17

I am trying to simulate the Google+ button. In some part of the code at LINK, it converts the session ID into some kind of hash. What I found is that the session ID name is SAPISID and the converted hash name is SAPISIDHASH. Can anyone tell me which part of the code does the hashing? Any help will be appreciated. I have spent 6 hours straight, still no clue :(

For example, VUOyLIU22fNPz2ko/AbGsxW03_WHoGjaJq is the SAPISID and f17aa630b9b9a105dad437b0fedcafe429f6fca2 is the SAPISIDHASH. In PHP I tried all kinds of hashes; nothing matches.

4
  • The hash is 40 chars of hex digits, so it's probably a SHA-1 hash of some data. Exactly what data is anybody's guess... Commented Jun 3, 2013 at 23:21
  • Not only is it anybody's guess... but it meant they went out of their way to make sure nobody would be able to guess it. Commented Jun 3, 2013 at 23:23
  • ripemd160 is also 40 characters. I have tried all the hashes. The code does some symbol replacement, I guess, so I need to find what it does. Commented Jun 3, 2013 at 23:24
  • ... hunting this duck as well Commented Aug 17, 2015 at 17:26

4 Answers

53

VICTORY! Well for me at least 😛. The SAPISIDHASH I was looking for was the one in the API console. Automation for rather large job, totally legitimate. The one I found was a SHA1 on the current JavaScript milliseconds timestamp plus your current SAPISID from your cookie plus the domain origin. In order for my request to work I had to include the following headers in the request:

Authorization:SAPISIDHASH 1439879298823_<hidden sha1 hash value>

and:

X-Origin:https://console.developers.google.com

The first header, I assume, tells the server your timestamp and your SHA1 value. The second (breaks if you don't include it) tells it the origin to use in the SHA1 algorithm. I found the algorithm by digging through and debugging the hell out of tons of minified JS. NOTE: there are spaces appended between the values. The pseudo code is basically:

sha1(new Date().getTime() + ' ' + SAPISID + ' ' + origin);

That is at least how I got my SAPISIDHASH value in my use case here in 2015 (few years later I know)... different from yours but maybe I will help some other young good hacker out there one day.


4 Comments

If you want to laugh, the new Creator Manager also seems to use SAPISIDHASH: another challenge if you want ^^
Thanks, you're the best. I got the same resolution with a different API.
Thank you so much! It worked! Python: sha1(' '.join([str(int(time.time())), cookie['SAPISID'].coded_value, 'https://subdomain.google.com']).encode()).hexdigest()
How do people figure out stuff like that? Lol
8

All credits to Dave Thomas.

I just want to clarify that for the X-Origin, or Origin, you do not include the "X-Origin:" or "Origin:".

Here is one example:

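import java.io.UnsupportedEncodingException;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Formatter;

public class SAPISIDHASH {

    public static void main(String [] args) {

        String sapisid = "b4qUZKO4943exo9W/AmP2OAZLWGDwTsuh1";
        String origin = "https://hangouts.google.com";
        // Hash input: "<timestamp in ms> <SAPISID> <origin>", separated by single spaces
        String sapisidhash = "1447033700279" + " " + sapisid + " " + origin;
        System.out.println("SAPISIDHASH:\n"+ hashString(sapisidhash));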
        System.out.println("Expecting:");
        System.out.println("38cb670a2eaa2aca37edf07293150865121275cd");

    }

    private static String hashString(String password)
    {
        String sha1 = "";
        try
        {
            MessageDigest crypt = MessageDigest.getInstance("SHA-1");
            crypt.reset();
            crypt.update(password.getBytes("UTF-8"));
            sha1 = byteToHex(crypt.digest());
        }
        catch(NoSuchAlgorithmException e)
        {
            e.printStackTrace();
        }
        catch(UnsupportedEncodingException e)
        {
            e.printStackTrace();
        }
        return sha1;
    }

    private static String byteToHex(final byte[] hash)
    {
        Formatter formatter = new Formatter();
        for (byte b : hash)
        {
            formatter.format("%02x", b);
        }
        String result = formatter.toString();
        formatter.close();
        return result;
    }
}

Source for SHA-1 in Java: Java String to SHA1

1

This works in 2024 for youtube (js with Deno runtime)

const now = new Date();
const origin = "https://studio.youtube.com";
// Note: getTime() is already UTC epoch milliseconds; the offset term below is 0 only when the host clock runs in UTC
const timems = now.getTime() + (now.getTimezoneOffset() * 60 * 1000);
const timesec = Math.round(timems / 1000);
const SAPISID = cookieArray['SAPISID']; // you should know how to get it
const newHash = timesec + '_' + sha1(timesec + ' ' + SAPISID + ' ' + origin, "utf8", "hex"); // this sha1 function is from deno package but you can use any other from the samples above
const SAPISIDHASH = newHash; // 1704658177_78eb913fea82472cd726b118c51a6071f9d794f3

I use sha1 from deno but you can use any other realization for sha1 from samples above.


1

Today I also researched this latest calculation method, and the previous answers have already expired.

It has added a parameter "datasyncId" related to user login, which only requires searching for "datasyncId" or "DATASYNC ID" on the login page. It needs to take the second parameter for calculation.

import hashlib
import time

datasyncId = "10438XXXXXXXXXXXXXXX2||10510XXXXXXXXXXXXXXX7"
timesec = str(int(time.time()))
SAPISID = "" # from cookies
origin = "https://studio.youtube.com"
# Hash input: second half of datasyncId, timestamp in seconds, SAPISID and origin, space-separated
hash_input = datasyncId.split("||")[1] + ' ' + timesec + ' ' + SAPISID + ' ' + origin
SAPISIDHASH = timesec + '_' + hashlib.sha1(hash_input.encode('utf-8')).hexdigest() + '_u'

1 Comment

Alternatively to retrieve datasyncId, the first "XXXXXXXXXXXXXXXXXXXXX||XXXXXXXXXXXXXXXXXXXXX" in the response of youtube.com/getDatasyncIdsEndpoint request when loading youtube.com works fine. It seems that you are the only Internet post mentioning this new hash component, how have you found it out?
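
The token layouts described in the answers above, folded into one function and paired with a check of the kind a server could run, as an added example that is not code from any of the posts or from Google. `build_token`, `verify_token`, `max_skew` and the sample cookie value are assumptions made for illustration; how the real service validates the header is not shown on this page.

```python
import hashlib
import hmac

# Constructed sample values; not a real cookie.
SAPISID = "CONSTRUCTED-sapisid/NOT-A-REAL-COOKIE"
ORIGIN = "https://studio.youtube.com"


def build_token(sapisid, origin, ts, user_part=None):
    """Return '<ts>_<sha1 hex>', or '<ts>_<sha1 hex>_u' when user_part is given.

    ts is whatever timestamp the variant uses (milliseconds in the 2015
    answer, seconds in the later ones). user_part is one half of datasyncId.
    """
    fields = [str(ts), sapisid, origin]
    if user_part is not None:
        fields.insert(0, user_part)
    digest = hashlib.sha1(" ".join(fields).encode("utf-8")).hexdigest()
    return f"{ts}_{digest}" + ("_u" if user_part is not None else "")


def verify_token(token, sapisid, origin, now, max_skew, user_part=None):
    """Hypothetical verifier: recompute from the stored cookie and compare."""
    ts_text = token.split("_", 1)[0]
    if not (ts_text.isascii() and ts_text.isdigit()):
        return False
    ts = int(ts_text)
    # Without a freshness window a captured header stays valid as long as the cookie does.
    if abs(now - ts) > max_skew:
        return False
    expected = build_token(sapisid, origin, ts, user_part)
    # Constant-time comparison of the full token, suffix included.
    return hmac.compare_digest(expected.encode(), token.encode())


if __name__ == "__main__":
    tok = build_token(SAPISID, ORIGIN, 1700000000)
    print("Authorization: SAPISIDHASH", tok)
    print("fresh, same origin:", verify_token(tok, SAPISID, ORIGIN, 1700000030, 300))
    print("different origin  :", verify_token(tok, SAPISID, "https://example.invalid", 1700000030, 300))
    print("stale timestamp   :", verify_token(tok, SAPISID, ORIGIN, 1700009999, 300))
```

The digest is an unkeyed SHA-1 over the cookie, so the header only shows that the sender holds SAPISID and names the origin it claims; it adds no secret beyond the cookie itself.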
