Thread: Is SWF secure?

  1. #1
    Junior Member
    Join Date
    May 2001
    Posts
    14

    Hi everybody!

    I've created a game in Flash for a very public company. The game involves a high-scores list. Although a very high score in this game is something like 5,000 points, we already have users with the maximum allowed score - 65,535 (the database design won't allow more).

    This first happened at the beginning of the week because the game was sending the name/high score data with no encryption, using GET. We changed that so it now uses POST and uses a basic encryption method. We also deleted the 65535 entry. The problem is that three days later the entry reappeared...

    Now, my question is, is there any point in continuing to try to encrypt the data? I found a bunch of SWF "unprotecters" and one "Action Script Viewer" which shows the scripts in SWFs - this suggests that I may use any encryption algorithm and I'll end up with a 65535 score in no time. Is that true? Or should I suppose my encryption was weak enough to be cracked so soon and I should continue trying to further encrypt the data? Or maybe there is some other way I could secure the data so this doesn't happen anymore? (using a third party plugin for Flash etc.)

    My main concern is that the people who play the game fair won't play it anymore, discouraged by these enormous high scores...

    Thanks a lot!

    Bogdan

  2. #2
    Senior Member
    Join Date
    Jul 2000
    Posts
    503
    yep. you can't really do much.

  3. #3
    Junior Member
    Join Date
    May 2001
    Posts
    14
    Hummmm.... Thanks! That's what I thought, but wanted a second opinion before I tell those guys I can't do anything about it...

    Thanks again!

    Bogdan

  4. #4
    Senior Member
    Join Date
    Mar 2000
    Posts
    289
    ScoreKeeper has several score-falsification protections... While nothing is fool-proof, you might get some ideas on what is possible.

    http://www.k2w.f2s.com/software/

    Kory

  5. #5
    Registered User
    Join Date
    Feb 2001
    Posts
    13,041
    Hi Gutza,

    how would one go and try to send wrong data: they could look at actual communication between browser and server (ok, it is encrypted now)
    They could try to look at actionscript and make a new movie that just duplicates the submit results part of your game (I don't know whether AS viewers are already good enough so you can paste the AS into a new movie)
    They could even make a small movie of their own that loads yours, sets the score variable, and tells it to go to the submit scene
    I'd doubt that somebody would really try to understand the actionscript that is there - in particular if you are using a somewhat complex encryptor. So you could try to have some parts of global data in the submit scene altered by playing the game; and - if there are wrong values, the movie should still submit, but the server should recognize and ignore. This kind of approach will force the attacker to spend much time trying to understand how everything works...

    Musicman

  6. #6
    Junior Member
    Join Date
    May 2001
    Posts
    14
    Originally posted by Musicman
    Hi Gutza,
    So you could try to have some parts of global data in the submit scene altered by playing the game; and - if there are wrong values, the movie should still submit, but the server should recognize and ignore. This kind of approach will force the attacker to spend much time trying to understand how everything works...

    Musicman
    That's exactly how it's currently done - there is a checksum of the data to be sent and obviously the data (high score) is changed by the game. Still, this didn't do much good...

  7. #7
    Junior Member
    Join Date
    May 2001
    Posts
    14
    Originally posted by kaptainkory
    ScoreKeeper has several score-falsification protections... While nothing is fool-proof, you might get some ideas on what is possible.
    Kory
    Thanks, Kory! I'll look into that - hope it helps - anyway I didn't know about these guys, so at least it's a new thing to try...

  8. #8
    Junior Member
    Join Date
    May 2001
    Posts
    14
    Originally posted by Gutza
    anyway I didn't know about these guys
    Seems like "these" guys is inappropriate, huh? Okay, I didn't know about you guys...

  9. #9
    Junior Member
    Join Date
    May 2001
    Posts
    14
    Originally posted by kaptainkory
    ScoreKeeper has several score-falsification protections... While nothing is fool-proof, you might get some ideas on what is possible.

    Kory
    Thanks, Kory! Checked out ScoreKeeper - unfortunately you use a less complicated "encryption" than my attempt... The other protections have also crossed my mind, but if those guys can see the ActionScript in the SWF and they're determined to hack their way in the high scores list, they will easily do that (session id etc)...

    Thanks for the info, anyway - at least I saw a different approach!

    Bogdan

  10. #10
    Registered User
    Join Date
    Feb 2001
    Posts
    13,041
    Hi Gutza,

    assuming your encryption system uses a table of constants, I thought about some ordinary moves in the game placing correct data into the table. (Mimicking a buggy program where globals interfere). This will probably be as hard to figure, as it is sometimes hard to locate an actual bug.

    Musicman

  11. #11
    Junior Member
    Join Date
    May 2001
    Posts
    14
    Originally posted by Musicman
    Hi Gutza,
    Mimicking a buggy program where globals interfere
    That's a very good idea - it never crossed my mind. The problem is that I have a LOT of variables I wouldn't want to waste my time sending, so I use loadVariables on a symbol instead of loadVariablesNum on _root. This ensures I only send an encrypted string instead of a lot of useless variables.

    Still, it's a good idea and I might consider redesigning the whole thing in order to use it.

    Thanks for the interest!

    Bogdan

  12. #12
    Senior Member
    Join Date
    Mar 2000
    Posts
    289
    Thanks, Kory! Checked out ScoreKeeper - unfortunately you use a less complicated "encryption" than my attempt...
    Short of using a secure server, the techniques in ScoreKeeper allow you to use some of the "tried-and-true" methods of security for the web: session ids, HTTP_REFERER, cookies. Some of these can be a real hassle for a hacker to emulate, whereas Flash developers must always consider ActionScript to be transparent. No matter how complicated the ActionScript, since it can be seen...it can be broken. The way session ids are used for ScoreKeeper makes it fairly difficult for hackers to figure out because there is still some "mystery" on the server-side. On the other hand, since ScoreKeeper is open-source...someone is more likely to see how it's done and crack it. But adding in your own little tricks here and there would be really easy.

    For instance, if you know the highest possible score for a game...write the script to accept nothing larger. But, here's a trick...record the IP/HOST for those who submit larger scores and block them from posting if they submit something larger.

    But okay...let's face it. There is ultimately a limit to what can be done. You can't really ask if data is secure or not...but you can ask, "HOW secure is the data?" Along with the good side of sharing information, comes the bad side.

    Kory

  13. #13
    Registered User
    Join Date
    Feb 2001
    Posts
    13,041
    Hi Gutza,

    I was not even thinking about sending all the game's variables. Let me elaborate the previous idea:
    say you want to send
    u=<user name>&e=<email>&s=<score>&si=<score inverted>
    put another copy of user at the end of the string and a chksum
    u=<user name>&e=<email>&s=<score>&si=<score inverted>&u=<user name>&c=<chksum>
    Now "encrypt" this stuff by xor with a given key
    Code:
    // XOR every character of the message with the repeating key
    res = '';
    key = "this is the hidden key";
    for (i = 0; i < data.length; i++) {
        res += chr(ord(data.charAt(i)) ^ ord(key.charAt(i % key.length)));
    }
    (I am not sure whether function names are correct - too many languages and similar algorithm)

    Now, actual trickery which will make it hard for cracker: after 5 moves in game, key is replaced by "this is much better key" from a section of actionscript that is located in the game, not in the sending. From the way the message is built up (user duplicated, score and math function of it, chksum) you can be sure that server can determine wrong encryption key. Now just say "thanks, your high score has been received. Due to spoofing attempts, scores above 7500 are published only twice a day after supervisor has checked them; so please be patient to see your result" and you have made life much harder for bad guys (unless they read this thread)

    Musicman

    Sorry, text messed up by vb codes: data should be indexed by i in same way as key is indexed by i modulo key length.
    Also, there are definitely better ciphers, but the idea will remain the same.
    [Edited by Musicman on 05-14-2001 at 09:54 PM]
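
The server-side checks suggested in posts #12 and #13, written out as an added example (not code from the thread or from ScoreKeeper). The inverted-score rule (65535 - score) and the additive checksum are assumptions, since the posts do not define them; the two keys and the 7500 and 65535 figures are the ones quoted above.

```javascript
// Added example: server-side checks for the submission format in post #13.
// Assumptions (not defined in the thread): "score inverted" is 65535 - score,
// and the checksum is the sum of character codes (mod 65536) before "&c=".
const EARLY_KEY = "this is the hidden key";  // key visible in the submit code
const LATE_KEY = "this is much better key";  // key set after 5 moves of play
const DB_MAX = 65535, REVIEW_ABOVE = 7500;   // both figures are from the thread

function xorWithKey(text, key) {             // symmetric: encodes and decodes
  let out = "";
  for (let i = 0; i < text.length; i++)
    out += String.fromCharCode(text.charCodeAt(i) ^ key.charCodeAt(i % key.length));
  return out;
}

function checksum(text) {
  let sum = 0;
  for (let i = 0; i < text.length; i++) sum = (sum + text.charCodeAt(i)) % 65536;
  return sum;
}

// Returns the parsed fields when the plaintext has the expected structure, else null.
function parseSubmission(plain) {
  const m = /^u=([^&]*)&e=([^&]*)&s=(\d{1,5})&si=(\d{1,5})&u=([^&]*)&c=(\d{1,5})$/.exec(plain);
  if (!m) return null;
  const [, user, email, s, si, userAgain, c] = m;
  const score = Number(s);
  const body = plain.slice(0, plain.lastIndexOf("&c="));
  if (user !== userAgain || score > DB_MAX) return null;
  if (Number(si) !== DB_MAX - score || Number(c) !== checksum(body)) return null;
  return { user, email, score };
}

// Verdicts: "publish", "review" (held for a supervisor), "log" (never published).
// The client is shown the same thank-you message whatever the verdict.
function judge(ciphertext, clientIp, auditLog) {
  const good = parseSubmission(xorWithKey(ciphertext, LATE_KEY));
  if (good) return good.score > REVIEW_ABOVE ? "review" : "publish";
  const stale = parseSubmission(xorWithKey(ciphertext, EARLY_KEY)) !== null;
  auditLog.push({ clientIp, reason: stale ? "early key" : "malformed" });
  return "log";
}

// Constructed sample, built the way the game client would build it.
function buildSample(user, email, score, key) {
  const body = `u=${user}&e=${email}&s=${score}&si=${DB_MAX - score}&u=${user}`;
  return xorWithKey(`${body}&c=${checksum(body)}`, key);
}
```

A well-formed 65,535 submission lands in "review" rather than on the board, and anything that fails the structure checks is only logged with the submitter's address.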

  14. #14
    Junior Member
    Join Date
    May 2001
    Posts
    14
    Originally posted by Musicman
    Hi Gutza,

    after 5 moves in game, key is replaced by "this is much better key" from a section of actionscript that is located in the game, not in the sending. [...] Due to spoofing attempts, scores above 7500 are published only twice a day after supervisor has checked them; so please be patient to see your result" and you have made life much harder for bad guys (unless they read this thread)

    Musicman
    Thanks a lot! It's a great idea - I'll implement it today along with some suggestions from Kory.

    Thanks, guys! I'll keep you posted (guess you're curious what's gonna happen)

    Bogdan

  15. #15
    Junior Member
    Join Date
    May 2001
    Posts
    14
    Since the last discussion I implemented several of your ideas. One more time, thank you for those. So now we have a lot of extra protection - BTW, we also have a logging mechanism for unsuccessful hacks.

    Unfortunately, trying to use HTTP_REFERER was a big failure - it seems that IE doesn't report it correctly - is that true? Netscape did do the right job, but upon testing it with IE it simply returned _nothing_... Fortunately REQUEST_URI worked ok with both browsers and since it's relative that's enough for our needs.

    So now not only do we not have any more hacks, but we don't have any more attempts either! That's strange!

    So the bottom line is that it worked just fine.

    Thanks!

    Bogdan

  16. #16
    Senior Member
    Join Date
    Mar 2000
    Posts
    289
    It is correct that the flash plugin for IE does NOT set HTTP_REFERER. The workaround (as explained in the ScoreKeeper documentation) is to use an HTML pop-up window for the score board. I also recently found out that some versions of IE for MAC do not correctly send POST requests.

    Anyhow, good luck with your efforts.

    Kory
