paulwulff asked

Client is able to access sensitive profile information via GetFriendsList

Hi,

I've run into a potential bug regarding the retrieval of profile information using the GetFriendsList method.

For testing purposes, I created a GetFriendsListRequest like this:

using PlayFab.ClientModels;

// Request every profile field the constraints can expose, to check whether the
// title's Client Profile Options are enforced for GetFriendsList.
var request = new PlayFab.ClientModels.GetFriendsListRequest
{
    ProfileConstraints = new PlayerProfileViewConstraints
    {
        ShowAvatarUrl = true,
        ShowDisplayName = true,
        ShowLastLogin = true,
        ShowTags = true,
        ShowLinkedAccounts = true,
        ShowContactEmailAddresses = true,
    },
    IncludeFacebookFriends = true,
    IncludeSteamFriends = false
};

and on my title, I set the client profile options to this (all information disabled):

... and yet, the GetFriendsListResult contains all requested information like Display Name, Last Login, Linked Accounts, etc. According to the documentation, having these boxes unchecked should prevent the client from retrieving said information, even if it's requested in the ProfileConstraints.

Interestingly, this issue appears to be related specifically to GetFriendsList: I was also using GetLeaderboard with similar ProfileConstraints, and got the expected error "Invalid view constraints" there.

Attachment: unbenannt.png (34.6 KiB)

1 Answer

jital answered

Thank you for bringing this to our attention, a bug will be filed for this.

2 comments

Canberk Soner commented:

Hello,

Any rough ETA on this? We can't go live with this (for example, it allows people to steal their friends' guest accounts through device IDs). A workaround I thought of is moving all our getfriends logic to CloudScript and disabling client/getfriends calls through the access policy XML, but I'd like to avoid that extra work if there is a chance of this issue getting fixed in the near future.

franklinchen commented (in reply to Canberk Soner):

Hi @canberksoner, this bug is fixed now; I just verified that the Client Profile settings take effect in the GetFriendsList API.

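The enforcement the question expected (reject disallowed constraints, as GetLeaderboard does) combined with the CloudScript-style workaround the first comment describes, as an added example that is not part of the original thread or of PlayFab's SDK; the handler shape, the flag-to-field mapping and the sample friend list are assumptions.

```javascript
// Added example (not PlayFab's code): a CloudScript-style handler that owns the
// friends lookup and enforces the title's Client Profile Options itself, so the
// client never receives fields the title disabled, whatever ProfileConstraints says.

// Mirrors the title's Client Profile Options (assumed; in a real title this is
// your own server-side configuration, never taken from the client request).
const CLIENT_PROFILE_OPTIONS = {
  ShowDisplayName: true, ShowAvatarUrl: true, ShowLastLogin: false,
  ShowTags: false, ShowLinkedAccounts: false, ShowContactEmailAddresses: false,
};

// Each PlayerProfileViewConstraints flag and the PlayerProfileModel field it exposes.
const CONSTRAINT_TO_FIELD = {
  ShowDisplayName: "DisplayName", ShowAvatarUrl: "AvatarUrl",
  ShowLastLogin: "LastLogin", ShowTags: "Tags",
  ShowLinkedAccounts: "LinkedAccounts", ShowContactEmailAddresses: "ContactEmailAddresses",
};

// Constraints the client requested that the title options do not permit.
function disallowedConstraints(requested, allowed) {
  return Object.keys(requested).filter((k) => requested[k] && !allowed[k]);
}

// Rebuilds each friend entry from an allow-list: only permitted Profile fields survive,
// and everything outside Profile (FacebookInfo, SteamInfo, ...) is dropped.
function filterFriendProfiles(friends, allowed) {
  return friends.map((friend) => {
    const profile = {};
    for (const [constraint, field] of Object.entries(CONSTRAINT_TO_FIELD)) {
      if (allowed[constraint] && friend.Profile && field in friend.Profile) {
        profile[field] = friend.Profile[field];
      }
    }
    return { FriendPlayFabId: friend.FriendPlayFabId, Profile: profile };
  });
}

// Entry point shaped like a CloudScript handler: reject disallowed constraints the way
// GetLeaderboard does, then filter the raw result (stand-in for server.GetFriendsList).
function getFriendsFiltered(args, rawFriends) {
  const bad = disallowedConstraints(args.ProfileConstraints || {}, CLIENT_PROFILE_OPTIONS);
  if (bad.length > 0) throw new Error("Invalid view constraints: " + bad.join(", "));
  return { Friends: filterFriendProfiles(rawFriends, CLIENT_PROFILE_OPTIONS) };
}

// Constructed sample of a leaky result in which every requested field came back.
const SAMPLE_FRIENDS = [{
  FriendPlayFabId: "CONSTRUCTED-ID-1",
  Profile: { DisplayName: "alice", AvatarUrl: "https://example.invalid/a.png",
    LastLogin: "2020-01-01T00:00:00Z", Tags: ["vip"],
    LinkedAccounts: [{ Platform: "Custom", PlatformUserId: "CONSTRUCTED-DEVICE-ID" }],
    ContactEmailAddresses: [{ EmailAddress: "alice@example.invalid" }] },
}];
```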
