10

HTML5 will be widely adopted as a way to design games, is the prediction. But I have my questions about this: how can an online HTML5 game ever be secure?

Let me give you an example: imagine this platform game where you gain badges when you win, for example, an extremely hard level. When you have actually won this badge, a request is made to the server, in order to update your online profile. Isn't it extremely simple for a hacker to just send this request and gain the badge, without playing the actual game? Because:

  • The client-side source code is visible and impossible to hide
  • It is possible to execute Javascript from the command-line

I don't see a way to prevent this hacker from gaining his badge... Is there any way to make this game safe?

Harmen
  • 22,092
  • 4
  • 54
  • 76
  • Flash games have the same problem. Related (Flash): http://stackoverflow.com/questions/477258/how-to-cheat-and-avoid-cheating-in-flash-games – Pekka Aug 09 '10 at 09:03
  • Related (Flash): http://stackoverflow.com/questions/1666213/flash-games-hack-score-is-49700-how-to-improve-flash-games-security – Pekka Aug 09 '10 at 09:03
  • Related (nearly duplicate): http://stackoverflow.com/questions/2785414/is-flash-actionscript-any-safer-than-javascript-for-persistent-online-game – Pekka Aug 09 '10 at 09:03
  • 2
    I don't see how it's essentially any different than desktop or even console gaming. – aib Aug 09 '10 at 09:04
  • Related (nearly duplicate): http://stackoverflow.com/questions/2785323/does-html5-make-javascript-gaming-safer-more-secure – Pekka Aug 09 '10 at 09:04
  • 1
    @aib the essential difference is that data is sent from and to the server and this data can be easily eavesdropped on. – Pekka Aug 09 '10 at 09:05
  • ALL games have this problem. Just because a game is compiled to byte- or machine-code does not stop attacks on its integrity. Anything, and I mean _anything_, that the server can't exercise direct, total, and _exclusive_ control over is open to attack. There's a reason Valve has to spend so much time and effort on their "Valve Anti-Cheat" stuff for their games -- it's defending against something that can never be completely and permanently defeated. – Nicholas Knight Aug 09 '10 at 09:05
  • Related (very good): http://stackoverflow.com/questions/73947/ – Pekka Aug 09 '10 at 09:06
  • 1
    @Pekka and others: Great, thanks! Enough to read and I didn't think about the fact that all games have this problem! – Harmen Aug 09 '10 at 09:11

3 Answers3

4

Yes, if you designed your game like that, it would be very easy to hack. But why is this specific to HTML5? You could do that with any type of game that was written like that. Even with a native desktop game you could still fake the request. The only difference is that faking HTTP requests is easier than reverse-engineering requests made by a desktop game.

The solution would be to add some kind of "validation" to the victory--the actual algorithm would vary from game to game. Maybe have the server track the game's progress while the user is playing. If it were a game of chess, for example, you could send every move to the server and have the moves validated to make sure they work out correctly. This gets more complicated with real-time games, though.

But whatever algorithm you decide to use, it will be defeated. Even the chess validation that I just mentioned could be bypassed: you could just "create" your own valid game of chess and just send the same moves to the server every time, ensuring that the game was valid. (This is assuming that the player is against a computer--having two humans play against each other would make things easier.)

Sasha Chedygov
  • 127,549
  • 26
  • 102
  • 115
  • Ok, thanks... In this chess game case it would be secure if the computer acts as a referee, receiving moves, checking if they're valid and checking if the current game is a win for one of the players. But it's harder to build such a referee for a platform based game... – Harmen Aug 09 '10 at 09:18
  • @Harmen: Right, which is why big companies spend hundreds of thousands of dollars trying to stop attempts to hack their games. It's not easy. And the more complex and powerful your anti-cheat mechanism becomes, the more expensive it becomes: using more server resources, taking up more of your time, etc. – Sasha Chedygov Aug 09 '10 at 09:30
2

It's no different from any Flash-based game or indeed a game with a downloadable client like World of Warcraft. Anything integral to the game's fairness has to be handled on the server.

Kylotan
  • 18,290
  • 7
  • 46
  • 74
  • Oh, so true. This has been a problem in multiplayer gaming since its inception. The talk of World of Warcraft reminds me of the episode of Software Engineering Radio from back in 2007. Skip to 20 minutes in http://www.se-radio.net/2007/08/episode-66-gary-mcgraw-on-security/ – Cheekysoft Aug 09 '10 at 14:48
1

One way that HTML5 can be more secure is that you can change it at any time. So let's say you have an AJAX call to provide a user with a reward. You could periodically change the signature of this call, so that 'cheats' would no longer work. Be sure to keep track of players that are still using the old API, and you can penalize the players using the cheats.

No, this won't solve all of your problems, and there are ways the most savvy players will be able to work around this (depending on how elaborate your changes are), but it does provide some way to deal with this, especially if your game requires significant investment. Players may not be willing to risk their progress if they feel like there is a chance they'll be caught. Just make sure you have a clear code of conduct that details punishments for cheating.

Jon Nichols
  • 2,211
  • 1
  • 20
  • 21