Bug Painfully easy to post fake scores

Discussion in 'Leaderboards' started by wayfarergames, Apr 30, 2023.

  1. wayfarergames

    wayfarergames

    Joined:
    Sep 7, 2013
    Posts:
    26
    I'm posting this as a bug because I view it as an absolutely critical feature of a leaderboard. This is why I moved away from Dreamlo - fake scores on leaderboards are a massive problem that is really difficult to solve, but there are a few basic things you can do to make it prohibitively difficult. You can't just send the scores as plain json, with all your authorization out there in the request for everyone to see! It's genuinely insane to me that nobody at Unity stopped to think "hey what if we checked out the web request as it's being sent, I wonder if it's possible to just copy the information there and post a valid score"...

    As a bare minimum you should hash the sent json with a secret key before sending. Check out Dino's "exploit avoid" leaderboard service, it's the only leaderboard I'd even consider at the minute. https://github.com/Dino0040/Leaderboards/tree/v1.0.3

    I will say, though, everything else about it is a dream to use. I love the authentication flow, I love the names it generates, I love how easy it is to pick up and get started with. I like the backend, though clearing individual scores would be a nice addition. Being able to schedule leaderboard resets is a great feature, too. It's not all bad, I just... I can't justify using this service when all you need to do to post a fake score is snoop the web request.
     
  2. domonyiv

    domonyiv

    Joined:
    Oct 1, 2016
    Posts:
    75
    I haven't tried it yet, but there's no point integrating the leaderboard if posting fake scores is this easy.
     
    wayfarergames likes this.
  3. wayfarergames

    wayfarergames

    Joined:
    Sep 7, 2013
    Posts:
    26
    The request URL contains the unity project id and the player's id, the headers have an authorisation header which you can just copy and paste, and the request body is just plain json: { "score" : 100 }
     
    rbitard likes this.
  4. IainUnity3D

    IainUnity3D

    Unity Technologies

    Joined:
    Oct 5, 2022
    Posts:
    36
    Hi there!

    Thanks for the feedback.

    If you would like to prevent clients from submitting their own scores directly, you can use Access Controls to prevent client access and instead use a Cloud Code function to implement a server authoritative flow to handle calculating / submitting scores to Leaderboards.

    You could also choose to obfuscate score submission this way, but to what extent obfuscation is worth it – and to what extent it's possible to leverage a server authoritative flow – will depend on the game.

    We don't have a tutorial for how to implement a server authoritative flow yet, but that and other approaches and guidance to help with cheat prevention are things we are exploring.
     
  5. wayfarergames

    wayfarergames

    Joined:
    Sep 7, 2013
    Posts:
    26
    I don't think it's reasonable for ANY game to have a leaderboard that can be posted to from anywhere just by snooping the request. It should be pretty simple on your end to hash the JSON with a secret key and extract it server side, and like I said - it is the bare minimum for any leaderboard to be worth considering in a releasable game. At least that requires decompiling the game, which is an incredibly prohibitive action. Anyone can just open their browser web tools and check outbound requests.
     
  6. wayfarergames

    wayfarergames

    Joined:
    Sep 7, 2013
    Posts:
    26
    I take it this is now just filed under "won't address"? That's disappointing
     
    rollingcrow and qer24 like this.
  7. IainUnity3D

    IainUnity3D

    Unity Technologies

    Joined:
    Oct 5, 2022
    Posts:
    36
    To clarify, currently Leaderboards can be used with the following approaches:

    * Client Authoritative (client read+write)
    * Server Authoritative (server read+write) - i.e. using a Game Server or Cloud Code (serverless)
    * Hybrid (server write, client read)

    The different flows can be enforced using Access Controls to deny write access from clients and provide a way to prevent cheating that goes beyond relying on obscurity (with the degree of effectiveness depending on the mechanics).

    Leaderboards doesn't currently have a built in mechanism for obscuring the body (beyond the requests being encrypted) although if that's something you want to do today it's possible with a Server Authoritative flow using Cloud Code.
     
  8. wayfarergames

    wayfarergames

    Joined:
    Sep 7, 2013
    Posts:
    26
    Yeah my specific complaint is that this is something that's incredibly easy to do on your end and would require disassembly of the binary to post a fake score. There is zero reason not to do it, unless your intention is that everyone does it through a Server Authoritative flow. If that is the case, this leaderboard system is still basically unusable for the average user because it becomes prohibitively complex to implement. The attraction is that it's really simple to get up and running!
     
  9. wayfarergames

    wayfarergames

    Joined:
    Sep 7, 2013
    Posts:
    26
    As it stands, I actively tell people not to use this leaderboard system despite the other great features. It's the same with Dreamlo, a leaderboard that doesn't have this simple feature is worthless. Legitimately should not ever be used in any serious game or app. If you can post a fake score with the information you get from inspecting the outgoing request, you will have fake scores posted. I know security by obfuscation isn't watertight, but this one simple step makes it prohibitively difficult. I've got two games with over 1,000 entries on leaderboards - one uses Unity's leaderboards, and about 10% of the posted scores are fake, one uses ExploitAvoid (linked in the original post) and there are zero fake scores.
     
    Last edited: Aug 10, 2023
  10. UnityManuJack

    UnityManuJack

    Unity Technologies

    Joined:
    May 30, 2019
    Posts:
    11
    Dear Unity Community,

    Thank you for bringing this important topic. We take this issue seriously and will do the necessary to ensure that there is default security provided with a client authoritative approach when using UGS Leaderboards.

    This is true only for WebGL games made with Unity. For mobile, PC and consoles, HTTPS offers enough security and makes it not possible to repeat a web request successfully.

    Even with a salted hash request validation mechanism, a game backend should never trust client requests for critical game actions as it is always possible to reverse engineer the API and simulate a valid request to the game server.
    Hence why a server authoritative approach is strongly recommended, it ensures that the game's rules and mechanics are consistently applied to all players and significantly reduces the risk of cheating or exploitation.

    We understand that achieving server authority is no simple feat. This is why our aim is to democratize server authority, simplifying the workflow and enabling developers to integrate it seamlessly into their projects without unnecessary hurdles.

    Your feedback and suggestions play a crucial role in shaping the direction we take, and we genuinely appreciate your input. As we continue to work on these enhancements, we'll keep the community updated on our progress and any developments we make.
     
    IainUnity3D, domonyiv and MousePods like this.
  11. ZanthousDevelopment

    ZanthousDevelopment

    Joined:
    Jul 12, 2023
    Posts:
    12
    I feel like all I should have to do is check a checkbox to prevent writes to leaderboards but this whole access control process requires me to do a ton of random stuff I don't care about. Also not happy with how easy scores are fakeable
     
  12. ZanthousDevelopment

    ZanthousDevelopment

    Joined:
    Jul 12, 2023
    Posts:
    12
    Also how am I even meant to use access control to stop players from writing to leaderboards but still allow cloud code to write to them? I added a rule to prevent "Player" and now I can't even test the script because I get a 403 in the dashboard. It says "Player" is the only value available for Principal right now. Where else am I meant to restrict this sort of thing?

    I later tried a URN like "Resource": "urn:ugs:leaderboards:/v1/projects/<my project id>/leaderboards" etc and that doesn't 403 anymore from cloud code so I guess that's what you are meant to do. However I also removed this policy later on for testing and even though the policy doesn't exist anymore, non-cloud code score adds give a 403 still. Also it seems calling cloud code from webgl just throws an error so all this was basically for nothing anyway


    Not implemented: Class::FromIl2CppType
    MethodAccessException: Attempt to access method 'Unity.Services.CloudCode.ICloudCodeService.CallEndpointAsync' on type '' failed.
     
    Last edited: Oct 24, 2023
  13. francoisjjunity

    francoisjjunity

    Unity Technologies

    Joined:
    Nov 23, 2020
    Posts:
    40
    Hi ZanthousDevelopment,

    When you create an Access Control policy to limit player access to leaderboards, and want to submit a score via Cloud Code, then you need to use the ServiceToken when calling the leaderboards APIs. Here is documentation on how to use the ServiceToken for javascript - https://docs.unity.com/ugs/en-us/manual/cloud-code/manual/scripts/how-to-guides/token-support and for c# https://docs.unity.com/ugs/en-us/ma...-support#Use_tokens_with_Cloud_Code_C#_SDKs_1.

    I will let the team know about the error you are experiencing when calling cloud code from webgl.

    Hope that helps!
     
  14. ZanthousDevelopment

    ZanthousDevelopment

    Joined:
    Jul 12, 2023
    Posts:
    12
  15. Tarodev

    Tarodev

    Joined:
    Jul 30, 2015
    Posts:
    190
    I'm finding this discussion frustrating. The original poster had a problem, Unity responded quickly with a standard solution for BaaS - letting only the server handle critical data. But it seems the OP isn't accepting this solution, preferring client-based score submissions instead. Kudos to Unity staff for their patience in this.

    One suggestion I would make, though, is to allow Access Control editable by a dashboard interface, similar to Firebase firewall. I haven't really thought about the semantics of such a system though.
     
    IainUnity3D likes this.
  16. wayfarergames

    wayfarergames

    Joined:
    Sep 7, 2013
    Posts:
    26
    I'm happy that the server authoritative stuff exists, and obviously that's better for bigger games - but it's a huge PITA (see comments from Zanthous) when you're making small games and the dev time handling that almost equals dev time on the game itself.

    I've got around 10 games with leaderboards:
    • There are about 5 that use Dreamlo, combined total of about 500 scores and around 30 fake scores that are above the maximum possible score you can get in the game
    • There are 2 that use Unity Leaderboards, as I said in an earlier post there are 1,000 entries - and there are a little over 10 that have scores that are above the maximum possible score you can get in the game
    • The rest use ExploitAvoid. It's a combined total of 8,000 entries, not one of which is above the maximum possible score.
    I have no server authoritative code, it's just using the leaderboard I linked in the original post. They are all web games.
    I'm aware that this is anecdotal and different games have different audiences, but it's very easy to implement on Unity's side and requires no extra input from the user. Unity leaderboards are billed as an easy to implement solution, no? Plus Unity themselves said they have no first party tutorials for the server authoritative flow.

    Again, I am very happy that the server authoritative flow exists, and it's a much better way to handle it - but it is too complex for a lot of people, particularly for game jams. I appreciate that smaller devs aren't really Unity's target market, but it's a straightforward addition that will make life easier for me (and I assume other people :p)
     
    Last edited: Jan 19, 2024
    Tarodev likes this.
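The server-side gate behind the "server write, client read" flow that the Unity replies describe, as an added example (not code from the thread, from Unity's Cloud Code API or from any poster). It turns the "above the maximum possible score" signal from the post above into an explicit rule applied before anything is written. The limits and sample submissions are constructed; the leaderboard write is a hypothetical injected function, which in Cloud Code would be the Leaderboards API called with the service token as francoisjjunity's reply notes.

```javascript
// Added example, not from the thread or Unity's SDK: the plausibility gate a
// Cloud Code / game-server script applies before writing a client-reported score.
// LIMITS are constructed sample values a real game would derive from its rules.
const LIMITS = {
  maxScore: 5000,          // highest score the game's rules can actually produce
  maxPointsPerSecond: 25,  // fastest legitimate scoring rate
  minDurationMs: 10000,    // a run cannot legitimately end before this
};

// Decide server-side whether a reported run is plausible. A reason is returned so
// rejections can be logged and counted instead of audited after the fact.
function gateScore(report, limits = LIMITS) {
  const { score, durationMs } = report;
  if (!Number.isInteger(score) || score < 0)
    return { accept: false, reason: "score not a non-negative integer" };
  if (!Number.isInteger(durationMs) || durationMs < limits.minDurationMs)
    return { accept: false, reason: "run too short" };
  if (score > limits.maxScore)
    return { accept: false, reason: "exceeds maximum possible score" };
  if (score / (durationMs / 1000) > limits.maxPointsPerSecond)
    return { accept: false, reason: "scoring rate implausible" };
  return { accept: true, reason: "ok" };
}

// Process a batch. authPlayerId comes from the authenticated caller (the token),
// never from the request body, so one client cannot submit on another's behalf.
// writeScore is a hypothetical callback standing in for the leaderboard write.
function processSubmissions(submissions, writeScore) {
  const summary = { written: 0, rejected: [] };
  for (const s of submissions) {
    const verdict = gateScore(s.report);
    if (verdict.accept) {
      writeScore(s.authPlayerId, s.report.score);
      summary.written++;
    } else {
      summary.rejected.push({ playerId: s.authPlayerId, reason: verdict.reason });
    }
  }
  return summary;
}

// Constructed sample traffic: three honest runs, one impossible score, one too-fast run.
const SAMPLE = [
  { authPlayerId: "p1", report: { score: 1200, durationMs: 90000 } },
  { authPlayerId: "p2", report: { score: 999999, durationMs: 60000 } },
  { authPlayerId: "p3", report: { score: 4800, durationMs: 30000 } },
  { authPlayerId: "p4", report: { score: 300, durationMs: 15000 } },
  { authPlayerId: "p5", report: { score: 4000, durationMs: 200000 } },
];
const BOARD = [];
const RESULT = processSubmissions(SAMPLE, (playerId, score) => BOARD.push({ playerId, score }));
```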