question

glen avatar image
glen asked

What's to stop some else from using my TitleID?

I've noticed that there don't seem to be any security measures to prevent someone from using my TitleID without my application. I know there is an API secret key, but I don't see it integrated anywhere, nothing in Unity references it, and I certainly hope it's not retrieved from a login call as the login call only needs the TitleID.

A 4 character TitleID on it's own seem quite unsafe, not to mention that the only way I've found to use that TitleID is by hardcoding it. And we all know that is not safe. My overall concern here is that the PlayFab system seems incredibly unsafe and easily accessible by even the most novice hackers.

For clairity, I'm using PlayFab for Unity via the Unity Package.

10 |1200
Toggle Comment visibility. Current Visibility: Viewable by all users

Up to 2 attachments (including images) can be used with a maximum of 512.0 KiB each and 1.0 MiB total.

1 Answer

·
Joshua Strunk avatar image
Joshua Strunk answered

The TitleID defines the endpoint for all of your ClientAPI calls so by its very nature the Client and everyone who wants to use your app has to know it. Think of the TitleId like you would a url for your company website. With only the TitleId the worst a would be hacker could do is ddos your title and that is an unavoidable risk with any web based product and hopefully one of the benefits of using PlayFab is they have systems in place to mitigate these sorts of attacks.

The secret key on the other hand is used by the ServerAPI and the AdminAPI and you should never package these in a front facing build for your game as the only way to use them is with a secret key and if you ship a build of your game with the secret key in it(even in compiled source code) you compromise your title's security.

edit 1: To answer the title question "What's to stop someone else from using my TitleId?" Nothing

10 comments
10 |1200
Toggle Comment visibility. Current Visibility: Viewable by all users

Up to 2 attachments (including images) can be used with a maximum of 512.0 KiB each and 1.0 MiB total.

brendan avatar image brendan commented ·

Correct, there are multiple protections against DDoS-type behaviors, including (at the highest level) the existing AWS protections. @glen, it sounds like you have a targeted concern. Is there a specific scenario you have in mind?

1 Like 1 ·
glen avatar image glen commented ·

I realize there is no 100% protection, but here's an example of something that could happen.

Step 1) Hacker get's TitleID

Step 2) Hacker monitors communication between client and server and gets Cloud Script handler functions.

Step 3) Hacker is able to use those handler functions because all he/she needs to invoke a handler function is the TitleID.

0 Likes 0 ·
Joshua Strunk avatar image Joshua Strunk glen commented ·

Yes anyone can call your Cloud Script in any way they want. It is up to developers to ensure they validate the information passed into Cloud Script. You can not blindly trust any information coming from the Client into Cloud Script.

0 Likes 0 ·
glen avatar image glen commented ·

Also, I'm pretty sure I could input another company's TitleID into the game I'm developing and it would create a new user in their title. And that's just a ctrl+v, what if I wanted to put a little more effort in? How far could I get? What damage could I do? I assume most or all of the client API's are available in this case.

Any chance we can get rid of the 600 character limit on these posts/comments?

0 Likes 0 ·
Joshua Strunk avatar image Joshua Strunk glen commented ·

Yes anyone with your TitleID could create users but these users really would not get very far and would not be able to break your game as long as you are validating everything in Cloud Script

0 Likes 0 ·
glen avatar image glen commented ·

I completely agree that we can't trust info from the client, and I believe all our Cloud Script functions abide by this. But, one of the core ideas behind hacker prevention is "barrier to entry". Make it difficult enough that most hackers will give up. Of course you can't prevent the persistent and talented hackers, but you can deter most others. When looking at PlayFab security the initial barrier is so low, it's too easy to get some kind of result. It feels similar to a "gateway drug". Instead of discouraging a hacker it seems encouraging. Maybe I'm paranoid, but safety is key.

0 Likes 0 ·
brendan avatar image brendan glen commented ·

It sounds like there may be a mixing of concepts, here. Security for the calls is managed via the use of unique, generated session tickets with expiration and SSL. Cheat prevention is managed by having server-side logic which prevents users from changing values to things they shouldn't be allowed to - we have data systems in place that allow you to manage secure data only from the server-side. Preventing people from signing into your title at all sounds more like your concern is around DRM - is that the case?

1 Like 1 ·
glen avatar image glen commented ·

No it's not DRM. The title we're developing is F2P. I think my concern stems from the TitleID and how it's integrated/used. Sure we could develop some kind of encryption system ourselves which holds the TitleID in an encrypted asset but that's another step we'd have to allocate resources too. When looking at other plugins we've used, something like the TitleID or appID is generally integrated using an asset or config file, (sometimes encrypted, sometimes not) and is longer than 4 characters making it less easier to guess or stumble upon. And would never be shared in forums like this.

0 Likes 0 ·
brendan avatar image brendan glen commented ·

Again, the Title ID is not intended to be secure in any way. That's by design. The Secret Key is something you should protect, as it provides the means to alter your title and players.

Obfuscation and encryption can help with the case of minimally-skilled hackers, but does not prevent cheating in titles - and for any popular title, the cheats will be distributed, making it so that those minimally skilled folks will be doing it as well. The best way to secure a title is on the server side - controlling what is allowed, checking for cheating patterns, etc.

1 Like 1 ·
Show more comments

Write an Answer

Hint: Notify or tag a user in this post by typing @username.

Up to 2 attachments (including images) can be used with a maximum of 512.0 KiB each and 1.0 MiB total.