.

    Considering Destiny and COD are by the same publisher...perhaps mendi is QA?


    There's quite a few QAMLIVE(\d{2,3})ps accounts if you search "QAMLIVE" on the PlayStation app. I checked a few and none of them show any recent activity but maybe in the next few weeks we might see some of them hop on WW2 or something.

    EDIT: Whoops, I just saw Marbella's last reply about all the accounts!
    Last edited by Tustin ; 09-29-2017 at 04:56 PM.


  8. 09-29-2017, 07:54 PM
    Tustin
    I just got around to looking at the auth flow for the site and it's really simple. No captcha or csrf token checks at the moment. Here's a basic example of the login script:

    <?php

    $data = [
    "username" => "email@mail.com",
    "remember_me" => "true",
    "password" => "p@55w0rd"
    ];
    $curl = curl_init();
    curl_setopt_array($curl, array(
    CURLOPT_RETURNTRANSFER => 1,
    CURLOPT_URL => 'https://profile.callofduty.com/do_login?new_SiteId=cod',
    CURLOPT_POST => true,
    CURLOPT_POSTFIELDS => http_build_query($data),
    CURLOPT_HTTPHEADER => [
    'Content-Type: application/x-www-form-urlencoded',
    'Cookie: AMCVS_0FB367C2524450B90A490D4C%40AdobeOrg=1; __utmt_dd8c0908a9be2688b4eb1ba01b8aabf5=1; ACT_SSO_LOCALE=en_US; ATVI_VISITOR_ID=anon-1506714328364-0.6579939320381232; __utma=229673283.1064438501.1506714327.1506714327.1506714327.1; __utmb=229673283.3.10.1506714327; __utmc=229673283; __utmz=229673283.1506714327.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); redirectUrl="https://my.callofduty.com/";SSO_REDIRECTED_AT_LOGIN="https://my.callofduty.com/";atkn=""; rtkn=""; agegate=""; country=""; mbox=check#true#1506714393|session#775b52c8450c413bb876bdec89fca133#1506716193|PC#775b52c8450c413bb876bdec89fca133.20_32#1514490333; AMCV_0FB367C2524450B90A490D4C%40AdobeOrg=1099438348%7CMCIDTS%7C17439%7CMCMID%7C07047275907769086351423327957578528689%7CMCAAMLH-1507319133%7C9%7CMCAAMB-1507319133%7CcIBAx_aQzFEHcPoEv0GwcQ%7CMCOPTOUT-1506721533s%7CNONE%7CMCAID%7CNONE%7CMCSYNCSOP%7C411-17446%7CvVersion%7C2.1.0; new_SiteId=cod; comid=cod; s_dfa=activision.prd; s_ppvl=https%253A%2F%2Fmy.callofduty.com%2Fiw%2Flogin%2C57%2C57%2C769%2C1600%2C769%2C1600%2C900%2C1%2CL; s_cc=true; s_ppv=callofduty%253Asso-callofduty%253Alogin%2C93%2C93%2C1169%2C1600%2C769%2C1600%2C900%2C1%2CL; gpv_c8=callofduty%3Asso-callofduty%3Alogin; s_nr=1506714342609-New; s_sq=%5B%5BB%5D%5D',
    ],
    // cookies.txt must already exist: realpath() returns false for a missing file
    CURLOPT_COOKIEJAR => realpath('cookies.txt'),
    CURLOPT_HEADER => true
    ));
    $resp = curl_exec($curl);
    var_dump($resp);


    I don't know what the cookie header is for, but the login will fail without it. It doesn't seem to be unique because I tried logging in multiple times using it and it worked each time. Maybe someone else can give this a try and see if it works for them too. If it works, you should see a bunch of Set-Cookie headers get output in the var_dump.
  9. 12-22-2017, 01:57 AM
    Tustin
    I was looking around a bit more, and found something interesting:
    https://profile.callofduty.com/cod/userInfo/<base64string>

    This endpoint takes a base64 encoded string that, when decoded, gives a string in this format:
    5xxx986xxxx078xxx83:1515116063709:85xxx71742xxx42a8xxxce61dxxx4acc

    The string seems to be in this format:
    <accountID>:<login time as unix timestamp>:<some unknown md5 hash>

    I couldn't figure out what the hash is exactly. I tried username, email, and password but it doesn't seem to match those. I'm only guessing it's MD5, but it could be salted, multiple rounds of MD5, or just something else entirely. I figure if you can find out what this hash is, you can fetch the userinfo for any account you want since this endpoint isn't locked behind authentication.
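
The `<accountID>:<timestamp>:<hash>` shape from the post above, as an added example that is not part of the thread: a parser for that shape plus one hardened way a server could bind the third field to the first two. How the real service derives its third field is unknown; the HMAC-SHA256 scheme, key, function names and sample values here are assumptions made for illustration.

```javascript
// Added example: parsing the token shape and a hypothetical hardened design.
const nodeCrypto = require("crypto");

// Base64 is an encoding, not protection: anyone holding a token can split it.
function parseToken(b64) {
  const parts = Buffer.from(b64, "base64").toString("utf8").split(":");
  if (parts.length !== 3) return null;
  const [accountId, loginMs, tag] = parts;
  const ok = /^\d+$/.test(accountId) && /^\d+$/.test(loginMs) && /^[0-9a-f]+$/.test(tag);
  return ok ? { accountId, loginMs: Number(loginMs), tag } : null;
}

// Hypothetical issuer: the tag is a keyed MAC over the other two fields, so it
// cannot be recomputed from username, email or password by the token holder.
function issueToken(key, accountId, loginMs) {
  const tag = nodeCrypto.createHmac("sha256", key)
    .update(`${accountId}:${loginMs}`).digest("hex");
  return Buffer.from(`${accountId}:${loginMs}:${tag}`).toString("base64");
}

// Hypothetical verifier: recompute the MAC, compare in constant time, then
// reject tokens that are too old or dated in the future.
function verifyToken(key, b64, nowMs, maxAgeMs) {
  const t = parseToken(b64);
  if (!t) return null;
  const expected = nodeCrypto.createHmac("sha256", key)
    .update(`${t.accountId}:${t.loginMs}`).digest();
  const given = Buffer.from(t.tag, "hex");
  if (given.length !== expected.length) return null; // e.g. a 16-byte MD5-sized tag
  if (!nodeCrypto.timingSafeEqual(given, expected)) return null;
  if (t.loginMs > nowMs || nowMs - t.loginMs > maxAgeMs) return null;
  return t.accountId;
}

// Constructed sample values, not taken from any real account.
const DEMO_KEY = Buffer.from("constructed-demo-key-not-a-real-secret");
const DEMO_TOKEN = issueToken(DEMO_KEY, "1000000000000000001", 1515116063709);
console.log(parseToken(DEMO_TOKEN));
console.log(verifyToken(DEMO_KEY, DEMO_TOKEN, 1515116063709 + 1000, 3600000));
```

Even with an unforgeable tag, the lookup should still sit behind the session check, so that a leaked token alone does not return profile data.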
  10. 12-22-2017, 02:16 AM
    Hydrogen
    Originally Posted by Tustin View Post
    I was looking around a bit more, and found something interesting:
    https://profile.callofduty.com/cod/userInfo/<base64string>

    This endpoint takes a base64 encoded string that, when decoded, gives a string in this format:
    5xxx986xxxx078xxx83:1515116063709:85xxx71742xxx42a8xxxce61dxxx4acc

    The string seems to be in this format:
    <accountID>:<login time as unix timestamp>:<some unknown md5 hash>

    I couldn't figure out what the hash is exactly. I tried username, email, and password but it doesn't seem to match those. I'm only guessing it's MD5, but it could be salted, multiple rounds of MD5, or just something else entirely. I figure if you can find out what this hash is, you can fetch the userinfo for any account you want since this endpoint isn't locked behind authentication.


    Can't you just decode it with Hashcat, or it's to the point where you would need to reverse the whole thing manually?
  11. 12-22-2017, 02:19 AM
    Tustin
    Originally Posted by Hydrogen View Post
    Can't you just decode it with Hashcat, or it's to the point where you would need to reverse the whole thing manually?

    You could try to crack it but I'm far too lazy to set all of that up. For all I know it could just be some randomly generated hash that can't be generated yourself.

  13. 12-22-2017, 02:30 AM
    Hydrogen
    Originally Posted by Tustin View Post
    You could try to crack it but I'm far too lazy to set all of that up. For all I know it could just be some randomly generated hash that can't be generated yourself.


    Isn't MD5 like two to the 128th power? or something near that, lol. Eh, I have close friends from LeakBase that could try decoding it for you, not sure how'd you want to try that though.
  14. 10-10-2018, 01:20 PM
    KilioZ
    Hey, Black Ops 4 Stats is online!

    You must login or register to view this content.
    I'm looking for new APIs on BO4!