Security Basics mailing list archives
RE: Securing Flash Games.
From: "Murda Mcloud" <murdamcloud () bigpond com>
Date: Fri, 12 Dec 2008 09:23:21 +1000
This has me wondering whether it is 'illegal' or 'unethical' to hack these kinds of games (non money/fun type) when they are running client-side. I mean, I don't know whether many of the ones I have played have any kind of EULA which says you can't do this kind of re-engineering. The bigger games may well have but not the smaller games that you see at miniclips and the like. (Not that I remember at least) When it comes to gambling games then the money incentive will make sites a bigger target I'd guess - as Dan points out - but the illegality of that seems so much more obvious.
-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Dan Crowley
Sent: Thursday, December 11, 2008 7:45 AM
To: security-basics () securityfocus com
Subject: Re: Securing Flash Games.

Flash, being a technology that runs on the client side, will always be subject to modification. Consider all data coming from the application to be tainted.

Furthermore, any sort of encryption that you use will be difficult (if not impossible) to enforce. Any algorithm or key used will still be stored in the flash file, and all it takes is some reversing to pull it out. All of a sudden, users can send messages as if they were the flash game, using your encryption key and algorithm.

Even worse, there are more considerations than the strength of the encryption scheme. Let's say, for example, that you have a flash poker game. For the sake of argument, you find some way to make the encryption scheme impossible for the user to break. Then, a malicious user (Let's call him Mallet) decides to run a packet sniffer on his machine. Mallet picks up the packets his computer sends to the game server. He's down $300, and finally manages to win a piddly $5 back. Mallet then isolates the packet sent after winning those $5 and sends it again. And again. And again, ad nauseam, until he's doing very well indeed at poker.

There are ways to prevent this, but still...

Put as much of the process on the server as possible. As long as the logic is on the client side, it will never be secure.

--
Dan Crowley

"One machine can do the work of one hundred ordinary men. No machine can do the work of an extraordinary man."
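
Added example, not part of the original messages: a Python sketch of the replayed "win" packet from the poker scenario above, handled first by a server that trusts the client and then by one that keeps the outcome server-side and settles each hand once. The class names, packet fields and the payout argument are hypothetical and constructed for illustration.

```python
import secrets

class NaiveServer:
    """Trusts the client: each 'win' packet credits whatever amount it carries."""
    def __init__(self, balance):
        self.balance = balance

    def handle(self, packet):
        # No freshness check, so a captured packet is valid every time it is resent.
        if packet["type"] == "win":
            self.balance += packet["amount"]
        return self.balance


class AuthoritativeServer:
    """Keeps game logic server-side; the client only names a hand to settle."""
    def __init__(self, balance):
        self.balance = balance
        self.open_hands = {}  # hand_id -> payout decided by the server

    def deal(self, payout):
        # payout stands in for the server's own game logic (constructed value).
        hand_id = secrets.token_hex(16)  # unguessable, single-use identifier
        self.open_hands[hand_id] = payout
        return hand_id

    def handle(self, packet):
        # pop() removes the hand, so a replayed packet finds nothing to settle.
        payout = self.open_hands.pop(packet.get("hand_id"), None)
        if payout is None:
            return self.balance  # unknown or already settled: ignore
        # Any client-supplied "amount" is ignored; only the server's value counts.
        self.balance += payout
        return self.balance


def replay(server, packet, times):
    """Send the same captured packet `times` times and return the final balance."""
    result = server.balance
    for _ in range(times):
        result = server.handle(packet)
    return result


if __name__ == "__main__":
    naive = NaiveServer(balance=-300)
    print(replay(naive, {"type": "win", "amount": 5}, 100))        # 200
    strict = AuthoritativeServer(balance=-300)
    hand = strict.deal(payout=5)
    print(replay(strict, {"hand_id": hand, "amount": 5000}, 100))  # -295
```

The second server never reads an amount from the client, so both the replay and a tampered amount leave the balance at the single legitimate $5 credit.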