You're looking at our questions archive. This question was last updated almost 2 years ago.

If you're looking for help, head over to the Parse Developers Google Group or check out the tag on Stack Overflow.

Help Google Group Stack Overflow

Prohibit user from changing their own game score?

19 votes 3 answers 7.78k views almost 2 years ago

In a typical gaming app, a client needs to update a high score, and it has to do so by changing an object to which the user has write access. Since API keys are not secret (especially in javascript the user can simply look in the cource code), how do we prevent the user from making his own api call outside of the official client, in order to up his high score (or any other object whose ACL matches his credentials)?

3 Answers

You can track the game score on a separate class that is not writeable by any user. You can then use a Cloud Function to update the user's game score using the Master Key, which would let you modify the score even though it is not writeable by any user.

Héctor, how would go about enabling the Master Key for specific methods defined for Cloud Function. It seems to me that you either toggle it ON/OFF?

- Jamie Chapman almost 3 years ago

Parse.Cloud.useMasterKey() will enable master key access only during the execution of the specific Cloud Code or beforeSave function where it is used:

- Héctor Ramos almost 3 years ago

Héctor, correct me if im wrong. This still doesnt prevent any user from changing ones high score. Since the call to the cloud code is made in javascript, anyone can still see the CloudCode function call and call it at anytime from outside of the official client! if im right, what would you suggest us?

- Newton Guimarães Filho almost 3 years ago

I'm also interested in the answer to Newton's question, how would we prevent the user from executing the javascript after logging in with its own credentials?

- Schmeuk Studios almost 3 years ago

@newton, @marcos. There's nothing you can do about it. If the user can see the request, then they can spoof it. You would have the same problem using your own backend, or parse. Instead of having the function saveHighScore(score), you can have something like _shs(binary_score). This way makes it harder, but still if someone spend enough time, gonna figure it out.

- kev89431 over 2 years ago

This is a vulnerability that exists in using any non-compiled client code language like Javascript. Since the user can see the code, there's really no way to fully prevent a "man-in-the-middle" attack when saving your high score.

- David Rodriguez over 2 years ago

I see with what you @David and @kev mean. But I think i found a solution to this, its using a synchronous ajax request from the index file (home of the webSite) to a custom .php file hosted in my server, so the php file will return the keys. Synchronous because this request will be made right before the time that the parse credentials are set. Also, I made the possibility to change the http url not possible. BUT since im not a php/ajax/web programmer i don't know if this solution will work because i dont know if the "heartless cracker" will be able to make any requests to this php file (holds the master and javascript key) and then make his own call to my cloudCode. So any Suggestions?

- Newton Guimarães Filho over 2 years ago

Newton, there is fundamentally nothing you can do to mitigate this attack. It's not for lack of trying either, it's simply the architecture of Parse is such that clients do have the ability to script on top of your application and make API calls in the context of the logged in user. This could potentially be a target for DDOS attacks from clients sending large amounts of data.

- GN over 2 years ago

Wouldn't support for a SSL/TLS connection to the server mitigate this by removing the plain-text of the code from view? Or am I missing something?

- Creed Erickson over 2 years ago

I would implement this in with sockets and encrypt the score.

I would think using REST with PHP or Python would be more secure than Javascript?