Priscilla Bushko asked

Unknown new player accounts that appear to be calling my cloudscript.

My application is in an internal testing state and is only available to either people with the file or those who have been added into my internal testing track. However, there have been several new accounts that have been created and logged into today that I am not able to recognize. I know that they are not my login attempts, and I have reason to believe that they are calling my cloudscript since the client cannot post player statistics and the only way they are posted is through my cloudscript. This account has player statistics, which is not possible just from making a new player account. I can see in the player event history that they are calling my cloudscript that updates the player statistics multiple times, none of which is normal on any other account.

While I do allow the client to update their display name, only some of them had them, and they were all strange names, like "text", "textq", " l l ", etc.

What could be happening here and what can I do to prevent these random accounts from appearing?

Leaderboards and Statistics

1 Answer

Sarah Zhang answered

Could you please provide these playerIds? So we can try to investigate it.

Theoretically, it is possible that someone inputs the incorrect title ID when using client APIs. For example, LoginWithCustomID only needs the title ID to log in. You can try to forbid it in API Policy.

Are you sure they updated statistics via CloudScript? You can add write events functions in your CloudScript code to track calls. If you want to prevent these calls, you also can add some anti-cheating mechanisms to your game.

4 comments

Priscilla Bushko commented ·

I deleted all of the accounts yesterday since I figured it could have just been something random, but I only posted this after I saw another random account with the same IP address pop up after I deleted the others. This is currently the only random account ID I have: CE71A9724ECB64B1. I can see in their player event history that they called the CloudScript.

You say to add anti-cheating mechanisms, but how would I prevent calls to my CloudScript that aren't from my code? I want players to be able to call the CloudScript function, but maybe the name of the function was too generic and whoever made an account just happened to guess it?

Sarah Zhang commented (in reply to Priscilla Bushko) ·

OK, we will inform our team about it. In addition, the anti-cheating that we mentioned is data-tier anti-cheating. If you don't want this IP to continue logging in to your title, you can ban it via the Admin/Server API BanUsers. Setting API policy can also help prevent simple logins. If you want some suggestions about data-tier anti-cheating, you can add a verification function to your CloudScript code. For example, manually put your test accounts into a segment and prevent players who are not in this segment from calling functions. Or let your accounts send encrypted information to CloudScript for verification. However, if you want to make anti-cheating mechanisms for commercial games, it will be more complicated.

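The segment check and call tracking suggested in the comment above, as an added example that is not part of the original thread and not PlayFab's own code. It assumes the legacy CloudScript `server` object exposes `GetPlayerSegments`, `UpdatePlayerStatistics` and `WritePlayerEvent`; the segment, handler, statistic and event names are hypothetical, and the stub server and player IDs are constructed so the logic runs offline.

```javascript
// Added example; segment, handler, statistic and event names are hypothetical.
const ALLOWED_SEGMENT = "InternalTesters";

// True only when the caller is in the allow-listed segment.
function callerIsTester(server, playFabId) {
  const res = server.GetPlayerSegments({ PlayFabId: playFabId });
  return (res.Segments || []).some((s) => s.Name === ALLOWED_SEGMENT);
}

// Handler logic with its dependencies passed in so it also runs outside
// PlayFab. In CloudScript it would be wired up as:
//   handlers.submitScore = (args) => submitScore(server, currentPlayerId, args);
function submitScore(server, playFabId, args) {
  if (!callerIsTester(server, playFabId)) {
    // Record the rejected call so it shows up in the player's event history.
    server.WritePlayerEvent({
      PlayFabId: playFabId,
      EventName: "cloudscript_call_rejected",
      Body: { handler: "submitScore", reason: "not_in_segment" },
    });
    return { ok: false, reason: "not_in_segment" };
  }
  server.UpdatePlayerStatistics({
    PlayFabId: playFabId,
    Statistics: [{ StatisticName: "score", Value: args.score }],
  });
  server.WritePlayerEvent({
    PlayFabId: playFabId,
    EventName: "cloudscript_call_accepted",
    Body: { handler: "submitScore" },
  });
  return { ok: true };
}

// Constructed stand-in for the CloudScript `server` object (offline use only).
function makeStubServer(segmentsByPlayer) {
  const calls = [];
  const record = (name) => (req) => { calls.push([name, req]); return {}; };
  return {
    calls,
    GetPlayerSegments: ({ PlayFabId }) => ({
      Segments: (segmentsByPlayer[PlayFabId] || []).map((Name) => ({ Name })),
    }),
    UpdatePlayerStatistics: record("UpdatePlayerStatistics"),
    WritePlayerEvent: record("WritePlayerEvent"),
  };
}
```

The gate runs server-side, so an account created with only the title ID can still log in but cannot write statistics until it has been placed in the segment.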
Priscilla Bushko commented (in reply to Sarah Zhang) ·

Hello again, I just wanted to follow up about this again. Today, there have been many more of these random accounts that have popped up, still calling CloudScript. I haven't been able to implement anything to prevent random accounts from calling it yet, but I figured I should report all of these so that hopefully this can be resolved since I don't know how else to report this strange behavior. Here are all the player IDs, still from about the same IP address as before:


Is there any update on where these are coming from?
