Kim Strasser asked

When is my cloud script code exposed and vulnerable to hackers?

When is my cloud script code exposed to hackers?

I found this answer but I don't understand the difference between a function that is exposed and a function that is not exposed.

"Players can only call CloudScript methods attached to the handlers JavaScript object. So, if you didn't expose your function with handlers object then hackers also can not invoke that function."

https://community.playfab.com/questions/37604/can-a-hacker-invoke-normal-js-functions-in-cloud-s.html

How can I find out if my functions are exposed and vulnerable to hackers?

For example, I call AddGoldCoins in my client code with PlayFabClientAPI.ExecuteCloudScript. Is this cloud script code exposed or not? If yes, how could I change the code in order to protect it from hackers?

handlers.AddGoldCoins = function (args, context)
{
    // Grants a fixed amount of the "GO" currency chosen by the reward type the client sends.
    // The request key is PlayFabId and Amount is a number, not a string.
    if (args.rewardType == "Bronze")
    {
      server.AddUserVirtualCurrency({PlayFabId: currentPlayerId, VirtualCurrency: "GO", Amount: 100});
    }
    if (args.rewardType == "Silver")
    {
      server.AddUserVirtualCurrency({PlayFabId: currentPlayerId, VirtualCurrency: "GO", Amount: 200});
    }
    if (args.rewardType == "Gold")
    {
      server.AddUserVirtualCurrency({PlayFabId: currentPlayerId, VirtualCurrency: "GO", Amount: 500});
    }
    return {messageValue: "added reward"};
}

1 Answer

brendan answered

In future, I'd recommend posting your follow-up questions to the same thread, so that all the info is in one place. What the other thread was highlighting was that you make a function available to be run via ExecuteCloudScript by making it a handler in your script.

Your question is how to prevent that handler from being called by anything except your code. That is not technically possible. There is no mechanism by which any Web API service can verify whether or not the call is being made by a hacked source, as the identification and security mechanisms are all (by necessity) exposed to the client. So, SSL largely prevents man-in-the-middle attacks, but you cannot trust the client to tell the truth. I would recommend reading some of the threads we've had on security in general, so that you can get an idea of how best to deal with this:

https://community.playfab.com/questions/3917/whats-to-stop-some-else-from-using-my-titleid.html

https://community.playfab.com/questions/22238/playfab-client-api-security-with-unity-sdk.html
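Since any handler can be called by any client with any arguments, the handler itself has to decide whether a reward is due. The following is an added example, not code from this thread or from PlayFab: the `pendingReward` internal-data key, the `REWARDS` table and the in-memory `store`/`server` stand-ins are assumptions constructed so that it runs offline.

```javascript
// Constructed in-memory stand-ins for the CloudScript globals so this runs offline.
const store = { internal: {}, balance: 0 };
const server = {
  GetUserInternalData: ({ Keys }) => ({
    Data: Object.fromEntries(Keys.filter((k) => k in store.internal)
      .map((k) => [k, { Value: store.internal[k] }])),
  }),
  UpdateUserInternalData: ({ Data }) => { Object.assign(store.internal, Data); return {}; },
  AddUserVirtualCurrency: ({ Amount }) => ({ Balance: (store.balance += Amount) }),
};
const currentPlayerId = "PLAYER-ID-PLACEHOLDER";
const handlers = {};

// Server-side reward table: the client names a reward, it never supplies an amount.
const REWARDS = Object.freeze({ Bronze: 100, Silver: 200, Gold: 500 });

handlers.AddGoldCoins = function (args, context) {
  var rewardType = args && args.rewardType;
  // Allow-list check; hasOwnProperty keeps inherited names such as "constructor" out.
  if (typeof rewardType !== "string" ||
      !Object.prototype.hasOwnProperty.call(REWARDS, rewardType)) {
    return { granted: false, reason: "unknown reward" };
  }
  // Hypothetical entitlement record: other server-side code writes "pendingReward"
  // when the player really earns a reward. Clients cannot write internal data.
  var data = server.GetUserInternalData({
    PlayFabId: currentPlayerId, Keys: ["pendingReward"],
  }).Data;
  var pending = data.pendingReward && data.pendingReward.Value;
  if (pending !== rewardType) {
    return { granted: false, reason: "not earned" };
  }
  // Consume the entitlement before granting, so a replayed call gets nothing.
  server.UpdateUserInternalData({
    PlayFabId: currentPlayerId, Data: { pendingReward: "" },
  });
  server.AddUserVirtualCurrency({
    PlayFabId: currentPlayerId, VirtualCurrency: "GO", Amount: REWARDS[rewardType],
  });
  return { granted: true, amount: REWARDS[rewardType] };
};
```

In a live title `handlers`, `server` and `currentPlayerId` are provided by CloudScript, so only the table and the handler would be uploaded. The read-then-clear on `pendingReward` is not atomic, so two simultaneous calls could both pass the check.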
