question

Pola Kamal Zaki asked

Auto-Banned by playfab and title acting up

Yesterday, all of a sudden, when players tried to log in during the night, their accounts got spammed with 3 or 4 bans saying the reason is "Automatic ban from playfab".

Also, a few times, when some players entered the game, some of their user title data got auto-edited; after a few days, some of the title data got edited into a weird format or just bugged out, so that the string read inside the client is broken.

What is the reason for that?

Tags: Player Data, Title Data

Rick Chen answered

I cannot reproduce any of the issues you mentioned. Could you please check your title audit history and see if some stranger is editing your title? If so, I suggest you change your password and refresh your developer secret keys. Please also check if there is anything weird in your Studio's Roles and Users.

If there is no issue in your title audit history, nor in your Studio’s Roles and Users, please check the following things:

  • If you have used the BanUsers API in your Cloud Script

  • If you have misused the UpdateUserData API on your client side so that it writes data in an incorrect format to the game. Please also note that malicious users can call the UpdateUserData API directly without starting your game and easily change the format of the data. I suggest you use read-only data to store the data and use Cloud Script to validate the format of the data before updating the read-only data.

4 comments

Pola Kamal Zaki commented:

Hello Rick, Thank you for this feedback.

We have already changed the secret key twice so far within the span of a month.

My question here is, how is it possible for any API, even if called from the client, from Azure, or even from the legacy Cloud Script, to affect over 100 players at the same time?

If so, how would they gather data for over 100 players? Knowing that there were no segments or tasks fired on the title during that time.

If so, is there a way to call Cloud Script directly via HTTP requests outside PlayFab? If so, how can I check it? I know Azure is locked out of this part and won't cause that headache for us if no one has access to it.

Rick Chen ♦ commented (in reply to Pola Kamal Zaki):

If the attacker has the developer secret key, they can call all the Server APIs and Admin APIs (pretty much everything). They can get players from segments/leaderboards through the Admin/Server APIs. And they can ban any user they want with any reason. So it is very important to keep your developer secret key safe.

Usually Cloud Script is called from the client. Cloud Script is designed to enable the client to call Server APIs under the rules you define. If you do not intend to let the client call a Server API, please do not write it in your Cloud Script. When calling Cloud Script from the client, you can set the "GeneratePlayStreamEvent" parameter to true so that you can search for the relevant events about this call. However, the attacker can just set it to false so that it won't generate any PlayStream event.

Pola Kamal Zaki commented (in reply to Rick Chen ♦):
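The two points Rick makes above (validate client-supplied data in Cloud Script before storing it as read-only data, and do not rely on the client's "GeneratePlayStreamEvent" flag for your audit trail) can be combined in one handler. The following is an added example, not code from the original thread or from PlayFab's own samples. It follows the legacy Cloud Script conventions (a function registered on `handlers`, the `server` API object and the `currentPlayerId` global), but the handler name `setLoadout`, the "loadout" record with a `skin` string and an integer `level` 1..100, and the event name `loadout_update_attempt` are all invented for illustration. The `server` object is passed in as a parameter and faked here so the logic runs offline; in a real title you would use the global `server` and `currentPlayerId` instead.

```javascript
// Added example (not from the PlayFab thread): a legacy Cloud Script handler that
// validates client input before writing it as read-only player data, and writes
// its own PlayStream event so auditing does not depend on the client's
// GeneratePlayStreamEvent flag. Names below (setLoadout, loadout, skin, level,
// loadout_update_attempt) are hypothetical.

// Whitelist of accepted values; written in ES5 style because legacy Cloud Script
// runs in an older JavaScript environment.
var ALLOWED_SKINS = { "default": true, "red": true, "blue": true };
var MAX_PAYLOAD_BYTES = 1024;

// Pure validation: takes the raw JSON string from the client, returns either
// { ok: true, value: <canonical JSON string> } or { ok: false, error: <reason> }.
function validateLoadout(raw) {
  if (typeof raw !== "string" || raw.length > MAX_PAYLOAD_BYTES) {
    return { ok: false, error: "payload must be a string of at most " + MAX_PAYLOAD_BYTES + " bytes" };
  }
  var obj;
  try {
    obj = JSON.parse(raw);
  } catch (e) {
    return { ok: false, error: "payload is not valid JSON" };
  }
  if (obj === null || typeof obj !== "object" || Array.isArray(obj)) {
    return { ok: false, error: "payload must be a JSON object" };
  }
  // Reject unexpected keys so a client cannot smuggle extra fields into storage.
  var keys = Object.keys(obj);
  if (keys.length !== 2 || !obj.hasOwnProperty("skin") || !obj.hasOwnProperty("level")) {
    return { ok: false, error: "payload must contain exactly 'skin' and 'level'" };
  }
  if (typeof obj.skin !== "string" || !ALLOWED_SKINS.hasOwnProperty(obj.skin)) {
    return { ok: false, error: "unknown skin" };
  }
  if (typeof obj.level !== "number" || obj.level % 1 !== 0 || obj.level < 1 || obj.level > 100) {
    return { ok: false, error: "level must be an integer between 1 and 100" };
  }
  // Re-serialize: what gets stored is the canonical form, never the client's raw bytes.
  return { ok: true, value: JSON.stringify({ skin: obj.skin, level: obj.level }) };
}

// Handler logic. In a real Cloud Script file this is registered as
//   handlers.setLoadout = function (args, context) {
//     return setLoadoutHandler(args, currentPlayerId, server);
//   };
// Note: BanUsers is deliberately NOT reachable from here; a client-callable
// handler that bans players is exactly what the thread describes being abused.
function setLoadoutHandler(args, playerId, server) {
  var result = validateLoadout(args && args.loadout);

  // Server-side audit event, written whether or not the client asked for one.
  server.WritePlayerEvent({
    PlayFabId: playerId,
    EventName: "loadout_update_attempt",
    Body: { accepted: result.ok, error: result.error || null }
  });

  if (!result.ok) {
    return { success: false, error: result.error };
  }

  // Read-only data: readable by the client, writable only via Server API / Cloud Script,
  // so a client calling UpdateUserData directly cannot corrupt it.
  server.UpdateUserReadOnlyData({
    PlayFabId: playerId,
    Data: { loadout: result.value }
  });
  return { success: true };
}

// Constructed fake of the `server` object for running offline: records calls
// instead of contacting PlayFab.
function makeFakeServer() {
  var calls = [];
  return {
    calls: calls,
    WritePlayerEvent: function (req) { calls.push({ api: "WritePlayerEvent", req: req }); return {}; },
    UpdateUserReadOnlyData: function (req) { calls.push({ api: "UpdateUserReadOnlyData", req: req }); return { DataVersion: 1 }; }
  };
}

// Demo with constructed inputs.
var fake = makeFakeServer();
console.log(setLoadoutHandler({ loadout: '{"skin":"red","level":7}' }, "PLAYER1", fake));
console.log(setLoadoutHandler({ loadout: '{"skin":"red","level":7,"extra":1}' }, "PLAYER1", fake));
console.log(fake.calls.map(function (c) { return c.api; }));
```

The important design choice is that the client never gets to pick the bytes that land in storage: the handler parses, checks against a whitelist, and re-serializes, so a malformed or oversized string is rejected before anything is written, and the rejection itself shows up in PlayStream regardless of what the caller passed for GeneratePlayStreamEvent.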

That is what actually happened, so the issue here lies in how they were able to alter the user title data.

Because we changed the secret key before, and there was an exposed ban feature in Cloud Script, which is mostly used from the client. But that ban feature went over many players; my assumption here is that these players were gathered from the leaderboard, since the leaderboard gives you up to 100 players.

Pola Kamal Zaki answered


And even now the Contact Us support part is broken; the whole title is acting up at this point, and even some format params keep breaking from time to time.
