
Bug Server-to-server callbacks can be spoofed easily?

Discussion in 'Unity Ads & User Acquisition' started by ShayP24, Aug 9, 2022.

  1. ShayP24

    ShayP24

    Joined:
    Aug 16, 2021
    Posts:
    1
    Hi everyone,

    I don't know if I've set up something wrong or what, but I followed https://docs.unity.com/ads/ImplementingS2SRedeemCallbacks.html very closely, including the nodejs server at the bottom.

    So everything was going very smoothly, until one user started claiming every 2-3 seconds (even though the ads are 30 seconds long). I could confirm at the time that they didn't have test mode on their device (I force overrode test mode to be off for production on the monetization dashboard settings).

    They anonymously got in touch with me this morning after I disabled the reward ads (presuming they had nothing more to lose/gain) and they started opening up to me about how they were spoofing the requests.

    This is what they were spamming to the Unity Ads API to get rewards:
    https://sourceb.in/HxmhhniDIx (values have been redacted/replaced)

    Even though they weren't actually watching full videos, Unity Ads still sent valid cid/sid/hmac combinations over to the reward server. I'm not sure if anyone else has run into this or if I've just configured something wrong, but any help would be immensely appreciated.