Discussion and help relating to PlayerIO's QuickConnect feature, including Facebook Connect and Kongregate Connect.

Quick connect and security concerns

Post by sebas77 » July 1st, 2013, 3:31 pm

Hi,

I am still quite new to security issues regarding online games, but I just want to ask more details about QC.

Our current version of the game uses SimpleRegister and SimpleConnect for in-game registration and login. I just wonder if you have a sort of authentication token system that auto-refreshes itself periodically. In other words, is it somehow possible to send requests from not authorized clients if the user login/password is not known?
sebas77
Paid Member
 
Posts: 137
Joined: June 25th, 2013, 12:09 pm

Re: Quick connect and security concerns

Post by Henrik » July 1st, 2013, 8:25 pm

sebas77 wrote: In other words, is it somehow possible to send requests from not authorized clients if the user login/password is not known?

No, this is not possible.
Henrik
.IO
 
Posts: 1880
Joined: January 4th, 2010, 1:53 pm

Re: Quick connect and security concerns

Post by HermitCrab » July 16th, 2013, 6:38 pm

How about if the username and password ARE known? I can see two scenarios in which the situation could be encountered:

1) Client is stolen, and reverse engineered to disable any sitelocking (trivial with a Flash client, for instance) and posted on the thief's site so players will register and play through their site and can be served ads for profit.

2) Client is reverse-engineered and modified to disable sitelock and take full advantage of any information the server is kind enough to leak (such as positions of all units in an RTS, positions of opponents in an FPS, etc...) to build cheating functionality into the modified client.

So the question becomes: is it possible to know the location of the client? If the client is supposed to be located on Facebook, Kongregate, or on the dev site and its actual location can be verified, that's pretty much the only piece of info that gives any hope that the client connecting is actually legit.
HermitCrab
 
Posts: 3
Joined: July 16th, 2013, 6:29 pm

Re: Quick connect and security concerns

Post by Henrik » July 16th, 2013, 11:14 pm

Any client can be reverse-engineered, and all network traffic can be sniffed and spoofed, so always assume that each client is completely compromised and design your server-side game logic accordingly. Always verify the input from the client so that it is sane and reasonable, and if there's any information that you don't want a player to have, don't send it over the network to that player, otherwise he'll have it, even if your client chooses not to display it.
Henrik
.IO
 
Posts: 1880
Joined: January 4th, 2010, 1:53 pm
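
Added example, not part of the thread and not PlayerIO API code: a minimal server-authoritative sketch of the two rules in the post above, applied to the RTS case raised earlier. It validates a move request against server-held state and builds a per-player snapshot that omits units the player cannot see. All names, constants and the sample state are hypothetical.

```python
import math
from dataclasses import dataclass

MAP_SIZE = 100.0      # assumed square map, world units
MAX_SPEED = 5.0       # assumed max unit speed, world units per second
SIGHT_RADIUS = 10.0   # assumed vision range of every unit

@dataclass
class Unit:
    owner: str        # user id fixed by the server at login, never read from a message
    x: float
    y: float

def apply_move(units, sender_id, unit_id, x, y, elapsed_s):
    """Validate a client move request; mutate state only if it is plausible.

    elapsed_s is measured by the server since the unit's last accepted move.
    """
    unit = units.get(unit_id)
    if unit is None or unit.owner != sender_id:
        return "rejected: not your unit"
    if not all(isinstance(v, (int, float)) and math.isfinite(v) for v in (x, y)):
        return "rejected: malformed coordinates"
    if not (0 <= x <= MAP_SIZE and 0 <= y <= MAP_SIZE):
        return "rejected: outside map"
    if math.hypot(x - unit.x, y - unit.y) > MAX_SPEED * elapsed_s + 1e-9:
        return "rejected: faster than any unit can travel"
    unit.x, unit.y = float(x), float(y)
    return "ok"

def snapshot_for(units, viewer_id):
    """Build the state update for one player: own units plus enemies in sight."""
    own = [u for u in units.values() if u.owner == viewer_id]
    visible = {}
    for uid, u in units.items():
        if u.owner == viewer_id or any(
            math.hypot(u.x - o.x, u.y - o.y) <= SIGHT_RADIUS for o in own
        ):
            visible[uid] = (u.owner, u.x, u.y)
    return visible

def demo_units():
    # Constructed sample state: two players, one enemy unit far from alice.
    return {
        "a1": Unit("alice", 10.0, 10.0),
        "b1": Unit("bob", 15.0, 10.0),
        "b2": Unit("bob", 90.0, 90.0),
    }
```

A modified client that requests the full map still only receives what `snapshot_for` builds for its own user id, because the filtering happens before anything is sent.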

Re: Quick connect and security concerns

Post by HermitCrab » July 17th, 2013, 7:54 am

Henrik wrote: all network traffic can be sniffed and spoofed

Well, yes and no. I mean, I agree with everything else you said, but it's also all pretty generic advice that's already in the various tutorials. I was hoping for more.

Let's say I want players to use my client, on my site, not something they cobbled together on their own, or some other client that's hosted who knows where. I should have control over that on the server side of things. After all, traffic has to be sent to the client's IP address, they can't spoof *that*, or they'll never receive a single packet. Am I not totally wrong so far?

So how can I check that? If a player is connecting using quickConnect, does the request come from their IP or from the client host (Kongregate, Facebook, my site, whatever)? If it's the former then yes, every connection from every client should be considered with utmost suspicion. If it's the latter then it's theoretically possible to filter connection requests on the server side and only consider those requests that come from a few trusted sources. Then as long as those sites aren't compromised the client can be considered valid. Basically it comes down to whether it is possible to determine where the client came from without asking the client itself, do you have advice on that?
HermitCrab
 
Posts: 3
Joined: July 16th, 2013, 6:29 pm

Re: Quick connect and security concerns

Post by Henrik » July 18th, 2013, 7:11 pm

HermitCrab wrote: Let's say I want players to use my client, on my site, not something they cobbled together on their own, or some other client that's hosted who knows where. I should have control over that on the server side of things. After all, traffic has to be sent to the client's IP address, they can't spoof *that*, or they'll never receive a single packet. Am I not totally wrong so far?

But the client runs on the user's computer. It doesn't run on your site, you've just put it there for them to download. And since it runs on the user's computer, they can do whatever they want with it. Reverse-engineer it, run it in a virtual machine, insert whatever networking tools they want between it and the servers, etc. There's absolutely no way of knowing whether the thing that connects to the game servers is your genuine client, or some other beast that pretends to be. And this is why you need to design your server-side code with that in mind.

When you use QuickConnect, users can only play your game as themselves, and by default they'll only have access to their PayVault and their BigDB objects, and when they connect to the multiplayer server, they'll have a known connectUserId, there's no way to spoof another user's identity (without knowing their Kongregate password or Facebook password, of course, but you can't protect against that).
Henrik
.IO
 
Posts: 1880
Joined: January 4th, 2010, 1:53 pm

Re: Quick connect and security concerns

Post by HermitCrab » July 20th, 2013, 12:42 pm

Exactly, which is why I was asking "whether it is possible to determine where the client came from without asking the client itself", specifically through the third party authentications (Kongregate and Facebook) and quickconnect. From your answer I infer that no, it's not possible, because all quickconnect does in that case is make sure that the external site recognizes the authentication token as valid, but it does not act as an intermediary between the server and the client.

So basically I have no guarantee that a quickconnect through Facebook is a quickconnect FROM Facebook. It could be a cooked up client that simply provides the proper auth token. Well, thanks for the clarifications.
HermitCrab
 
Posts: 3
Joined: July 16th, 2013, 6:29 pm

Re: Quick connect and security concerns

Post by Henrik » July 22nd, 2013, 9:00 pm

HermitCrab wrote: So basically I have no guarantee that a quickconnect through Facebook is a quickconnect FROM Facebook. It could be a cooked up client that simply provides the proper auth token. Well, thanks for the clarifications.

Yes, exactly. Which is why we repeat, over and over again, that you should always assume the client is compromised because you can never know if it is or not, and design your server-side code accordingly. :-)
Henrik
.IO
 
Posts: 1880
Joined: January 4th, 2010, 1:53 pm
