Forum QuickConnect Security concerns

Discussion and help relating to PlayerIO's QuickConnect feature, including Facebook Connect and Kongregate Connect.

Security concerns

Postby glitchyg » September 13th, 2013, 7:48 am

I have run into what appears to be a large security issue with QuickConnect and was wondering if this was a known issue or if there is some workaround.

So let's say I created a user named "bob" with password "123" using the quick register method. That is all fine; I can't log in to bob without knowing his password using the QuickConnect method.

But, if I use the connect method I can simply say the user is "simplebob", provide no password, and I am given access to that account.

Right now I am using connect and just rolling my own validation with the server. That also means I will have to wrap simple commands, such as debit, into the server as well, because the server doesn't know what method the user connected by.
glitchyg
 
Posts: 1
Joined: September 13th, 2013, 7:40 am

Re: Security concerns

Postby SmallJoker » September 13th, 2013, 12:43 pm

Set the shared secret (checkbox "Require Authentication" in connection settings) to something random and it's solved.
Simplest way, but I would like to know "another"/"better" way too...
SmallJoker
 
Posts: 50
Joined: March 28th, 2012, 12:22 pm

Re: Security concerns

Postby Benjaminsen » September 13th, 2013, 4:54 pm

glitchyg wrote:I have run into what appears to be a large security issue with QuickConnect and was wondering if this was a known issue or if there is some workaround.

So let's say I created a user named "bob" with password "123" using the quick register method. That is all fine; I can't log in to bob without knowing his password using the QuickConnect method.

But, if I use the connect method I can simply say the user is "simplebob", provide no password, and I am given access to that account.

Right now I am using connect and just rolling my own validation with the server. That also means I will have to wrap simple commands, such as debit, into the server as well, because the server doesn't know what method the user connected by.


As SmallJoker comments below, this is why we implement the shared secret authentication system for .Connect. For more information, read the Authenticated Connections section under http://playerio.com/documentation/connections.
Benjaminsen
.IO
 
Posts: 1444
Joined: January 12th, 2010, 11:54 am
Location: Denmark
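The contrast the thread describes, shown as an added illustration that is not PlayerIO's code and not from any poster: a Connect handler that accepts a bare user id beside one that requires an auth value derived from the shared secret. The secret, the account store and the exact HMAC construction are assumptions for the example; PlayerIO's own token format is documented in the Authenticated Connections section linked above.

```python
import hmac
import hashlib
from typing import Optional

# Constructed placeholder for the shared secret that "Require Authentication"
# enables in the connection settings. It lives only on the game's backend.
SHARED_SECRET = b"constructed-example-secret-0123456789"

# Toy account store standing in for users created via the register call:
# user id -> coin balance (constructed sample data).
ACCOUNTS = {"bob": 100, "simplebob": 250}


def make_auth(user_id: str, secret: bytes = SHARED_SECRET) -> str:
    """Auth value the backend hands to a client it has already verified
    (e.g. after a password login). HMAC over the user id, keyed with the
    shared secret; the client never sees the secret itself."""
    return hmac.new(secret, user_id.encode("utf-8"), hashlib.sha256).hexdigest()


def connect_unauthenticated(user_id: str) -> Optional[str]:
    """The situation from the first post: Connect with only a user id, so any
    client naming an existing account is treated as that account."""
    return user_id if user_id in ACCOUNTS else None


def connect_authenticated(user_id: str, auth: Optional[str]) -> Optional[str]:
    """Connect with the shared secret in force: the auth value must match the
    HMAC for this user id. compare_digest keeps the check constant-time."""
    if user_id not in ACCOUNTS or not auth:
        return None
    if not hmac.compare_digest(make_auth(user_id), auth):
        return None
    return user_id


def debit(session_user: Optional[str], amount: int) -> bool:
    """Server-side debit honours only an established session, so a client
    cannot spend from an account it did not authenticate as."""
    if session_user is None or amount <= 0 or ACCOUNTS[session_user] < amount:
        return False
    ACCOUNTS[session_user] -= amount
    return True
```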

