AWS Realtime scripts possible security issues

0

In my quest to learn the realtime scripts I've discovered a possible serious security issue with the AWS Realtime script source. If a client connects to the server but never sends a login packet, the server will still forward any messages from that client to other connected clients; the server fills in the peerID automatically based on the peerID it was expecting to give the fake client, so they can effectively masquerade as a fake player.

This means the OnSend callback needs to also be checking that the peerID is a valid connected player, but the default implementation does not do this check. In my opinion the server code itself should already be doing this check before it reaches developer code.

Asked 3 years ago, 194 views
2 answers
0

Thanks for this. Am looping in the GameLift service team so they can respond.

Answered 3 years ago
0

Hey @REDACTEDUSER

You're correct that RealTime Servers currently do not perform checks that the PeerId belongs to a valid PlayerSession while receiving/sending messages. I've created a request with the GameLift team to update the RealTime Server to validate this. RealTime Server validation of the PlayerSession is currently only performed after receiving a LOGIN packet, and if the client does not send a LOGIN packet (a client that is not using the default implementation of the RealTime Client SDK), they can continue to send messages without further validation.

As you've suggested in your post, the current recommendation for developers is to add checks to the server script callbacks (e.g. onSendToPlayer, onMessage) that the sender PeerId belongs to a valid session.

Answered 3 years ago
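One way to add the sender check the answer above recommends, as an added example that is not part of the original thread and not GameLift's own code. It assumes the Realtime script callback shapes `onPlayerAccepted(player)` with `player.peerId`, `onPlayerDisconnect(peerId)`, and `onMessage`/`onSendToPlayer(gameMessage)` with `gameMessage.sender`, and that returning `false` from `onSendToPlayer` stops delivery; the script tracks which peers actually completed login itself instead of trusting the peer id on the message.

```javascript
// Added example (not from the original post or from GameLift).
// Assumed callback shapes: onPlayerAccepted(player) with player.peerId,
// onPlayerDisconnect(peerId), onMessage(gameMessage) and
// onSendToPlayer(gameMessage) with gameMessage.sender, where a false
// return from onSendToPlayer tells the server not to deliver the message.

// Peer ids whose LOGIN the server accepted. A connection that never sent
// LOGIN still gets a peer id assigned, but it never lands in this set.
const acceptedPeers = new Set();

// True only if the message comes from a peer that completed login.
function isValidSender(gameMessage) {
  return gameMessage != null && acceptedPeers.has(gameMessage.sender);
}

// Invoked after the server validated the player's PlayerSession on LOGIN.
function onPlayerAccepted(player) {
  acceptedPeers.add(player.peerId);
}

// Forget the peer so a later connection reusing the id must log in again.
function onPlayerDisconnect(peerId) {
  acceptedPeers.delete(peerId);
}

// Game-logic entry point: returns true when the message was processed,
// false when it was dropped because the sender never logged in.
function onMessage(gameMessage) {
  if (!isValidSender(gameMessage)) {
    return false; // dropped: unauthenticated peer
  }
  // ... normal game logic for gameMessage.opCode / gameMessage.payload ...
  return true;
}

// Forwarding gate: only deliver player-to-player messages from logged-in peers.
function onSendToPlayer(gameMessage) {
  return isValidSender(gameMessage);
}

exports.ssExports = { onPlayerAccepted, onPlayerDisconnect, onMessage, onSendToPlayer };
```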
