question

Tahir avatar image
Tahir asked

Hacker, is it possible for a hacker to submit data to any user via PlayFabClientAPI.UpdateUserData

My game currently has a very mischievous person assaulting it.

So a few questions.

Can someone modify data of other users via PlayFabClientAPI, specifically UpdateUserData?

If they can indeed make user of UpdateUserData, Couldn't they execute cloud scripts as well and thus utilize functions like UpdateUserReadOnly ?

Recently, one of my users user data was modified so I am wondering what scenarios could cause this event.

Player Data
10 |1200
Toggle Comment visibility. Current Visibility: Viewable by all users

Up to 2 attachments (including images) can be used with a maximum of 512.0 KiB each and 1.0 MiB total.

1 Answer

·
brendan avatar image
brendan answered

The Client/UpdateUserData call doesn't even take a PlayFab ID as input - it can only be used to modify the data of the signed-in user.

I'm not clear on your second question, though. The Client can make calls to ExecuteCloudScript if you haven't turned that off (via the API Policy). Cloud Script only runs the code you put in it, and you should always use good security processes to check what you can of their inputs, since a hacked client could pass whatever it wanted to as arguments to the Cloud Script.

1 comment
10 |1200
Toggle Comment visibility. Current Visibility: Viewable by all users

Up to 2 attachments (including images) can be used with a maximum of 512.0 KiB each and 1.0 MiB total.

Tahir avatar image Tahir commented ·

It seemed to have been an issue of the player's login details being used. Apologies, it threw me off a bit as well but seeing as they were so sure that wasn't the case, I just needed to confirm. Especially since we've been dealing with a malicious user.

0 Likes 0 ·

Write an Answer

Hint: Notify or tag a user in this post by typing @username.

Up to 2 attachments (including images) can be used with a maximum of 512.0 KiB each and 1.0 MiB total.