Users able to give themselves cash or edit cost of items


Abronsyth

Resolved

I don't have much info on this yet, but someone informed me that it's possible for a user to press Shift+F12 and click on their currency amount and then modify it.

Does anyone know how this is possible, and how I can prevent this form of cheating?
 
oh this... I've done a lot to prevent such behavior from happening, such as in breeding, pound and other scripts when users can cheat by manipulating form values, but looks like I left out this one.

What you can do is validate the price data against the database-stored value; if they don't match, clearly the user cheated and you can ban the user for cheating. Or you can just use the database-stored price value. I will take a look into the shop class and see what may have caused this.

Edit: After browsing the class files I actually don't see how users can cheat, since the price data is pulled from the database, not from user input. Can you tell me which page the cheating occurs on? I will investigate from there then.
 
I'm hoping the user who reported this to me will actually tell me the username of the one who cheated this way...I'm not sure which value to compare in the database in order to tell?

Now, if I press F12 and change what the amount of currency appears as, it changes how it looks on that particular page, but does not actually change it in the database, so the user only thinks they got away with something, when in fact it does nothing at all.

I'm going to see if the user can provide more information and try to get back to this.
 
Yeah, that's my thought too. I can change the look of the page by using inspect element, but it won't change the internal database value. Perhaps the user was mistaken?
 
HoF, I'd have to say so after I took a look at things. I'm assuming that one user was bragging about the cheat they discovered, but didn't realize that it wasn't actually a cheat.

Apologies for the false alarm, but I am very relieved it is a false alarm!
 
This isn't a problem, BUT if they were to modify other data, especially that in forms, it CAN cause issues. For example, I reported this bug last year. By simply right-clicking and inspecting the quantity field element on the shop page, a user can change the item name field client side and buy items that don't belong to that shop - or any shop, for that matter - so long as they know the item's name. Therefore, validation is necessary to confirm that the item does belong in the shop. I supplied a fix while reporting the bug.

You really don't want users buying out of season items or ones that aren't sold in shops. However, the cost of the item is, luckily, cosmetic only. They can attempt to change it, but the framework knows better and will still charge them the proper amount.
 
Oh yeah, I remember it from Kyttias; the only things a user can manipulate are the item and quantity. There's little point in cheating with item quantity, but itemname can be a problem. Thanks for providing a fix, Kyttias, and I hope you all look into it if you use its shop system.
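The checks discussed in this thread (price taken from the database, item confirmed to belong to the shop), as an added example that is not part of the original posts or the framework's own code. It is a language-neutral sketch in Python with SQLite; the table and column names, the `purchase` function and the 1 to 99 quantity bound are all assumptions made for illustration.

```python
import sqlite3

def make_db():
    """Constructed sample data: two shops and one item that no shop sells."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE users (name TEXT PRIMARY KEY, money INTEGER NOT NULL);
        CREATE TABLE items (itemname TEXT PRIMARY KEY, shop TEXT,
                            price INTEGER NOT NULL);
        INSERT INTO users VALUES ('alice', 500);
        INSERT INTO items VALUES ('Apple', 'Grocer', 20),
                                 ('Winter Hat', 'Seasonal', 150),
                                 ('Admin Trophy', NULL, 1);
    """)
    return db

def purchase(db, user, shop, form):
    """Process a purchase, trusting only the database for price and stock.

    `form` is the submitted form data. Only itemname and quantity are read;
    a client-supplied 'price' field is never consulted.
    """
    try:
        qty = int(form.get("quantity", ""))
    except (TypeError, ValueError):
        return "rejected: quantity is not a number"
    if not 1 <= qty <= 99:  # assumed bound; also blocks zero and negatives
        return "rejected: quantity out of range"
    # The item must be listed in the shop the request was made from.
    row = db.execute(
        "SELECT price FROM items WHERE itemname = ? AND shop = ?",
        (form.get("itemname"), shop),
    ).fetchone()
    if row is None:
        return "rejected: item is not sold in this shop"
    cost = row[0] * qty  # price from the database, not from the form
    with db:  # single transaction; the WHERE clause refuses to overdraw
        cur = db.execute(
            "UPDATE users SET money = money - ? WHERE name = ? AND money >= ?",
            (cost, user, cost),
        )
    if cur.rowcount != 1:
        return "rejected: not enough money"
    return f"ok: charged {cost}"
```

Rejected requests are worth logging with the username and the submitted values, since a mismatch between the form and the database is the signal that a form was edited client side.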
 
