Users can hack arcade scores
 

This was brought to my attention on my forum: A member discovered this video on how to hack the arcade scores: http://www.youtube.com/watch?v=ySkTfDjoF9k

They tested it out on another forum and have confirmed that it works. The video was created on August 5th. Any hope for a fix?

it's not good... :(

my members loved my games so much. if one them is cheating so how's the users playing honestly?

Shouldnt this post be deleted??

Yes we know about it, but dont broadcast it! :mad:

It's usually pretty easy to tell who's been cheating by score or time played. You've just got to learn to police it properly, I don't think there's going to be anyway to fix this properly as you can you any memory editing program to produce the same results. Tamper data just makes it a whole lot easier for those who don't know what their doing.

Isn't it just like, if the score seems too high for the amount of time they've played, call them on it because it's either a massive game bug or an altered score? Besides, there are plenty of ways to cheat on arcade games, and just this one isn't that new...

Can't this be fixed ? it's ruining my Arcade... we used to give prizes, but now... i'm about to shut it down completelly...

<font color="Purple">this sucks thanks for letting me know</font>

Zeropage is working hard to prevent cheating, some cheating methods are already "blocked", but seems like some still work. :(


v32 games and that new timeout thing have really helped but there's a new way to cheat that few of my members have found out. And i'm about to report it to Zeropage right now..

Thx... we can only hope...

Same. The timeout feature doesn't always work either. Cause on some games tamper data can change the timeout.

He needs to step back and rethink the system. I'd suggest a php proxy. Although, that would mean all the games would be un-useable. darn $_GET function.

Well games can be converted, I think getting rid of cheaters is the most important thing for now.. :(

This is widely known and nobody has been able to come with a solution other than saying 'use v32 games'. Unfortunately if you have several hundred games chances are there are many v2 games amongst them as these are easier to convert and these are the ones prone to being tampered.

I have caught a couple of members this past month only because they logged really short times against the games. I strongly suspect other players who are being more coy and playing a full game (so the time looks normal) and tampering the data to get scores just above the current highscore and these are next to impossible to prove.

This really needs to be seriously addressed as it makes the whole scoring system completely pointless.

Did you get a response from Mr Z regarding the info you sent him Stifmeister?

there's a simple solution. recompile games to send multiple variables to be check server side.

For instance. Sending time played and the score. Then adding the two together, then hashing it. Then checking server side all those 3 variables to see if they are altered or not.

Not yet.



Well I hope that's easy to make. :):up:

latest v2.6.7+ also has something iomplemented to make the use of this "tamper data" more difficult, as the arcade also checks the time the game needs to submit the score.

-> this only works for all secured v32/v33 games ! (those with the yellow "!" in the AdminCP Gamelist)

So it is much more difficult as you need to be VERY quick using tamper-data or the session times out :D

This is something I have been wondered about for some time.

Is it not so that as long as the $FIXIE variable in the beginning of arcade.php is set to 1 (as it seems to be as default) this whole v32 security thing is pretty much ignored?
Which makes it just as simple to cheat on v32 games as the old games?

Thats how I understand it anyway. Please correct me if I am wrong.
I also understand that it's probably a reason for this variable being there in the first place. Even though I haven't experienced any problem myself when having it set to zero (only on a test board with no traffic)

/SK

What about the 1000's of v2 games that most sites still use? Are you saying those are no good?
What about the info Stifmeister sent you about a new way to cheat that his members found?

Btw if I didn't mention this before, the new way works for both v2 and v32/v33 games. :(


I'll try to get more info how it exactly works, I know the program but I haven't tested it myself yet.

Good morning all,

I know I don't post much on the site. Work, kids, and running my own site and home business will do that, lol. Yes, when I read this article I became a concern for me as well. The only thing we can do is monitor the time logged on a specific game for the high-scoring player. I announced that game cheating IS being monitored, and if cheating is discovered that the person caught will be perminately banned from the site. This seems to work as I have not had any cheating since. Now it is to be also noted that the game Ghost Rider does glitch a high-score that is not the fault of the player. That has happened on my site once.

What about the games included with the mod? Those aren' t v32 games, are they? I cannot see the yellow "!".

How can you tell if so cheated? We have an ongoing tournement and one user has a so much higher result than the rest. He is almost 10x better than the others.

And it is weird that the person holds the current highscore on that game and the all-time highscore is much higher and also from that person. I think that the all-time highscore has been achieved recently whereas the current highscore is older. Did that person cheat?

even the games with a ! in the list seem to be vulnerable to users altering their scores. I don't really see an easy way of fixing this, though.

Well, I have been watching the user logs, but with some of the games the game score does not match with possible scores for the time duration the user played. For instance a user scoring 1000000 points in 20sec's is impossible in most games. Or if you know there are only a certain amount of enemies or objects to destroy in a given level, and the user manages to score much higher without ever going past that level... those are just some of the indications cheating is going on.