Possible Scam: Received an email regarding faulty Unity IAP

LandonC · Sep 14, 2021

I received an email regarding a flaw in Unity IAP, it does not seem legit but I thought of sharing it here.

Dear Developers,

We are a group of security researchers at The Ohio State University. We recently performed a study to identify whether the in-app purchasing (IAP) of mobile games developed by Unity can be bypassed in mobile games. An IAP can be bypassed if the payment transaction is verified locally by Unity API (in particular UnityEngine.Purchasing.Security.CrossPlatformValidator.Validate), or there is no verification at all. Such an attack can be launched by either repackaging of the game apps, or rooting the phone, or using virtualization apps such as Parallel Space (which can be easily obtained from Google Play and used by attackers).

During our study, however, we found your game(s) are vulnerable to the payment bypassing attack (or playing without paying attack). As responsible security researchers, we would like to disclose our findings to you, and we hope you will patch your game app soon (e.g., validating the payment in your server side, not locally in the game). We will keep this vulnerability confidential for 6 months (note that when the paper is published, attackers will be able to know how to launch the payment bypassing attacks). Here are the detailed information about your vulnerable game(s):

---(package name: ----, version: 2.4U5) used local verification on payment transactions.
---(package name: ----, version: 20) used local verification on payment transactions.

Please let us know if you have any questions.

Best regards,
Chaoshun Zuo
Click to expand...

Email came from s3.gameresearch@gmail.com

mgear · Sep 10, 2021

Are those your games? Sounds like a realistic bug/vuln though..

still bit strange that they didn't use school email.

LandonC · Sep 10, 2021

mgear said: ↑

Are those your games? Sounds like a realistic bug/vuln though..

still bit strange that they didn't use school email.
Click to expand...

Yeah, those are my games. I believe this is a scam as the versions mentioned are very much outdated. I am using the latest IAP available to me too, so if the IAP is flawed, wouldn't everyone who uses Unity IAP be affected too?

JeffDUnity3D · Sep 13, 2021

We believe the email is well intentioned and likely not a scam. Our IAP receipt validator performs a local checksum and does not validate with Google servers as correctly stated. However, we have not heard of widespread use of the bypass that this researcher has mentioned in actual practice, but it is possible. No validation is ever 100% effective, and we do not make that claim. We are discussing improved server-side receipt validation in a future release. In the meantime, you might consider a service like ChilliConnect or PlayFab to verify receipts server-side. Our documentation is linked below and states:

"Important: While Unity IAP provides a local validation method, local validation is more vulnerable to fraud. Validating sensitive transactions server-side where possible is considered best practice"

https://docs.unity3d.com/Manual/UnityIAPValidatingReceipts.html

LandonC · Sep 14, 2021

JeffDUnity3D said: ↑

We believe the email is well intentioned and likely not a scam. Our IAP receipt validator performs a local checksum and does not validate with Google servers as correctly stated. However, we have not heard of widespread use of the bypass that this researcher has mentioned in actual practice, but it is possible. No validation is ever 100% effective, and we do not make that claim. We are discussing improved server-side receipt validation in a future release. In the meantime, you might consider a service like ChilliConnect or PlayFab to verify receipts server-side. Our documentation is linked below and states:

"Important: While Unity IAP provides a local validation method, local validation is more vulnerable to fraud. Validating sensitive transactions server-side where possible is considered best practice"

https://docs.unity3d.com/Manual/UnityIAPValidatingReceipts.html
Click to expand...

Thank you so much for clarifying!

Mauri · Sep 14, 2021

Also, searching the name in that email brings up quite a few entries that confirm the legitimacy - eg. this and this one.

albert8716 · Sep 30, 2021

We also received this message even though we are already using server-side validation.

We are doing: purchase -> success -> local validation (Unity IAP Validator) -> server validation -> server unlocks content.

Does this mean we don’t have an issue? We assume we were notified because we are also using the local validation first

Is there any reason for us to do the local validation (as we are validating with the server anyway)?

We implemented it based on the example project but we note there's no local validation in this diagram:
https://docs.unity3d.com/Packages/c...72.1425503656.1632354011-576983215.1551664329

Or in this description of server validation:
https://docs.unity3d.com/Manual/UnityIAPValidatingReceipts.html

Many thanks,
Albert

Voxel-Busters · Sep 30, 2021

Always validate your receipts on your backend server to be fail proof!

JeffDUnity3D · Sep 30, 2021

Voxel-Busters said: ↑

Always validate your receipts on your backend server to be fail proof!
Click to expand...

No solution, even on the server, is fail proof.

JeffDUnity3D · Sep 30, 2021

albert8716 said: ↑

We also received this message even though we are already using server-side validation.

We are doing: purchase -> success -> local validation (Unity IAP Validator) -> server validation -> server unlocks content.

Does this mean we don’t have an issue? We assume we were notified because we are also using the local validation first

Is there any reason for us to do the local validation (as we are validating with the server anyway)?

We implemented it based on the example project but we note there's no local validation in this diagram:
https://docs.unity3d.com/Packages/c...72.1425503656.1632354011-576983215.1551664329

Or in this description of server validation:
https://docs.unity3d.com/Manual/UnityIAPValidatingReceipts.html

Many thanks,
Albert
Click to expand...

More validation would never hurt! But typically if you are doing server side validation, local validation is not needed

Voxel-Busters · Sep 30, 2021

JeffDUnity3D said: ↑

No solution, even on the server, is fail proof.
Click to expand...

I see. Wasn't aware of the hacks even with server validation.

Search Unity

Possible Scam: Received an email regarding faulty Unity IAP

LandonC

mgear

LandonC

JeffDUnity3D

Unity Technologies

LandonC

Mauri

albert8716

Voxel-Busters

JeffDUnity3D

Unity Technologies

JeffDUnity3D

Unity Technologies

Voxel-Busters

Search Unity

Unity ID

Useful Searches

Possible Scam: Received an email regarding faulty Unity IAP

Unity Technologies

Unity Technologies

Unity Technologies