unblock-us and security
Nov 18, 2014
2 minutes read

Unblock-us, in a nutshell, is a service that allows you access the blocked content on your country by proxying the connection through other countries via a custom DNS server. It’s so simple and useful that I cannot think a reason not to pay $4.99 per month (yes, I’m also too lazy for the alternatives).

But one thing that always bothered me was the lack of options, besides browsing the site, to switch countries and to re-activate the service. The site solves this well since it’s mobile friendly and it worked fine for me for some time, but why not simply do it via command line?!

After a little inspection, I found the urls that I needed and started testing the status/activation endpoint, but the requests wasn’t sending any parameters other than a timestamp and a callback:

parameters

Looking at the headers I saw this (the value is my email encoded):

cookie loco

A plain-text cookie based authentication?! Could it be? Testing with curl was easy enough to check it.

curl http://check.unblock-us.com/get-status.php --cookie _stored_email_=$my_email

And it worked. I built a client in Go as an experiment to use it:

https://github.com/mvrilo/unblockus

Unfortunately, it also means that basically you can use anyone’s account if you know the email. If you are a little paranoic like me, I would recommend you to at least change your email to a not so well known, or if you use gmail you could hide it using the plus sign or dots.

EDIT

Due to the simplicity of the requests and my need to have something casual on my Raspberry Pi, I ended up writing a shell script that do same job, synchronously.

See it here.