george@thenuum.com asked

Custom ID account spams

Is there a way to completely prevent Custom ID accounts from being created? Let's say I have no code that calls createAccount with a custom ID; I only have the create PlayFab account method. I believe a hacker can call the custom ID function from PlayFab regardless of what I have in Unity.

I am not entirely sure what hackers do, but we received one of these attacks recently. We had 100k+ accounts created from all over the world and from all kinds of devices. These seem to happen to popular VR and non-VR games that use PlayFab. The hackers seem to be used to doing this to PlayFab games.

Do hackers need the game to be running in order to spam the calls? Or do they automate a bot to create an account somewhere and make the API call? Our code for Oculus checks for entitlement. If the entitlement doesn't go through, the app shuts down. If they have a bot they can create accounts in a split second.

So, for the sake of making it harder: is there a way to cancel ALL custom ID accounts in PlayFab Manager? Could I select to never accept custom ID account creation? Because this is really chaotic, having PlayFab be at the mercy of these hacks. I wouldn't mind the email spam, because it is limited to emails.


1 Answer

Gosen Gao answered

The hackers can make API calls as long as they know the title ID. You can use the API access policy to disable the APIs you are not using, such as Login With Custom ID.

{
    "Resource": "pfrn:api--/Client/LoginWithCustomID",
    "Action": "*",
    "Effect": "Deny",
    "Principal": "*",
    "Comment": "Deny client access to LoginWithCustomID"
}
2 comments

george@thenuum.com commented

Would it be possible to Deny new account creations but allow login for existing accounts?

Gosen Gao commented (replying to george@thenuum.com)

It's not supported, because account creation is controlled by the parameter "CreateAccount", and you can't reject an API call based on a specific parameter.

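The following is an added example, not PlayFab's own code or anything posted in this thread. It approximates how a statement list like the one in the answer is applied to incoming client requests, so that a title owner can check what a Deny on LoginWithCustomID does and does not block before changing a live policy. Everything beyond the statement shape shown in the answer is an assumption made here: that resources are matched with a trailing "*" wildcard, that an applicable Deny overrides any Allow, that a request with no applicable statement is denied, and that the permissive "pfrn:api--*" default statement and the sample request records are constructed for illustration. It also shows, as the reply above notes, that matching only ever sees the resource name, never body parameters such as CreateAccount, so the policy cannot distinguish a login from an account creation on the same endpoint.

```python
"""Approximate evaluator for PlayFab-style API access policy statements.

Added example, not PlayFab's own implementation. Assumed semantics:
trailing-'*' wildcard on Resource, Deny beats Allow, default deny.
"""
from collections import Counter
from fnmatch import fnmatchcase


def deny_client_api(api_name: str) -> dict:
    """Build a Deny statement for one Client API, shaped like the one in the answer."""
    return {
        "Resource": f"pfrn:api--/Client/{api_name}",
        "Action": "*",
        "Effect": "Deny",
        "Principal": "*",
        "Comment": f"Deny client access to {api_name}",
    }


# Constructed policy: a permissive default (assumption, not taken from the page)
# followed by the Deny statement from the answer.
POLICY_STATEMENTS = [
    {
        "Resource": "pfrn:api--*",
        "Action": "*",
        "Effect": "Allow",
        "Principal": "*",
        "Comment": "Constructed: permissive default for every API",
    },
    deny_client_api("LoginWithCustomID"),
]


def _applies(statement: dict, resource: str, action: str, principal: str) -> bool:
    """A statement applies when resource, action and principal all match ('*' matches anything)."""
    return (
        fnmatchcase(resource, statement["Resource"])
        and statement["Action"] in ("*", action)
        and statement["Principal"] in ("*", principal)
    )


def evaluate(statements: list, resource: str, action: str = "POST", principal: str = "*") -> str:
    """Return "Allow" or "Deny" for one request.

    Assumed semantics: any applicable Deny wins; otherwise an applicable Allow
    permits the call; with no applicable statement the request is denied.
    """
    effects = [s["Effect"] for s in statements if _applies(s, resource, action, principal)]
    if "Deny" in effects:
        return "Deny"
    return "Allow" if "Allow" in effects else "Deny"


# Constructed sample of scripted traffic mixed with a legitimate Oculus login.
# Bodies are included only to show that the policy never looks at them.
SAMPLE_REQUESTS = [
    {"resource": "pfrn:api--/Client/LoginWithCustomID", "body": {"CustomId": "bot-0001", "CreateAccount": True}},
    {"resource": "pfrn:api--/Client/LoginWithCustomID", "body": {"CustomId": "bot-0002", "CreateAccount": True}},
    {"resource": "pfrn:api--/Client/LoginWithCustomID", "body": {"CustomId": "legacy-player", "CreateAccount": False}},
    {"resource": "pfrn:api--/Client/LoginWithOculus", "body": {"Nonce": "constructed-nonce", "CreateAccount": True}},
]


def audit(statements: list, requests: list) -> dict:
    """Count decisions per (API name, effect).

    The body, including CreateAccount, is deliberately not consulted: resource
    matching cannot deny creation while still allowing login for existing
    Custom ID accounts, which is the limitation the reply in the thread describes.
    """
    counts = Counter()
    for req in requests:
        api_name = req["resource"].rsplit("/", 1)[-1]
        counts[(api_name, evaluate(statements, req["resource"]))] += 1
    return dict(counts)


if __name__ == "__main__":
    for (api_name, effect), n in sorted(audit(POLICY_STATEMENTS, SAMPLE_REQUESTS).items()):
        print(f"{api_name:<20} {effect:<6} {n}")
```

Running the script prints one line per API and decision: all three LoginWithCustomID calls are denied, including the one with CreateAccount set to false, while the LoginWithOculus call is still allowed. Adding `deny_client_api("LoginWithAndroidDeviceID")` or similar entries to the list is how you would extend the same approach to every login method the title does not actually use.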
