
Newbie using PlayFab

Started by February 17, 2023 08:58 PM
2 comments, last by Alberth 1 year, 10 months ago

Hi all

I'm a newbie to game development so this may seem blindingly obvious to you guys but I'm unclear about an issue:

I'm using Azure's PlayFab to create a leaderboard and one of the options is to check/uncheck an option in PlayFab:

“Allow client to post player statistics”

Apparently, this is not secure when the game is live. Can somebody please explain why as it seems to me that the only way to update statistics is through a script. Is that not so?

Thanks for any info.

In general there are clients that run on the end user's computer, and servers that run on computers you control. The servers are provided with a secret key so you know they're official executables running on your own deployed machines.

Servers that you control aren't easily compromised. If your servers are updating statistics it is because the game players did exactly what the statistics say they did. (Or because of a bug.)

Game clients can be modified, can be hacked, can be debugged, or in many other ways manipulated to send data to PlayFab. Someone monitoring the connection can read the protocol (it's easy enough and uses published REST calls) which is enough to sign on, publish their own values, and post whatever they want. If clients can publish their own numbers, the moment an attacker realizes they can do it they'll set all the scores to INT_MAX or to whatever your game sets as a perfect score. You'll see impossibly high player statistics on anybody who wants them.

As you look more into PlayFab and to many other similar systems, you'll find there are client-specific calls and server-specific calls. Usually servers can read and write anything, but clients can only read a subset and only write a smaller subset.


To make it more concrete: How do you know I am playing your game?

You can observe my IP address and you can observe my network traffic. You cannot look at my screen, you cannot see what programs I am running.

So, as long as I perform the same kind of network traffic you cannot detect I am cheating. I can run any program I want, including a cracked version of the game or dedicated programs that I wrote that give me more information than regular players, or send fake actions back to the game server.
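Both replies above come down to the same design rule: the client reports what happened, and a server you control decides what the statistic is and is the only party that posts it. The following is an added example (not code from either poster, nor PlayFab's SDK) of that server-authoritative flow. The PlayFab endpoint path `Server/UpdatePlayerStatistics` and the `X-SecretKey` header are real; the event schema, the rule constants (`MAX_POINTS_PER_EVENT`, `MAX_EVENTS_PER_SECOND`), the statistic name and the sample match reports are assumptions constructed for the example. The client's own `score` field is deliberately ignored, which is what makes unchecking "Allow client to post player statistics" safe: a tampered client can still send nonsense, but it cannot make the leaderboard believe it.

```python
"""Server-authoritative leaderboard update (added example, not the page's code).

The client never sends a score; it sends the raw match events. The server,
which holds the PlayFab title secret key, recomputes the statistic under its
own rules and is the only party that calls Server/UpdatePlayerStatistics.
"""
import json
import os

# Game rules the server enforces (constructed for this example).
MAX_POINTS_PER_EVENT = 100      # a single event can never be worth more than this
MAX_EVENTS_PER_SECOND = 5       # faster than any human could play
STATISTIC_NAME = "HighScore"    # assumed statistic name


def score_from_events(events, match_start, match_end):
    """Recompute the score from validated events instead of trusting the client.

    `events` is a list of {"t": seconds_since_match_start, "points": int}.
    Returns (score, rejected) where `rejected` lists why events were dropped.
    """
    rejected = []
    score = 0
    duration = match_end - match_start
    if duration <= 0:
        return 0, ["match duration is not positive"]
    if len(events) > MAX_EVENTS_PER_SECOND * duration:
        return 0, ["event rate exceeds MAX_EVENTS_PER_SECOND"]
    for ev in events:
        pts = ev.get("points", 0)
        t = ev.get("t", -1)
        # Anything outside the rules of the game is dropped, not capped.
        if not isinstance(pts, int) or pts < 0 or pts > MAX_POINTS_PER_EVENT:
            rejected.append(f"implausible points value {pts!r}")
            continue
        if not (0 <= t <= duration):
            rejected.append(f"event timestamp {t!r} outside match window")
            continue
        score += pts
    return score, rejected


def build_server_update(title_id, playfab_id, score, secret_key):
    """Build the Server/UpdatePlayerStatistics request the game server sends.

    The secret key travels in X-SecretKey and must only ever exist on
    servers you control; a client build never contains it.
    """
    url = f"https://{title_id}.playfabapi.com/Server/UpdatePlayerStatistics"
    headers = {"Content-Type": "application/json", "X-SecretKey": secret_key}
    body = {"PlayFabId": playfab_id,
            "Statistics": [{"StatisticName": STATISTIC_NAME, "Value": score}]}
    return url, headers, json.dumps(body)


def handle_match_report(report, title_id, secret_key):
    """Entry point the server runs when a client reports a finished match.

    Any 'score' field the client included is ignored on purpose.
    """
    score, rejected = score_from_events(report["events"], report["start"], report["end"])
    url, headers, body = build_server_update(title_id, report["playfab_id"], score, secret_key)
    return {"score": score, "rejected": rejected, "request": (url, headers, body)}


# Constructed samples: an honest match, and a tampered client claiming INT_MAX.
HONEST = {"playfab_id": "EXAMPLE_ID", "start": 1000, "end": 1120,
          "events": [{"t": 10, "points": 50}, {"t": 40, "points": 30}, {"t": 90, "points": 20}]}
TAMPERED = {"playfab_id": "EXAMPLE_ID", "start": 1000, "end": 1120, "score": 2147483647,
            "events": [{"t": 10, "points": 2147483647}, {"t": 40, "points": 30}]}

if __name__ == "__main__":
    # Placeholder: the real key comes from the title's settings, never from the client.
    key = os.environ.get("PLAYFAB_SECRET_KEY", "<secret key from title settings>")
    for name, rep in (("honest", HONEST), ("tampered", TAMPERED)):
        result = handle_match_report(rep, "ABCD", key)
        print(name, "score =", result["score"], "rejected =", result["rejected"])
```

The honest report scores 100; the tampered one scores 30 with its INT_MAX event logged as rejected, and its client-supplied `score` never reaches PlayFab. The same structure applies to Alberth's point: you cannot see what program the player runs, so the server does not try to; it only accepts events that are possible under the game's rules and computes everything else itself.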

