hulosowanie7 asked

PlayFab is not safe

Hey guys.

I really need help: someone was able to set their currency using external software.

I was looking for this software and I found it; its name is Burp Suite.

With this software I am able to add currency on Client and Server by myself.

Please how can I add some authentication?

I thought that this issue was caused because I was using PlayFab.Client.AddCurrency, but I changed it to PlayFab.Server.AddCurrency and I am still able to add currency by myself...

Please help, it is a really huge issue!

I am able to add currencies/items etc. by myself on every PlayFab game.

Ruben Pascual Blanco answered

You have to disable the client's ability to add and subtract currency under Title settings > API features.

4 comments

hulosowanie7 commented ·

Bro, even if I disable the client API and make these functions using the Server API, I am still able to repeat this call and do it unlimited times; it doesn't matter whether it is the Client API or the Server API.

0 Likes 0 ·
Ruben Pascual Blanco commented, replying to hulosowanie7 ·

In our case the client of the game doesn't include the server API at all; only official dedicated servers have it enabled. It's a basic safety tip, as the server API can modify not only currency but all kinds of data in inventory and stats. Also, to be able to use the Server API, a user must have the secret key, which you should never ship with the client, so it's impossible to create a hack that uses the Server API if you never share said secret key.

If someone got a hold of any of your secret keys, just drop it and generate a new one.

1 Like 1 ·
HitRock Games commented, replying to hulosowanie7 ·

In CloudScript you can check the timestamp and set a limit. Store the timestamp and number of attempts in the player's internal data.

0 Likes 0 ·
hulosowanie7 commented, replying to HitRock Games ·

Yeah, I am now making something like "code authentication", and if this code equals the request then the player is able to call the function via CloudScript.

0 Likes 0 ·
medanogames answered

Use a cloudscript.

3 comments

hulosowanie7 commented ·

It changes nothing; I can also call CloudScript functions via this software. Is there any authentication?...

0 Likes 0 ·
medanogames commented, replying to hulosowanie7 ·

CloudScript will only return you data if you pass nothing through it (meaning nothing you send is of any use to the hacker). Make a CloudScript function that gives you 500 ST (your currency) hardcoded. Try calling it and it should be semi-safe. Now, to make it fully safe you'll need some sort of check whether the player did something to get that currency. If you happen to get a request for currency but the player did nothing to earn it, then BAN THEM.

0 Likes 0 ·
hulosowanie7 commented, replying to medanogames ·

This is not how PlayFab should work. It is not safe either, because it doesn't matter whether it is hardcoded or not. I can call each function (so each "if" in the game doesn't matter to me).

PlayFab is not safe. Please make PlayFab safe because it is 100% hackable!!!

-1 Like -1 ·
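The server-authoritative pattern the replies above point at (HitRock Games' timestamp limit kept in the player's internal data, and medanogames' check that the player actually did something to earn the currency), as an added example that is not from this thread or from PlayFab's own samples. It assumes a legacy CloudScript handler in JavaScript; the handler name, the "ST" currency code, the 500 reward and the 60-second limit are assumptions, and `makeFakeServer` is a constructed stand-in for the real `server` object so the block runs offline.

```javascript
// Added example (not PlayFab's code). In CloudScript the handler would use the
// global `server`; here it is passed in so the logic runs against the stub below.
const REWARD_PER_LEVEL = 500;          // assumed reward amount (currency "ST")
const MIN_SECONDS_BETWEEN_CLAIMS = 60; // assumed minimum time to finish a level

// Decides server-side whether a reward claim is legitimate. The client only says
// which level it claims to have finished; the grant happens only if the server's
// own record (internal data, writable solely through the Server API) agrees.
function grantLevelReward(server, playerId, args, nowSeconds) {
  const levelClaimed = Number(args && args.level);
  if (!Number.isInteger(levelClaimed) || levelClaimed < 1) {
    return { granted: false, reason: "bad_args" };
  }
  const data = server.GetUserInternalData({
    PlayFabId: playerId, Keys: ["lastClaim", "lastLevel"],
  }).Data;
  const lastClaim = data.lastClaim ? Number(data.lastClaim.Value) : 0;
  const lastLevel = data.lastLevel ? Number(data.lastLevel.Value) : 0;
  // A replayed request (same level again) or a skipped level is refused.
  if (levelClaimed !== lastLevel + 1) return { granted: false, reason: "level_mismatch" };
  // Rate limit: repeating the call faster than a level can be played is refused.
  if (nowSeconds - lastClaim < MIN_SECONDS_BETWEEN_CLAIMS) return { granted: false, reason: "too_fast" };
  server.UpdateUserInternalData({
    PlayFabId: playerId,
    Data: { lastClaim: String(nowSeconds), lastLevel: String(levelClaimed) },
  });
  server.AddUserVirtualCurrency({ PlayFabId: playerId, VirtualCurrency: "ST", Amount: REWARD_PER_LEVEL });
  return { granted: true, amount: REWARD_PER_LEVEL };
}

// Constructed in-memory stand-in for the CloudScript `server` object (one player).
function makeFakeServer() {
  const internal = {};
  const balances = {};
  return {
    GetUserInternalData: (r) => ({
      Data: Object.fromEntries(Object.entries(internal)
        .filter(([k]) => r.Keys.includes(k)).map(([k, v]) => [k, { Value: v }])),
    }),
    UpdateUserInternalData: (r) => { Object.assign(internal, r.Data); return {}; },
    AddUserVirtualCurrency: (r) => {
      balances[r.VirtualCurrency] = (balances[r.VirtualCurrency] || 0) + r.Amount;
      return { Balance: balances[r.VirtualCurrency] };
    },
    balance: (code) => balances[code] || 0,
  };
}

// Real CloudScript registration (assumed handler name); skipped when run offline.
if (typeof handlers !== "undefined") {
  handlers.grantLevelReward = (args) =>
    grantLevelReward(server, currentPlayerId, args, Math.floor(Date.now() / 1000));
}
```

The client can still replay the ExecuteCloudScript call with Burp Suite, but every repeat is refused because the server's own record, not the request, decides whether a reward is due.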
hulosowanie7 answered

It looks like I found the solution. I have to call each function through CloudScript and add some "if" checks there, and it is safe.

1 comment

medanogames commented ·

Glad I could help ^^

1 Like 1 ·