Hello all, I require some urgent help... I recently saw a spike in my billing of over $500 in less than a day.
Checking the data, it seems an attacker is abusing get files and upload files.
I've since limited user files to 0 and banned the IP.
It also seems the person is spam creating accounts too from different IPs.
I've attempted to disable those API methods using PlayFabAdminAPI.UpdatePolicy:
private void UpdateApiPolicy()
{
    PlayFabAdminAPI.UpdatePolicy(new UpdatePolicyRequest()
    {
        PolicyVersion = version,
        PolicyName = "ApiPolicy",
        OverwritePolicy = false, // Append to existing policy. Set to True, to overwrite.
        Statements = new List<PermissionStatement>()
        {
            new PermissionStatement()
            {
                Action = "*", // Statement effects Execute action
                ApiConditions = new ApiCondition()
                {
                    HasSignatureOrEncryption = Conditionals.False // Require no RSA encrypted payload or signed headers
                },
                Comment = "Do not allow get files",
                Resource = "pfrn:api--/Client/GetFiles", // Resource name
                Effect = EffectType.Deny, // Do not allow,
                Principal = "*"
            }
        }
    },
    result => { FetchApiPolicy(); },
    error => Debug.LogError(error.GenerateErrorReport()));
}
It seems to execute properly and return the policy that I set, however, when I run
PlayFabDataAPI.GetFiles
it still seems to work. I'd assume it should return an error?