Bug Server-to-server callbacks can be spoofed easily?

Discussion in 'Unity Ads & User Acquisition' started by ShayP24, Aug 9, 2022.

ShayP24 (joined Aug 16, 2021; 1 post):
    Hi everyone,

    I don't know if I've set up something wrong or what, but I followed https://docs.unity.com/ads/ImplementingS2SRedeemCallbacks.html very closely, including the nodejs server at the bottom.

    So everything was going very smoothly, until one user started claiming every 2-3 seconds (even though the ads are 30 seconds long). I could confirm at the time that they didn't have test mode on their device (I force overrode test mode to be off for production on the monetization dashboard settings).

    They anonymously got in touch with me this morning after I disabled the reward ads (presuming they had nothing more to lose/gain) and they started opening up to me about how they were spoofing the requests.

    This is what they were spamming to the Unity Ads API to get rewards:
    https://sourceb.in/HxmhhniDIx (values have been redacted/replaced)

    Even though they weren't actually watching full videos, Unity Ads still sent valid cid/sid/hmac combinations over to the reward server. I'm not sure if anyone else has run into this or if I've just configured something wrong, but any help would be immensely appreciated.