AWS Realtime scripts possible security issues

0

In my quest to learn the realtime scripts i've discovered a possible serious security issue with aws realtime script source. if a client connects to the server but never sends a login packet, the server will still forward any messages from that client to other connected clients, the server fills in the peerID automatically based on the peerID the server was expecting to give the fake client, so they can effectively mascaraed as a fake player.

this means the OnSend callback needs to also be checking that the peerID is a valid connected player, but the default implementation does not do this check. in my opinion the server code itself should already be doing this check before it reach's developer code.

질문됨 3년 전194회 조회
2개 답변
0

Thanks for this. Am looping in the GameLift service team so they can respond.

답변함 3년 전
0

Hey @REDACTEDUSER

You're correct that RealTime Servers currently does not perform checks that the PeerId belongs to a valid PlayerSession while receiving/sending messages. I've created a request with the GameLift team to update the RealTime Server to validate this. RealTime Server Validation of the PlayerSession is currently only performed after receiving a LOGIN packet, and if the client does not send a LOGIN packet (a client that is not using the default implementation of the RealTime Client SDK), they can continue to send messages without further validation.

As you've suggested in your post, the current recommendation for developers is to add checks that the sender PeerId belong to valid sessions to the server script callbacks (e.g. onSendToPlayer, onMessage).

답변함 3년 전

로그인하지 않았습니다. 로그인해야 답변을 게시할 수 있습니다.

좋은 답변은 질문에 명확하게 답하고 건설적인 피드백을 제공하며 질문자의 전문적인 성장을 장려합니다.

질문 답변하기에 대한 가이드라인

관련 콘텐츠