Is pentesting allowed and if so what are the rules?

Hey, I would like to do some pentesting on your website and thought it would be better If I asked for permission first. not looking for bounties here :slight_smile:

I am not gonna be doing any brute-forcing or DDoS-ing of any kind or do anything to disrupt your service or your server.

what domains are not in the scopes we are allowed to test?

also what email can I send to if I find anything? (as I will not be disclosing any findings publicly for sure )


We are in the middle of setting up a bug bounty program as part of Snap so you may want to wait until then? Should be done by the end of the year.

Otherwise send any findings to :slight_smile: In theory, it should all be fair game :sweat_smile:

CC’ing @yak32 FYI


I already found some extreme glitches like duplicating game listings and getting like 10 plays per minute but that was over a year ago and I didnt really care that much.

just tested now and both glitches still work so lol found a way to literally get millions of plays if desired. in fact ima make a glitch test project just to see how high I can get it.

So within the span of exactly one hour I created a project, set up the exploit, and got a total of 405 plays. Including the fact I spent some of that time creating and setting up properly, and time spent trying to figure out how exactly I did it before, thats around 500 plays per hour. Meaning in a 24 hour period the project would have 12,000 plays. If a macro was set up (yes this is easily macroable), at a rate of exactly 500 plays per hour the project would reach one million plays in 83 days. This could possibly be even shorter if more instances are created, or the macro is optimized beyond even what I could to manually.

To put this into perspective the lowest number of plays on the highest page of the plays list has 64,938 plays on it (the game is Galaxies: combat). That means it would be only 6 days of macro to get any project you want to on the top page of plays. Even without a macro this is still very doable manually like I did. Yes it would take a lot of mind numbing repetitive actions over around 2 weeks but still completely doable.

Yes a nothing project created a week ago with tens of thousands of plays could easily be identified and removed, but this exploit works with literally every project. My project has 405 plays with only 6 views. Thats obviously illegitimate but combine it with a view gain glitch (yes that exists also and is even easier) and any somewhat decent looking project could easily just become suddenly popular and it would be practically impossible to know if the plays are legitimate or not. This makes not only plays but also views completely meaningless as any dedicated person working on any project could just manually generate 10,000 plays in about 3 days without a single other person even knowing it exists.

This is absolutely insane for many reasons. There are a dozen things you can do with this information and none of them are good, at least not for the playcanvas company. Someone could join a project with other people and generate thousands of plays without them even knowing and there isnt really any way to prove who did it. In fact now that I think about it multiple people could manually generate plays together and absolutely fractionalize the time required to reach absurd play counts. As far as I know its not really possible to show where the plays came from, and even if it was possible it wouldnt really help.

To conclude my extremely long experiment recap, any person can do this for any reason on any project at any time for any amount, and as long as they dont straight up admit to it there is zero way to prove what happened. Im not going to explain how the glitch works, at least not yet. But considering I first found this glitch way over a year ago and it still works the exact same today doesnt look good on the ability to patch it. I do have many ideas of how it could be patched but in my opinion as long as nobody knows how it works ill keep it to myself.

@ALUCARD Can you send details of exploit over to please?

I need to run some more tests. Im going to run a macro and just leave it for a while to see if my theory is correct.



END 2:33 PM


OBSERVATIONS: The macro was quite unoptimized and slow. At one point I had to spend around 10 minutes fixing it and there were a few minutes of downtime. Macro requires improved efficiency.

RESULT: Not impressed but not disappointed either. Extremely mediocre result.

Gonna run a second test and see how the improvements go



END 3:50 PM
1,177 PLAYS


OBSERVATIONS: Much better. In fact, more than I could achieve manually. Still thinking of improvements but not much left to improve. Perhaps I will leave it running overnight just to see how far this can go.

RESULT: Very satisfied.

Third experiment. Leaving the macro on for multiple hours

START: 4:00 PM

END 5:00 AM
6,601 PLAYS

GAIN RATE: 5,424 (417.230769 PER HOUR)

OBSERVATIONS: This is just dumb at this point. Plays are now completely meaningless.

RESULT: Insane.