MR Ben hamouda seifeddine asked

Serious Security problem!

Hello guys,

We have a Multiplayer game on Steam and we noticed that many accounts had been created without being linked to Steam in the last couple of days and essentially from Russia...

So we did some investigation and we found this link:

https://freetp.org/po-seti/5228-west-hunt-igra-po-seti-i-internetu-onlayn.html

We are now working on enhancing the security by verifying that each account has to be linked to Steam, and wiping those accounts every 10 minutes through planned task scripts.

However, while we were trying to simulate their attack we discovered that they have a tool called "PlayfabTools". Bingo!

Check this out:

We didn't go further as the software seems like a virus, but with this tool you are able to create an account in our game without passing through Steam.

I thought Playfab Technical Team should know about something like this.

Do you have any suggestions?

Best Regards


1 Answer

Rick Chen answered

If you want players to only be able to register an account with Steam in your title, you can deny all other login APIs and only allow the LoginWithSteam API in your API policy. In this way, the attacker will not be able to create an account with anonymous login methods. Please check this document for how to change your API policy: API Access Policy - PlayFab | Microsoft Docs.
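One way to audit a title's policy for the gap described in the answer above, as an added example that is not part of the thread and not PlayFab's own code: it lists client login calls that have no explicit Deny statement and builds the statements to add. It assumes the statement fields and `pfrn:api--/Client/<Call>` resource names from PlayFab's API access policy documentation; the call list is partial and `SAMPLE_POLICY` is constructed.

```python
import json

# Assumption: resource names use the "pfrn:api--/Client/<Call>" form.
RESOURCE_PREFIX = "pfrn:api--/Client/"
# Partial list of client login/registration calls; extend it for your title.
LOGIN_CALLS = [
    "LoginWithCustomID", "LoginWithAndroidDeviceID", "LoginWithIOSDeviceID",
    "LoginWithEmailAddress", "LoginWithPlayFab", "RegisterPlayFabUser",
    "LoginWithSteam",
]

# Constructed sample of the statements a title's policy might hold today.
SAMPLE_POLICY = [
    {"Resource": "pfrn:api--*", "Action": "*", "Effect": "Allow",
     "Principal": "*", "Comment": "default allow-all"},
    {"Resource": RESOURCE_PREFIX + "LoginWithCustomID", "Action": "*",
     "Effect": "Deny", "Principal": "*", "Comment": "no custom id logins"},
]

def denied_resources(statements):
    """Resources that carry an explicit Deny statement."""
    return {s["Resource"] for s in statements if s.get("Effect") == "Deny"}

def missing_denies(statements, allowed=("LoginWithSteam",)):
    """Login calls outside `allowed` with no explicit Deny in the policy."""
    denied = denied_resources(statements)
    return [c for c in LOGIN_CALLS
            if c not in allowed and RESOURCE_PREFIX + c not in denied]

def blocked_allowed(statements, allowed=("LoginWithSteam",)):
    """Allowed calls that were denied by mistake (would lock players out)."""
    denied = denied_resources(statements)
    return [c for c in allowed if RESOURCE_PREFIX + c in denied]

def update_policy_body(statements, allowed=("LoginWithSteam",)):
    """Request body that appends the Deny statements still missing."""
    new = [{"Resource": RESOURCE_PREFIX + c, "Action": "*", "Effect": "Deny",
            "Principal": "*", "Comment": "Steam-only title: block " + c}
           for c in missing_denies(statements, allowed)]
    return {"PolicyName": "ApiPolicy", "OverwritePolicy": False,
            "Statements": new}

if __name__ == "__main__":
    print("still open:", missing_denies(SAMPLE_POLICY))
    print("wrongly denied:", blocked_allowed(SAMPLE_POLICY))
    print(json.dumps(update_policy_body(SAMPLE_POLICY), indent=2))
```

Review the generated body before sending it with the admin policy update call, and re-run the audit against the policy the service returns afterwards.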
