PicoPico Maker is a mobile platformer game in which the users can make levels and publish them.Level data is sent through an HTTP POST request to piko77.com/api_ver3/send_game_data_ver3.php. After sending it, an id and a web page are attributed to the level.It is really easy to send arbitrary level data and bypass the required level completion (it's mandatory to finish a level before publishing it).But that's not all: the thumbnail which appears on the level's web page is also sent through this request, though I don't see the point of that. It is therefore possible to put a custom one.Here is an example arbitrary thumbnail:https://piko77.com/en/game.php?id=f60790b7c63384fe7a470e1b4ec01817
Here is the script used to send it:https://paste.c-net.org/HostedPlaymateThe id of the sent level is in the "hash=" field of the server's response.
>>101568981This is cool but a bit too much work.Also it requires one to install an app from the store.
