The QLM web service api provides a command to create activation keys. It seems that this api call is not protected.
A request like this:
<your qlm web service url>/qlm/qlmservice.asmx/GetActivationKey?is_productid=1&is_majorversion=1&is_minorversion=0&is_qlmversion=5.0.00
will return a fresh, valid activation key in plain text. No kind of authentication seems to be necessary. Therefore anyone who knows the server url would be able to create an activation key, and use this key to unlock our application.
Is there a way to protect this api call?
I'm using Soraco's in-house QLM web hosting, and I followed all instructions in the e-mail that I received after purchase to the best of my knowledge.
Please sign in to leave a comment.