-3

Hey guys, I have written a small webservice which allows users of a company (let's call it xyz) to log in to xyz's website remotely via my iPhone app (without ever going on xyz's official website to log in).

After logging these users in programmatically to xyz's website, I can allow my users to do many authenticated tasks xyz offers.

Since xyz does not offer APIs for this, I was forced to hijack xyz's login cookies from my webservice to allow users to use all the authenticated features.

At no point in time am I saving xyz users' usernames or passwords, and I use HTTPS for my webservice to ensure the safety and security of users.

However, I have got an email from xyz asking me to shut down my webservice or otherwise face legal action. If I do that, my users would be very unhappy to lose so many cool features of my iPhone app.

I wanted to know the best way to host my webservice on some offshore server which has elastic / dynamic IP addresses with completely different patterns (so xyz can't block a particular range of IPs or even domain names).

I have heard Amazon provides elastic IPs - can they be used for such a scenario?

Or can someone help me come up with a better solution?

The webservice is ASP.NET 3.5 based.

Raj
  • So you want us to help you do something that you've already been told to cease on threat of legal action?? No thanks. -1 – squillman Aug 06 '10 at 12:35
  • It's not illegal :-) let's look at it this way - it's in a way similar to a twitter client - only difference twitter has official APIs whereas xyz does not provide any APIs... illegal would be to misuse users' credentials or hack their passwords – Raj Aug 06 '10 at 12:37
  • If they are threatening legal action then obviously they think that you are violating their terms and that is illegal. – squillman Aug 06 '10 at 12:51
  • have you not asked them to produce an API? – JamesK Aug 06 '10 at 12:52
  • Have you just tried asking them nicely for an API? Or even talking with them before embarking on what is sure to cause all kinds of useless drama? Amazing what you can do with honey instead of vinegar.... – Avery Payne Aug 06 '10 at 17:27
  • My dear friends - I have literally begged them for APIs but they just don't want to provide... they allow other guys to do exactly what we are doing... but just because we are big in size they don't want to allow us to do that... it's SIMILAR to how APPLE screws google apps on the iphone app store but allows other small time guys to offer the same functionality – Raj Aug 07 '10 at 08:30

1 Answer

1

Let me see if I have this right. You built an app that not only sits in the middle of an authenticated connection, but authorizes the connection also? Sounds to me like a keylogger. Then you're asking us how to circumvent the law?

> illegal would be to misuse users' credentials or hack their passwords

So based on you just saying that you're not misusing people's passwords, they should believe you? And on top of having their userids and passwords, you'll have everything they type into your app (including "authenticated tasks") on your end. You don't have XYZ's permissions to be a middle-man, so stop. What you're doing is not only unethical, it's illegal...

I'm willing to bet that most of us Sys Admins spend a lot of time and effort making sure our companies FOLLOW the law. While I'm also sure a good deal of us spend time "hacking" in order to learn, I don't believe that you're asking the right group of folks to help you out.

GregD