Sam asked

How to stop hackers adding accounts to your game?

Presumably if someone knows your game's ID they can freely add accounts using JavaScript? How could you stop this?


1 Answer

brendan answered

If you've come up with a way to effectively determine which calls are coming from hackers and which aren't, you're about to be a very rich man, Sam. :)

For a player to be able to create an account and sign into your game from your target platform, that client executable has to have everything needed to do so. In our case, that's the endpoint URLs for your title, and the actual queries and the data format for them. So by shipping a title, you're effectively putting everything needed to make calls to your title out in the world.

Consoles combat this by having dedicated hardware - something that you can't get with more general-purpose compute devices, like PCs and mobiles. But even they fall victim to hacks that allow players to run compromised code - they just have more ability to combat it, by the nature of the platform.

7 comments

Sam commented ·

JavaScript, being client side, has all the information that is being sent freely accessible. All you need to do is "view page source" and then take that information and make your own HTML page doing the same thing but with false information.

If the same process was done with PHP it would be considerably more difficult for people to gain that information as everything would be done server side. Or am I missing something?

0 Likes 0 ·
Montana Tuska commented (in reply to Sam) ·

I would agree with you here, Sam. Moving registration, at least, to PHP could help combat some problems. You could just use AJAX if you still want to get the response back inside JavaScript.

1 Like 1 ·
brendan commented (in reply to Sam) ·

The best protection you could have would be to have all the logic that communicates with PlayFab on the server side and only expose the interface to players via a front-end (that in turn communicates with another component on the hosting server). Apart from that, while it might make it more difficult, it's still going to be discoverable, unfortunately.

0 Likes 0 ·
Sam commented (in reply to brendan) ·

It'd be significantly difficult enough to prohibit a good number of hackers, I would have thought.

By your logic, there's no point installing an anti-virus because some viruses will still get through.

0 Likes 0 ·
Sam commented ·

If you added email verification to the PlayFab player accounts that would solve a lot of the issues.

I'm basically trying to find a way to stop someone who has found the GameID from just making hundreds of accounts with popular names...

My existing system won't allow for account creation without first verifying your email, which will stop a lot of the problems, I think. Sadly, no such option on PlayFab.

0 Likes 0 ·
brendan commented (in reply to Sam) ·

Yes, email verification for players is something we'll be adding in an upcoming sprint. We've had a few requests for it, so we'll be working it into the schedule.

1 Like 1 ·
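
The approach discussed in this thread, sketched as an added example (not code from the thread or from PlayFab): registration runs on the server, sign-up attempts are rate limited per IP, and the account is created only after an e-mailed, HMAC-signed token is redeemed. `createGate`, `request`, `confirm` and the `createAccount` callback are hypothetical names; `createAccount` stands in for whatever server-to-backend call actually creates the player.

```javascript
// Added example: server-side registration gate (all names are hypothetical).
const crypto = require('node:crypto');

function createGate({ secret, createAccount, maxPerIp = 3, windowMs = 3600e3, ttlMs = 900e3 }) {
  const attempts = new Map(); // ip -> timestamps of recent sign-up requests
  const used = new Set();     // signed bodies already redeemed (single use)
  const sign = (body) => crypto.createHmac('sha256', secret).update(body).digest('base64url');

  // Step 1: the browser asks to register. Nothing is created yet; the token
  // returned here would be e-mailed to the address, not sent to the browser.
  function request(ip, email, username, now = Date.now()) {
    const recent = (attempts.get(ip) || []).filter((t) => now - t < windowMs);
    if (recent.length >= maxPerIp) return { ok: false, reason: 'rate_limited' };
    attempts.set(ip, [...recent, now]);
    const claim = JSON.stringify({ email, username, exp: now + ttlMs });
    const body = Buffer.from(claim).toString('base64url');
    return { ok: true, token: `${body}.${sign(body)}` };
  }

  // Step 2: the user follows the e-mailed link. Only now does the server
  // create the account, with credentials the client never sees.
  function confirm(token, now = Date.now()) {
    const [body = '', mac = ''] = String(token).split('.');
    const expected = Buffer.from(sign(body));
    const given = Buffer.from(mac);
    if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) {
      return { ok: false, reason: 'bad_signature' };
    }
    const claim = JSON.parse(Buffer.from(body, 'base64url').toString());
    if (now > claim.exp) return { ok: false, reason: 'expired' };
    if (used.has(body)) return { ok: false, reason: 'already_used' };
    used.add(body);
    return { ok: true, account: createAccount(claim.email, claim.username) };
  }

  return { request, confirm };
}
```

The in-memory `Map` and `Set` keep the sketch self-contained; a deployment with more than one server process would need shared storage for both.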
