Accessing SCA Member Information

For reasons discussed here previously, I was curious as to how complex it might be to programmatically access member data from the SCA’s new member portal.

It turns out the switch from MembersOnly to NeonOne has made this dramatically easier, and we can access member data in just a few lines of Python without scripting Chrome or hand-crafting any RPC calls.

#!/usr/bin/env python3

import sys
import requests

if len(sys.argv) != 3:
    print(f'usage: {sys.argv[0]} LOGIN_NAME PASSWORD', file=sys.stderr)
    sys.exit(2)

# A Session keeps the cookies set by the sign-in response for later requests.
session = requests.Session()

# Submit the portal's sign-in form with the same field names the browser sends.
r = session.post(
    'https://sca.app.neoncrm.com/np/security/signIn.do',
    data={'loginName': sys.argv[1], 'loginPassword': sys.argv[2]})

# Fetch the profile without following redirects, so that anything other than
# a direct 200 (for example a redirect back to the sign-in page) is treated
# as a failed login rather than silently printing the login page.
r = session.get(
    'https://sca.app.neoncrm.com/nx/portal/constituent/accountProfile',
    allow_redirects=False)

if r.status_code != 200:
    print(f'Login failed: {r.status_code}')
else:
    print(r.text)

This script can be invoked on the command line, using your SCA member portal username and password, and outputs some member information.

$ python3 sca-check-membership.py mcavalletto my-secret-password
{"id":"96500","name":"Matthew Simon Cavalletto",...}
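As an added example (not part of the original post), here is the same login-then-fetch flow written against the Python standard library instead of requests, with the handling a practitioner would want around it: the password is read from an environment variable or prompted for rather than taken from the command line (arguments on argv end up in shell history and in process listings visible to other local users), the profile response is parsed and validated instead of printed raw, and a non-200 answer from the profile endpoint is reported as "not authenticated". The URLs and form field names are the ones from the script above; the `id` and `name` keys come from the sample output; the `NEON_PASSWORD` variable name and the assumption that an unauthenticated profile request gets a non-200 response are mine.

```python
#!/usr/bin/env python3
"""Fetch the caller's own NeonOne member profile (added example, stdlib only)."""
import getpass
import http.cookiejar
import json
import os
import sys
import urllib.error
import urllib.parse
import urllib.request

# Endpoints from the original script.
SIGN_IN_URL = "https://sca.app.neoncrm.com/np/security/signIn.do"
PROFILE_URL = "https://sca.app.neoncrm.com/nx/portal/constituent/accountProfile"


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Do not follow 3xx responses: they surface as HTTPError instead, which
    mirrors allow_redirects=False in the requests version."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def make_session():
    """An opener that keeps the sign-in cookies for the following request."""
    jar = http.cookiejar.CookieJar()
    return urllib.request.build_opener(
        urllib.request.HTTPCookieProcessor(jar), NoRedirect())


def encode_login_form(login_name, password):
    """URL-encoded body for signIn.do, using the portal's field names."""
    return urllib.parse.urlencode(
        {"loginName": login_name, "loginPassword": password}).encode()


def interpret_profile_response(status, body):
    """Reduce the raw profile response to the fields we rely on.

    Returns None whenever the server did not hand back an authenticated
    profile: a non-200 status (assumed to be the unauthenticated case), a body
    that is not JSON, or JSON without the id/name keys seen in the sample output.
    """
    if status != 200:
        return None
    try:
        data = json.loads(body)
    except ValueError:          # includes JSONDecodeError and bad UTF-8
        return None
    if not isinstance(data, dict) or "id" not in data or "name" not in data:
        return None
    return {"id": str(data["id"]), "name": data["name"]}


def fetch_profile(login_name, password, opener=None):
    """Sign in, then request the profile; None means not authenticated."""
    opener = opener or make_session()
    try:
        opener.open(SIGN_IN_URL, data=encode_login_form(login_name, password))
    except urllib.error.HTTPError as exc:
        # A redirect after sign-in is raised by NoRedirect; only 4xx/5xx is fatal.
        if exc.code >= 400:
            return None
    try:
        with opener.open(PROFILE_URL) as resp:
            return interpret_profile_response(resp.status, resp.read())
    except urllib.error.HTTPError as exc:
        return interpret_profile_response(exc.code, exc.read())


def main(argv):
    if len(argv) != 2:
        print(f"usage: {argv[0]} LOGIN_NAME", file=sys.stderr)
        return 2
    # NEON_PASSWORD is a name chosen for this example, not a portal setting.
    password = os.environ.get("NEON_PASSWORD") or getpass.getpass("Portal password: ")
    profile = fetch_profile(argv[1], password)
    if profile is None:
        print("Login failed or no profile returned", file=sys.stderr)
        return 1
    print(json.dumps(profile))
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python3 sca-profile.py LOGIN_NAME` and type the password at the prompt, or export `NEON_PASSWORD` first when it has to run unattended. Keeping the response check in a pure function (`interpret_profile_response`) means the "logged in or not" decision can be unit-tested without touching the portal at all.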

Obviously, using this script doesn’t create or exploit any security vulnerabilities, and it doesn’t allow you to access anyone else’s information other than your own — it merely automates some of the interactions that a person would routinely do in their web browser, in a way that allows the information to be used by software without having to manually copy-and-paste it.

Nonetheless, this is exactly the same functionality as the code which Brian De Moray was sanctioned for even discussing (and he didn’t post his sample code until after the server he was accessing had been decommissioned).

If the logic of Brian’s sanction was coherent, posting this tiny script would mean that the Board of Directors should immediately sanction me as well — but of course that would be a ridiculous injustice, for which they would be soundly mocked, as this code doesn’t do anything illicit.

I hope that this will instead help the Board understand the error that was made three years ago, and encourage them to reverse and expunge Brian’s sanction, and issue him an apology as I have previously urged.

[Update:] I’ve shared this to Facebook, to the webministry, and to Society leadership, in that order… but I haven’t followed the “established procedures for identifying and reporting vulnerabilities” because three years later the SCA still doesn’t have any such procedures.
