Presumably if someone knows your game's ID they can freely add accounts using JavaScript? How could you stop this?
If you've come up with a way to effectively determine which calls are coming from hackers and which aren't, you're about to be a very rich man, Sam. :)
For a player to be able to create an account and sign into your game from your target platform, that client executable has to have everything needed to do so. In our case, that's the endpoint URLs for your title, and the actual queries and the data format for them. So by shipping a title, you're effectively putting everything needed to make calls to your title out in the world.
Consoles combat this by having dedicated hardware - something that you can't get with more general-purpose compute devices, like PCs and mobiles. But even they fall victim to hacks that allow players to run compromised code - they just have more ability to combat it, by the nature of the platform.
JavaScript, being client side, has all the information that is being sent freely accessible. All you need to do is "view page source" and then take that information and make your own HTML page doing the same thing but with false information.
If the same process was done with PHP it would be considerably more difficult for people to gain that information as everything would be done server side. Or am I missing something?
I would agree with you here, Sam. Moving registration, at least, to PHP could help combat some problems. You could just use AJAX if you still want to get the response back inside JavaScript.
The best protection you could have would be to have all the logic that communicates with PlayFab on the server side and only expose the interface to players via a front-end (that in turn communicates with another component on the hosting server). Apart from that, while it might make it more difficult, it's still going to be discoverable, unfortunately.
It'd be significantly difficult enough to prohibit a good number of hackers, I would have thought.
By your logic, there's no point installing an anti-virus because some viruses will still get through.
If you added email verification to the PlayFab player accounts that would solve a lot of the issues.
I'm basically trying to find a way to stop someone who has found the GameID from just making hundreds of accounts with popular names...
My existing system won't allow for account creation without first verifying your email, which will stop a lot of the problems, I think. Sadly, no such option on PlayFab.
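The approach discussed in the replies above (account creation handled on the server and gated on email verification), as an added sketch that is not code from any poster or from PlayFab. `createAccount` is a hypothetical callback standing in for the server's call to the backend; the per-IP limit, token lifetime and all function names are assumptions.

```javascript
const crypto = require('crypto');

// Assumptions: the secret lives only on the server; limits are illustrative.
const SECRET = crypto.randomBytes(32);
const TOKEN_TTL_MS = 15 * 60 * 1000;
const WINDOW_MS = 60 * 60 * 1000;
const MAX_REQUESTS_PER_IP = 3;
const requestsByIp = new Map(); // ip -> timestamps of recent requests
const usedTokens = new Set();   // MACs of tokens already redeemed

function sign(payload) {
  return crypto.createHmac('sha256', SECRET).update(payload).digest('hex');
}

// Step 1: the server mails this token to the address; no account exists yet.
function issueVerificationToken(email, username, ip, now = Date.now()) {
  const recent = (requestsByIp.get(ip) || []).filter(t => now - t < WINDOW_MS);
  if (recent.length >= MAX_REQUESTS_PER_IP) return null; // throttled
  requestsByIp.set(ip, [...recent, now]);
  const body = JSON.stringify({ email, username, exp: now + TOKEN_TTL_MS });
  const payload = Buffer.from(body).toString('hex');
  return `${payload}.${sign(payload)}`;
}

// Step 2: the mailed link returns the token; only now is the account created.
// createAccount is a hypothetical callback for the server-side backend call.
function completeRegistration(token, createAccount, now = Date.now()) {
  const [payload, mac] = String(token).split('.');
  if (!payload || !mac) return { ok: false, reason: 'malformed' };
  const expected = Buffer.from(sign(payload));
  const given = Buffer.from(mac);
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) {
    return { ok: false, reason: 'bad signature' };
  }
  const { email, username, exp } = JSON.parse(Buffer.from(payload, 'hex').toString());
  if (now > exp) return { ok: false, reason: 'expired' };
  if (usedTokens.has(mac)) return { ok: false, reason: 'already used' };
  usedTokens.add(mac);
  return { ok: true, result: createAccount({ email, username }) };
}
```

Because the signing secret and the account-creation call never reach the browser, knowing the title's ID alone is not enough to create accounts through this path.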