Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Cheating through the javascript console #90

Open
brandon-gong opened this issue Mar 31, 2020 · 2 comments
Open

Cheating through the javascript console #90

brandon-gong opened this issue Mar 31, 2020 · 2 comments

Comments

@brandon-gong
Copy link

The answers to questions can be accessed through the javascript console, for example

$o.answer

Will show the answer in the console.
Users are able to take advantage of this by buzzing immediately or after 1-2 words have been read. They can also circumvent the ban hammer by stealing 4-5 questions, waiting for a while, and repeating. Furthermore, even if they are successfully banned, they can simply get back in using a VPN or something and continue disrupting the experience for others.

Today was the second time I have encountered such a kind of cheater, so I was curious to see how they did it. I found the above trick almost immediately, and I wouldn't be surprised if there were other ways to exploit the console.

Some suggestions:

  • Allow buzzing in immediately before even a word of the question is read and answering correctly to be a bannable offense.
  • Don't store the answer in a string that is attached to some global object, or at least somehow obfuscate the string so that its not immediately obvious what the answer is. I bet that making it even slightly more inconvenient to find the answer would dissuade 99% of console cheaters. It definitely doesn't have to be any kind of super secure complicated encryption or anything.

Are you open to pull requests? I'd be interested in trying to contribute. Otherwise, I just wanted to make you aware of this small little exploit so you can resolve it on your own time if you wish.

Also, I just wanted to say thank you for your work. Protobowl is super fun and a nice tool for reviewing and staying sharp on things. I highly appreciate it!
@nathanielbd
Copy link

An even more problematic console exploit is setting that user's id to a certain string so that they get escalated to ninja privileges. This is pretty easily done in the console with the id being global.

There are also other exploits like the function for changing the question (and thereby revealing the answer) are global, but they are obfuscated. I'm deliberately being vague, but either way the system is vulnerable to cheaters without much effort.

I'd also be interested in contributing if you are open to pull requests.

@AKushWarrior
Copy link

This seems pretty harmless. I think that, because there's usually a social incentive to not cheat in private ProtoBowl rooms, this is only a significant problem in public rooms. Even then, going to such lengths to cheat on the practice for a real competition seems like a non-issue, because most players don't regard success at Proto as the main incentive (at least in my experience).

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@brandon-gong @nathanielbd @AKushWarrior