
I'm new to the world of Socket.io, and was wondering if there are security issues with this:

I'm also using CoffeeScript.

Server.

io.sockets.emit('UserInfo', {player1: AllData1, player2: AllData2}) 

AllData1 is basically player1's sensitive information, and AllData2 is player2's sensitive information.

Client.

 myName = 'snugglePuff'

 socket.on('UserInfo', (data) ->
   # client-side check only: the whole payload has already arrived in this browser
   if data.player1.name is myName
     alert(data.player1.secret)
 )

So my question would be: Seeing as the server is broadcasting to every socket that is connected, would "player2" somehow using their browser be able to see data.player1.secret?

2 Answers


Yes, that is a massive security issue.

Anything you broadcast can be seen by every client. It would be trivial for a user to edit the script(s) on their version of the page and scrape the broadcast for extra data such as this.

If you have to send sensitive information, make sure it goes only to its owner. Alternatively, don't send anything sensitive and look into ways of keeping all the sensitive stuff server-side (e.g. sessions with a securely randomly generated ID to identify each user).

  • Hmm, I thought once the client js file loads a user won't be able to do much with it. They would have to refresh the page which would just give them the same "myName = snugglePuff" variable, wouldn't it? How is player2 on his browser able to access or see "data.player1.secret", when the alert will only happen if it matches 'snugglePuff', player1's name? I'm having a hard time wrapping my head around this... –  Oct 20 '17 at 10:40
  • In browser, if you inspect the page you can add a script. The user could very easily get rid of the if statement or modify it to suit them and then can just wait for the broadcast. A good rule of thumb for web security is to assume that the client can bypass client-side security checks. –  Oct 20 '17 at 10:44
  • Even if it is in an external js file? –  Oct 20 '17 at 14:19
  • Yes, even if it's external. Try inspecting your page (opening developer tools) and looking in the 'Sources' tab, it will show a list of all the external scripts the page uses. You'll find that you can add things to the scripts. –  Oct 20 '17 at 14:27
  • And actually, even without adding anything to the script, a user could just set a breakpoint to be tripped when a broadcast is received and then look through the data at their leisure (e.g. Chrome has this feature). Point is, there are many ways the data could be intercepted, so don't broadcast it in the first place. –  Oct 20 '17 at 14:41
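The difference between the broadcast in the question and per-socket delivery, as an added example that is not code from the original post or from the Socket.io project. The small FakeSocket and FakeServer classes are stand-ins for the three Socket.io calls involved (socket.emit, io.sockets.emit and io.to(socketId).emit) so the block runs offline and each client's inbox can be inspected afterwards; the player records, the socket ids and the socket-to-player mapping are constructed sample data.

```javascript
// Added example, not code from the question or from Socket.io.
// FakeSocket / FakeServer stand in for the three Socket.io calls used below
// (socket.emit, io.sockets.emit, io.to(socketId).emit) so the block runs
// offline and every client's inbox can be inspected afterwards.
class FakeSocket {
  constructor(id) {
    this.id = id;
    this.received = []; // every {event, data} this client was sent
  }
  emit(event, data) {
    this.received.push({ event, data });
  }
}

class FakeServer {
  constructor() {
    this.sockets = new Map();
  }
  connect(id) {
    const s = new FakeSocket(id);
    this.sockets.set(id, s);
    return s;
  }
  // io.sockets.emit(...): the same payload goes to every connected client
  broadcast(event, data) {
    for (const s of this.sockets.values()) s.emit(event, data);
  }
  // io.to(socketId).emit(...): one client, addressed by its socket id
  to(socketId) {
    const s = this.sockets.get(socketId);
    return { emit: (event, data) => { if (s) s.emit(event, data); } };
  }
}

// Constructed sample data standing in for AllData1 / AllData2.
const PLAYERS = {
  p1: { name: 'snugglePuff', secret: 'p1-secret-token', score: 10 },
  p2: { name: 'grumbleCat', secret: 'p2-secret-token', score: 7 },
};

// Assumed server-side state: which socket belongs to which player. In a real
// app this comes from the session/login step, never from a name the client sends.
const SOCKET_TO_PLAYER = { s1: 'p1', s2: 'p2' };

// What the question's server does: both records, secrets included, to everyone.
function vulnerableUserInfo(io) {
  io.broadcast('UserInfo', { player1: PLAYERS.p1, player2: PLAYERS.p2 });
}

// Public projection of a player: everything except the private fields.
function publicView(player) {
  const { secret, ...rest } = player;
  return rest;
}

// Hardened: each socket gets its own full record plus only the public view of
// the others; the routing decision is made on the server from the socket id.
function hardenedUserInfo(io) {
  for (const [socketId, playerId] of Object.entries(SOCKET_TO_PLAYER)) {
    const opponents = Object.entries(PLAYERS)
      .filter(([id]) => id !== playerId)
      .map(([, p]) => publicView(p));
    io.to(socketId).emit('UserInfo', { me: PLAYERS[playerId], opponents });
  }
}

// True if the given secret appears anywhere in what this socket received.
function receivedSecret(socket, secret) {
  return socket.received.some(({ data }) => JSON.stringify(data).includes(secret));
}

// Connect two clients, run one of the senders, and report who saw what.
function run(sender) {
  const io = new FakeServer();
  const s1 = io.connect('s1');
  const s2 = io.connect('s2');
  sender(io);
  return {
    p2SeesP1Secret: receivedSecret(s2, PLAYERS.p1.secret),
    p1SeesOwnSecret: receivedSecret(s1, PLAYERS.p1.secret),
    p1SeesP2Secret: receivedSecret(s1, PLAYERS.p2.secret),
  };
}

console.log('vulnerable broadcast:', run(vulnerableUserInfo));
console.log('per-socket delivery: ', run(hardenedUserInfo));
```

With the broadcast, player2's socket has player1's secret in its inbox before any client-side `if` runs, which is why editing the script or setting a breakpoint is enough to read it. With per-socket delivery the server decides who gets which record from its own socket-to-player mapping, and the opponent's record is projected through publicView before it leaves the server, so a client that tampers with its own script still only has its own secret to look at.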

We have many ways to send to clients.

So in your code, player2 can see player1.secret.

// sending to the sender client only
socket.emit('message', "this is a test");

// sending to all clients, including the sender
io.emit('message', "this is a test");

// sending to all clients except the sender
socket.broadcast.emit('message', "this is a test");

// sending to all clients in the 'game' room (channel) except the sender
socket.broadcast.to('game').emit('message', 'nice game');

// sending to all clients in the 'game' room (channel), including the sender
io.in('game').emit('message', 'cool game');

// sending to all clients in the 'game' room (channel) except the sender
// (socket.to(room) is the same as socket.broadcast.to(room); it never echoes to the sender)
socket.to('game').emit('message', 'enjoy the game');

// sending to all clients in the namespace 'myNamespace', including the sender
io.of('myNamespace').emit('message', 'gg');

// sending to an individual socket id (each socket is automatically in a room named after its own id)
socket.broadcast.to(socketid).emit('message', 'for your eyes only');
Le Dinh Dam