Scoreboard too easy to hack

Post by Zarat » Sun Aug 22, 2010 11:14 am

If not improved this will end like your average flash game scoreboard, being flooded by hacked entries. A few people just submit whatever score they feel like, messing it up for everyone else.

If you care about the scoreboard you have to figure out something to better validate the score sent from the client. The current mechanism is broken in 5 minutes. (The single Cheater entry in easy scoreboard was by me, sorry, but we are in beta so I had to test if it was as easy as it looked. I won't do more.) Remember everything that is in the game client can be read, obfuscation helps a bit but not much. Ultimately there is no protection, because with global scores you only need a single person to break the protection to mess it up for everyone else :cry:

A simple workaround would be to use accounts for the scoreboards. This way people who submit hacked entries can get removed and banned. This requires that you store more than just the Top 10 scores because once an entry is removed the older entries need to fill it up. If you don't want to actively monitor the scoreboard you could allow each player to decide themselves whose entries they want to filter out.

Another workaround with less work for you is to use time-based scoreboards, so hacked entries will become less relevant the older they are. Of course as long as a single hacker is interested in the board he can keep messing it up daily.

Well, these were just ideas. I don't know how much you care about the scoreboard, but a good one needs some love and work to protect it from hackers. I added some more ideas here


PS: Also the server holding the scoreboard data is not protected, you didn't even disable directory listing. I was able to browse to the page with the crash reports people submitted. (Not that I could use them for anything, but still!) On the score server you should disable directory listing and any other service you don't need. Also pages not used by the client (like the viewing of crash reports) should require authentication, so only you and your staff can use them. If you move them to a subdirectory you can protect them by a simple .htaccess file.
Zarat
 
Posts: 8
Joined: Sat Aug 21, 2010 5:23 pm
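
Added example, not part of the thread and not the game's code: a minimal server-side sketch of the two workarounds in the post above, account-bound entries that can be banned (with every submission stored so lower scores backfill the gap, plus an optional per-viewer hide list) and time-windowed boards. The `Scoreboard` class, its method names and the sample accounts are hypothetical.

```python
import heapq
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone


@dataclass
class Scoreboard:
    """Keeps every submission so removed entries can be backfilled."""
    entries: list = field(default_factory=list)   # (account, score, submitted_at)
    banned: set = field(default_factory=set)      # accounts removed by staff

    def submit(self, account, score, when):
        if account in self.banned:
            return False                          # banned accounts cannot post
        self.entries.append((account, score, when))
        return True

    def ban(self, account):
        # Entries stay stored; they are filtered at read time, so a ban
        # takes effect on every board without rewriting history.
        self.banned.add(account)

    def top(self, n=10, now=None, window=None, hidden=frozenset()):
        """Top n scores, skipping banned accounts, accounts this viewer
        chose to hide, and (if window is set) entries older than window."""
        cutoff = (now - window) if window is not None else None
        visible = [
            (score, account) for account, score, when in self.entries
            if account not in self.banned
            and account not in hidden
            and (cutoff is None or when >= cutoff)
        ]
        return [(a, s) for s, a in heapq.nlargest(n, visible)]


def demo():
    # Constructed sample data: three honest players and one cheater.
    now = datetime(2010, 8, 22, 12, 0, tzinfo=timezone.utc)
    board = Scoreboard()
    board.submit("alice", 4200, now - timedelta(days=40))
    board.submit("bob", 3900, now - timedelta(days=3))
    board.submit("carol", 3100, now - timedelta(hours=5))
    board.submit("cheater", 99999999, now - timedelta(days=2))
    before = board.top(n=2)
    board.ban("cheater")
    after = board.top(n=2)                        # bob backfills the slot
    weekly = board.top(n=2, now=now, window=timedelta(days=7))
    personal = board.top(n=2, hidden={"alice"})   # viewer-side filter
    return before, after, weekly, personal
```

Filtering at read time is what makes the "store more than the Top 10" point work: the board is recomputed from the full history, so removing one account never leaves an empty slot.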

Re: Scoreboard too easy to hack

Post by T-Dawg » Sun Aug 22, 2010 12:12 pm

Certainly some useful feedback here! I assume you used a tool such as ArtMoney to improve your score, and then submitted it?

The highscore system as it is now is sort of ad hoc to make the beta interesting, and will probably be changed quite a bit before release. Your ideas about the high score tables are good! I like the idea of "last week" and "last month" for scores. On Steam we'll try to have a separate scoreboard, which simply submits their Steam username.

I'll disable directory listing when I get the chance! Thanks for the input :)
T-Dawg
Site Admin
 
Posts: 16
Joined: Wed Jul 07, 2010 11:37 pm

Re: Scoreboard too easy to hack

Post by HampOOs » Sun Aug 22, 2010 11:46 pm

There could be no honor in sure success, but much might be wrested from a sure defeat.
HampOOs
 
Posts: 1
Joined: Fri Aug 20, 2010 2:07 am

