Using FTDNA's API

Edit 1 5/11/2018: Note that this doesn't imply anything dangerous for you at all and you can continue using ftdna as normal; it is a fantastic website. Also, there's a chance that the information I was sent regarding who was supposed to be able to use the API may have been incorrect; see the comments section for an interesting discussion on that. I think that the big takeaway from this post should be that if you want to use the API for your company it's worth checking in with ftdna to make sure you have permission to do so.

Edit 2 5/11/2018: I've been looking into it more, and I believe that this isn't in fact an issue at all, which I'm very happy about. I'm still confused about why ftdna told me otherwise, and it may be that you're technically still not supposed to use it, but I'm really not sure at this point. Special thanks to the anonymous commenter for clearing things up!

Note: I actually wrote this all the way back on March 12th. I had notified FTDNA of the fact that their API was accessible by the public even before that. I'm publishing this now because I feel it's my right/responsibility. They made the decision not to fix it or to notify the public that they can use the API, so I think that somebody should. I'm hoping that this post will perhaps raise awareness about this and make FTDNA make a definitive choice about whether they want their API to be publicly available (which I personally think would be fantastic).

Purpose

This document will serve to explain the process through which I found a security vulnerability in the FTDNA web API, as well as the process I went through in reporting said vulnerability and what I would have done differently if given the chance.

Definitions

Some company names and terms used in this document will undoubtedly be unfamiliar to those reading it. This section will serve to clarify said terms.

Company Names

FTDNA: Short for Family Tree DNA. They're estimated to have DNA tested about 850k people, making them one of the most popular DNA testing companies currently. I've tested 6 people here including myself.

Technical terms

API: Short for Application Programming Interface. Allows programs to send requests to servers and receive responses back. For example, here is an API that when queried (another word for sending a request) will put random animated cats on your website: http://thecatapi.com/

HTTP GET and POST: GET and POST are HTTP methods, meaning that you can use them with the Hypertext Transfer Protocol to interact in some way with whatever is using HTTP. GET will request data from a source (such as our API) and POST will send data to the source to be processed in some way.

DLL: Short for Dynamic-Link Library. .dll files hold the code and procedures required by Windows programs.

Variable: In programming, a variable is a piece of text assigned to a value. If a variable isn't assigned to a value but is used elsewhere in the program, it can be expected that an error will be returned.

Object: In .NET programming, this is a block of memory that has been reserved for something. It's important to note that they can be stored in variables.

Plaintext: Human-readable strings that make use of the normal alphabet.

JSON: Short for JavaScript Object Notation, it's a format standard used for structuring data for use between different applications.

Tools and Applications

Postman: Postman is an app for API development. Part of API development is testing, so it also has the useful functionality of allowing you to send GET and POST requests, among other things.

Task Manager: Windows utility for monitoring processes, services, and applications.

DNAGedcom Client: A tool which can be used to gather and analyze DNA data from genetic testing companies.

The Initial Problem

I noticed that I was getting a remote server connection error when using DNAGedcom at home. I tested it out on my school's network and was able to collect the data I wanted. That made me realize that this was a problem with my home network. After trying a lot of solutions (including contacting DNAGedcom's tech support) I was about ready to give up. I decided to try one last thing, though, before I did.

Looking at DNAGedcom's Files

The following are the steps I took trying to view DNAGedcom's main application files:

  • Searched for "DNAGedcom" in the search bar in the Windows 10 taskbar
  • Right clicked the DNAGedcom file that popped up and selected "open file location"
The application reference file location
  • Was led to an application reference file (shown above). Normally you can right click this and select 'open file location', but this one didn't have that option.

Open file location in Job Supervisor

  • I opened Task Manager, selected open file location, and was directed to DNAGedcom's actual files

The DLL

DNAGedcom's main files

You can see here I have one file highlighted specifically, that being "DNAGedcom.Shared.FTDNA.dll". I thought to myself, well, that might have some useful information that would pertain to what's going wrong. So I opened it in Notepad++ and was greeted by this:
All these black characters are non-ASCII.
But if I scroll down all the way to the bottom, you can see they stored the API queries in the DLL as plaintext. I could have also used the Linux 'strings' command on the file to find all ASCII text, but figured this was faster than firing up a VM. Highlighted below are the GET requests the application used to query the API (notice the GET methods).
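The 'strings' step above is the same check a reviewer would run on any shipped client binary: URL templates and credentials embedded as literals are trivially recoverable, so nothing in a DLL should be treated as secret. The following Python is an added example, not code from the post or from DNAGedcom; it reimplements the core of 'strings' over a constructed byte blob that stands in for a DLL (the blob, the DGKIT placeholder and the helper names are all my own). It goes a little beyond GNU strings' default by also recovering UTF-16LE text, which is how .NET stores string literals and which is what produces the NUL-spaced characters seen in a plain text editor.

```python
import re
from typing import List

MIN_LEN = 4  # same default minimum run length as GNU strings

# Regex for a URL inside a recovered string; constructed for this example.
URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def extract_strings(data: bytes, min_len: int = MIN_LEN) -> List[str]:
    """Return printable runs found in `data`, in file order.

    Two encodings are scanned: plain ASCII (what `strings` does by default)
    and UTF-16LE, i.e. each printable ASCII byte followed by a NUL
    (what `strings -e l` does, and how .NET keeps string literals).
    """
    ascii_run = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    utf16le_run = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)

    found = []
    for m in ascii_run.finditer(data):
        found.append((m.start(), m.group().decode("ascii")))
    for m in utf16le_run.finditer(data):
        found.append((m.start(), m.group().decode("utf-16-le")))
    found.sort()  # order by offset so the output reads like the file
    return [text for _, text in found]


def find_urls(strings: List[str]) -> List[str]:
    """Pick the URL-looking substrings out of recovered strings."""
    urls = []
    for s in strings:
        urls.extend(URL_RE.findall(s))
    return urls


def build_sample_dll_blob() -> bytes:
    """Constructed stand-in for a DLL; this is NOT real file content.

    Non-printable filler surrounds one ASCII literal and one UTF-16LE
    literal, mimicking the mix seen in a .NET assembly. DGKIT is a
    constructed placeholder, not a real kit number.
    """
    header = b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff"
    junk = bytes(range(0x80, 0x100))  # high bytes, all non-printable
    ascii_literal = (
        b"GET https://www.familytreedna.com/my/family-finder-api/profile?kitNums=DGKIT"
    )
    utf16_literal = (
        "https://www.familytreedna.com/my/family-finder-api/matches"
        "?page=DGPAGE&pageSize=DGSIZE"
    ).encode("utf-16-le")
    return header + junk + b"\x00\x01" + ascii_literal + b"\x00\x7f" + junk + utf16_literal + b"\x00\x00"


if __name__ == "__main__":
    for url in find_urls(extract_strings(build_sample_dll_blob())):
        print(url)
```

Run against a real file, `extract_strings(open(path, "rb").read())` produces the same list a text editor shows only after scrolling past the binary sections, and `find_urls` narrows it to the endpoints worth reviewing. Since the UTF-16LE pass is what makes .NET literals readable, it is the one to keep enabled when auditing managed assemblies.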


Messing With The API

I tried the first link I saw in Google like so:
https://www.familytreedna.com/my/family-finder-api/profile?kitNums=B22932&kitNums=B24666&kitNums=B24676

This led me to a login screen. When I tried to log in I got the same error I was getting before, which told me that it was likely this link that was causing my connectivity problems in some way. I still haven't figured out how to fix it, but I did end up finding out a lot of other stuff. So I tried the next link:

https://www.familytreedna.com/my/family-finder-api/matches?filter3rdParty=false&filterId=0&page=DGPAGE&pageSize=DGSIZE&selectedBucket=0&sortDirection=desc&sortField=relationshipPercentage()&trial=0

This link actually returned an error, but the error was descriptive enough that I was able to fix it:
The error, specifically, is "Object reference not set to an instance of an object". Well, that's an easy fix. Objects are tied to variables, and that must mean that there's a variable in the API reference that needs to be set. So I broke down the URL like so:
https://www.familytreedna.com/my/family-finder-api/matches?filter3rdParty=false&filterId=0&page=DGPAGE&pageSize=DGSIZE&selectedBucket=0&sortDirection=desc&sortField=relationshipPercentage()&trial=0

Yellow: Main API URL
Pink: Specifies the main type of data to get (match list)
Light Blue: Variables assigned to values
Bright Blue: Variables not assigned to values (just other variables)
Crimson: Ampersands separating variables from one another

The bright blue values are the ones I need to change, because those variables are causing the errors. After some messing around putting the URL in my browser, I found that DGPAGE specified which page of matches to start on. I set this to 1. I also found that the variable DGSIZE represented the number of people the API would give information for.
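The breakdown above is a query-string template: DNAGedcom fills DGPAGE and DGSIZE at runtime, and the server's unhandled null reference is what happens when it receives them unfilled. From the server side that verbose .NET message is the thing to fix (a generic 400 tells a caller nothing about the implementation); from the reviewing side, separating the assigned parameters from the placeholders is the first step of understanding any embedded template. The Python below is an added example, not code from the post or from DNAGedcom; the placeholder rule (an all-caps token such as DGPAGE) and the sample values 1 and 50 are my assumptions.

```python
import re
from typing import Dict, List, Tuple
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Heuristic for an unfilled template variable (assumption for this example):
# an all-caps token like DGPAGE or DGSIZE rather than a concrete value.
PLACEHOLDER = re.compile(r"^[A-Z][A-Z_]+$")

# The template URL quoted in the post, with its two placeholders still in place.
TEMPLATE = (
    "https://www.familytreedna.com/my/family-finder-api/matches"
    "?filter3rdParty=false&filterId=0&page=DGPAGE&pageSize=DGSIZE"
    "&selectedBucket=0&sortDirection=desc&sortField=relationshipPercentage()&trial=0"
)


def split_query(url: str) -> Tuple[object, List[Tuple[str, str]]]:
    """Split a URL into its parts and an ordered list of (key, value) pairs."""
    parts = urlsplit(url)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    return parts, pairs


def classify_params(url: str) -> Tuple[Dict[str, str], List[str]]:
    """Return (assigned parameters, names of parameters still holding a placeholder).

    This mirrors the light-blue / bright-blue split in the post's breakdown.
    """
    _, pairs = split_query(url)
    assigned = {k: v for k, v in pairs if not PLACEHOLDER.match(v)}
    unfilled = [k for k, v in pairs if PLACEHOLDER.match(v)]
    return assigned, unfilled


def fill_template(url: str, values: Dict[str, object]) -> str:
    """Substitute every placeholder from `values` and rebuild the URL.

    Raises KeyError when a placeholder has no value, which is the client-side
    check that would have avoided sending DGPAGE/DGSIZE to the server at all.
    """
    parts, pairs = split_query(url)
    filled = []
    for key, val in pairs:
        if PLACEHOLDER.match(val):
            if val not in values:
                raise KeyError(f"placeholder {val} for parameter {key!r} has no value")
            val = str(values[val])
        filled.append((key, val))
    # safe="()" keeps sortField=relationshipPercentage() as the server expects it
    return urlunsplit(parts._replace(query=urlencode(filled, safe="()")))


if __name__ == "__main__":
    assigned, unfilled = classify_params(TEMPLATE)
    print("assigned:", assigned)
    print("unfilled:", unfilled)
    print(fill_template(TEMPLATE, {"DGPAGE": 1, "DGSIZE": 50}))
```

`classify_params` reproduces the colour-coded breakdown programmatically, and `fill_template` refuses to build a request while any placeholder is still unset, so the error surfaces in the client rather than as a server-side exception message.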

Using Postman

I wanted to try to output the information of a huge number of people, which would be fastest if done with a direct GET request. So I opened up Postman, put in the new URL, and received over 160k lines of match-related data for over 4,000 people for free as nicely formatted JSON data. This isn't actually a huge problem privacy-wise, but it's bad for FTDNA, as if a lot of people were to use it, it would be a huge server load that they'd make no money off of. Note that you can only get data on the matches for the kit you're logged in to, so it's things that you could get about those people anyway on the main match page, just with much better formatting.

Initiating Contact

At this point I realized something might not be quite right. I thought that it would be cool to keep using the API, but I talked to a few friends and they suggested I contact ftdna just in case. So I contacted ftdna through their Facebook page (email would have taken longer):

So I sent them a write-up; they thanked me and said they'd get it fixed as soon as possible.

What I Would Have Done Differently

After the fact, I realized I should have contacted them immediately instead of waiting a few days. Generally companies aren't especially happy when people mess with things they aren't supposed to, and it could have ended badly if this were a larger issue or if I somehow happened upon information I shouldn't have. However, FTDNA didn't end up fixing it even a few months afterward anyway. Also, I would have made a larger effort to focus on the issue I was having, which I still haven't figured out.
