Security Of Flash Games

February 20, 2008

A number of websites let users play Flash games online and then submit their scores. After the competition ends, the user with the highest score wins a prize. A major problem such websites face is how to ensure that the user submits the correct score.

The score is usually submitted as an HTTP POST request that the user's browser makes to the web server. This request can easily be modified using a man-in-the-middle (proxy) tool, so a bogus request can easily be submitted. This is a very common and popular hack for Flash games. Unfortunately, there is not much a server can do to stop users from submitting bogus scores. A server can make it harder for users to submit bogus scores by encrypting or signing the score. Note, however, that Flash files can easily be decompiled and the hashing algorithm obtained, so a determined attacker can still submit a bogus (hashed) score.

A very interesting discussion can be read here. I particularly liked these comments:

"One idea I had would be for the game to keep telling the server its current state, and the server could employ cheat detection algorithms to detect unlikely events happening in real time – and then stop the game from continuing"

"Communication between client (flash) and server (php) is going through XML RPC protocol. This xml rpc protocol is fully crypted. So Flash client sends a crypted xml-rpc request, I decrypt it in PHP, and send encrypted response that Flash decrypts for itself. Of course HTTP communication is transparent.. but consists of binary 256bit crypted data. The point is it's gonna be very very difficult for someone to sniff communication and to 'cheat' it."

If you know a solution to stop a user from submitting a bogus score, do let me know.
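The server-side cheat detection idea from the first quoted comment, as an added example that is not code from this post or from the quoted discussion: the game sends its event log, and the server replays it and rejects anything implausible. The point values, rate limit, event names and function names are assumptions made up for this sketch.

```python
import hashlib
import hmac
import secrets

# Assumptions for this sketch (hypothetical game rules, not from the post):
SERVER_KEY = secrets.token_bytes(32)   # stays on the server, never shipped in the SWF
POINTS = {"coin": 10, "enemy": 50}     # points per event type
MAX_EVENTS_PER_SEC = 5                 # fastest rate a human could plausibly manage


def start_session(now):
    """Issue a session id plus a tag binding it to the server-side start time."""
    sid = secrets.token_hex(8)
    tag = hmac.new(SERVER_KEY, f"{sid}:{now}".encode(), hashlib.sha256).hexdigest()
    return {"sid": sid, "start": now, "tag": tag}


def check_submission(session, events, claimed_score, now):
    """Return (accepted, reason). events is a list of (seconds_since_start, kind)."""
    expected = hmac.new(SERVER_KEY, f"{session['sid']}:{session['start']}".encode(),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, session["tag"]):
        return False, "session token not issued by this server"
    elapsed = now - session["start"]
    last = 0.0
    for t, kind in events:
        if kind not in POINTS:
            return False, f"unknown event {kind!r}"
        if t < last or t > elapsed:
            return False, "event timestamps out of order or outside the session"
        last = t
    if len(events) > MAX_EVENTS_PER_SEC * max(elapsed, 1):
        return False, "more events than the elapsed time allows"
    recomputed = sum(POINTS[kind] for _, kind in events)
    if recomputed != claimed_score:
        return False, f"claimed {claimed_score}, events replay to {recomputed}"
    return True, "ok"


if __name__ == "__main__":
    s = start_session(now=1000)
    log = [(1.0, "coin"), (2.5, "enemy"), (4.0, "coin")]  # constructed sample input
    print(check_submission(s, log, 70, now=1010))       # honest run
    print(check_submission(s, log, 999999, now=1010))   # score edited in a proxy
```

A fabricated but plausible event log still passes, so this bounds what a forged submission can claim rather than eliminating forgery.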

Comments

1 Comment

  • Amjad says:

    Hey this is really useful. I am also thinking about the same thing for my site. Do you happen to know how I can find good information about cheat detection algorithms?
