Home
Blogs
Forums
News
Portfolios
Projects
Tutorials
21 users logged in
New? Learn about game development.
Before posting, review our community guidelines.
Support GameDev.net with a monthly GDNet+ subscription!
Follow Us
Chat in the GameDev.net Discord!
Back to For Beginners
Advertisement

Newbie using PlayFab

Started by February 17, 2023 08:58 PM
2 comments, last by Alberth 1 year, 10 months ago

Hi all

I'm a newbie to game development so this may seem blindingly obvious to you guys but I'm unclear about an issue:

I'm using Azure's PlayFab to create a leaderboard and one of the options is to check/uncheck an option in PlayFab:

“Allow client to post player statistics”

Apparently, this is not secure when the game is live. Can somebody please explain why as it seems to me that the only way to update statistics is through a script. Is that not so?

Thanks for any info.

In general there are clients that run on the end user's computer, and servers that run on computers you control. The servers are provided with a secret key so you know they're official executables running on your own deployed machines.

Servers that you control aren't easily compromised. If your servers are updating statistics it is because the game players did exactly what the statistics say they did. (Or because of a bug.)

Game clients can be modified, can be hacked, can be debugged, or in many other was manipulated to send data to PlayFab. Someone monitoring the connection can read the protocol (it's easy enough and uses published REST calls) which is enough to sign on, publish their own values, and post whatever they want. If clients can publish their own numbers, the moment an attacker realizes they can do it they'll set all the scores to INT_MAX or to whatever your game sets as a perfect store. You'll see impossibly high player statistics on anybody who wants them.

As you look more into PlayFab and to many other similar systems, you'll find there are client-specific calls and server-specific calls. Usually servers can read and write anything, but clients can only read a subset and only write a smaller subset.

Advertisement

To make it more concrete: How do you know I am playing your game?

You can observe my IP address and you can observe my network traffic. You cannot look at my screen, you cannot see what programs I am running.

So, as long as I perform the same kind of network traffic you cannot detect I am cheating. I can run any program I want, including a cracked version of the game or dedicated programs that I wrote that gives me more information than regular players, or sends fake actions back to the game server.

This topic is closed to new replies.

Advertisement

Popular Topics

pbivens67
poker game For Beginners
Calin
Nested switch statements General and Gameplay Programming
taby
Falloff Math and Physics
cozzie
Occluder from AABB, near plane 'fix'? Graphics and GPU Programming
steamdog
Game engine asset loading system. How to handle shaders? For Beginners
Sekt4nt
Shadow problem in directx11 Graphics and GPU Programming
Advertisement

Recommended Tutorials

gdarchive
John Carmack .plan Archive - 1997 Interviews
Myopic Rhino
Patterns FAQ General and Gameplay Programming
Myopic Rhino
Humble Hearts Interviews
gdarchive
10 Tips for a Better Cover Letter Career Development
Myopic Rhino
IGF 2010: Dejobaan Games Interviews

Reticulating splines

About GameDev.net
Community Guidelines
Terms of Service
Privacy Policy
Contact Us
Copyright (c) 1999-2024 GameDev.net, LLC
Back to Top