There are lots of games written in Flash out there on the net. And there are lots of them that have high-score tables. And there are lots of those that are lame, in that you can get any score you want. Why? Because they don't bother with even the most rudimentary security, instead relying on you not having the source code to the files to see what they do. In a world with a Flash disassembler, that's a very, very naive assumption.

Step back a sec. What exactly am I talking about here? Well, a Flash game with a high-score table has to have some way of getting the score you've just achieved back to the server. There are lots of ways it could do this, but a great many games choose one specific way: they call a script on the server with your name and your score. So, you play whichever game it is, you get a great score, and the Flash game asks for your name (with suitably adulatory commentary). It then makes a request for a URL that looks something like http://www.lamegameserver.com/lamegame/setScores.php?name=YourName&score=YourScore. The server has no way of telling a request the game made from one you typed into the address bar, so there's nothing stopping you just visiting that URL directly in your browser, with whatever names and scores you like. No checking done. That's pretty appalling.

"Ah," I hear you cry, (well, I probably don't actually hear you cry "ah", but you're no doubt thinking it), "but I don't know what that URL is, do I?" Not so. Remember, every time you find yourself saying "that's secure as long as we keep this detail of how it works secret", you're using security through obscurity as a substitute for real security, where everyone can know how you do what you do and still not be able to affect it (cryptographers have called this Kerckhoffs' principle for over a century). The Flash file itself must know what that URL is, so anyone who has the Flash file can know it too. So, run off to flasm.sf.net and grab their Flash disassembler, a very neat little tool. Grab the Flash file from the website (View Source on the page that embeds it, and look for an <object> or <embed> tag; it should reference a file called somethingorother.swf). Download that by visiting it directly in your browser. Then run flasm on it and inspect the output. What you're seeing is Flash assembly language, but it's pretty easy to understand. Look for a high_scores function or something of that sort. Possibly easier, search the output for "http" and ".php" and find all the URLs therein; the string constants are all listed together at the top of each frame, so they're hard to miss. Then look to see which URL it calls and call it yourself.
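The "search the output for http" step doesn't even need flasm: the string constants sit in the .swf as plain NUL-terminated text, so a strings-style scan finds them. The script below is an added example of mine (it is not part of the original article and not flasm's code). It handles both uncompressed ("FWS") and zlib-compressed ("CWS") files, since later Flash versions compress everything after the 8-byte header, and it looks for anything that smells like a URL or a server-side script name. The sample .swf it builds is constructed for the test; its constant strings are the ones from the disassembly quoted later on this page, and the header construction is simplified (only signature, version and file length, with no frame size or frame rate).

```python
"""Pull candidate score-submission URLs out of a .swf without a disassembler.

Added example, not from the original article or from flasm.
"""
import re
import struct
import sys
import zlib

# Constructed sample: the string constants flasm showed for the game on this page,
# NUL-separated as they are in an ActionScript constant pool.
SAMPLE_CONSTANTS = [
    b"userName", b"userEmail", b"str", b"sendScores.php?name=", b"&score=",
    b"_level100", b"score", b"&email=", b"_root", b"path", b"http://lamegame.com",
]
SAMPLE_BODY = b"\x00".join(SAMPLE_CONSTANTS) + b"\x00"


def build_sample_swf(body: bytes, compressed: bool) -> bytes:
    """Wrap a body in a minimal SWF header (signature, version, total length).

    Simplified for the example: a real header also carries frame size and rate.
    """
    header_len = 8
    signature = b"CWS" if compressed else b"FWS"
    version = 6  # first SWF version that allowed CWS compression
    payload = zlib.compress(body) if compressed else body
    return signature + bytes([version]) + struct.pack("<I", header_len + len(body)) + payload


def swf_body(data: bytes) -> bytes:
    """Return everything after the 8-byte header, inflating it for CWS files."""
    signature = data[:3]
    if signature == b"FWS":
        return data[8:]
    if signature == b"CWS":
        return zlib.decompress(data[8:])
    raise ValueError("not a SWF file (signature %r)" % signature)


# Runs of printable ASCII, like the classic `strings` tool.
STRING_RE = re.compile(rb"[\x20-\x7e]{4,}")
# Anything that looks like a URL or a server-side script the game might call.
URL_RE = re.compile(rb"https?://|\.(?:php|asp|cgi|pl)\b", re.IGNORECASE)


def printable_strings(body: bytes) -> list:
    return [m.group(0) for m in STRING_RE.finditer(body)]


def find_score_urls(data: bytes) -> list:
    """Candidate submission URLs / script names, in order of appearance."""
    return [s.decode("ascii") for s in printable_strings(swf_body(data)) if URL_RE.search(s)]


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else None
    data = open(path, "rb").read() if path else build_sample_swf(SAMPLE_BODY, compressed=True)
    for candidate in find_score_urls(data):
        print(candidate)
```

Run it as `python swfurls.py somethingorother.swf`; with no argument it scans the constructed sample and prints `sendScores.php?name=` and `http://lamegame.com`. A hit like `sendScores.php?name=` next to a bare hostname is exactly the pattern the disassembly below shows, and tells you where to look in the flasm output for how the pieces are glued together.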

An example (the Flash game from which it came shall remain unidentified). This extract is about halfway through the disassembled file.


    frame 20
      constants 'userName', 'userEmail', 'checkEmail', 'str', 'sendScores.php?name=',
        '&score=', '_level100', 'score', '&email=', '_root', 'path', 'this', 'message',
        'sending score', 'Selection', 'setFocus', 'please enter valid email, cheers mate.',
        'toUpperCase', 'please enter your name, cheers mate.', 'i', 'emailList', 'length',
        'addy', ' ', 'indexOf', '@', '.', 'lastIndexOf', 'http://lamegame.com'
      function send ()
        push 'userName'
        getVariable
        push UNDEF
        equals
        not
        not
        branchIfTrue label3
        push 'userEmail'
        getVariable
        push 1
        push 'checkEmail'
        callFunction
        not
        branchIfTrue label1
        push 'str'
(1)     push 'sendScores.php?name='
        push 'userName'
        getVariable
        add
(2)     push '&score='
        add
        push '_level100'
        getVariable
        push 'score'
        getMember
        add
(3)     push '&email='
        add
        push 'userEmail'
        getVariable
        add
        setVariable
        push '_root'
        getVariable
        push 'path'
        getMember
        push 'str'
        getVariable
        add
        push 'this'
        getVariable
        loadVariables
        play
        push 'message'
        push 'sending score'
        setVariable
        branch label2

Notice how on lines 1, 2, and 3 we construct a URL (the lines after each of these simply "push" the current values of the Flash variables userName, _level100.score and userEmail into this string too), and store it in str. The loadVariables call then fetches _root.path + str; path isn't set in this extract, but the only absolute URL in the constants section is http://lamegame.com, which is presumably where sendScores.php lives. Note also that the only checks the game does are that userName is set and that userEmail passes checkEmail, and both happen inside the Flash file before the request is made, so a request you make by hand skips them entirely. So, we just visit http://lamegame.com/sendScores.php?name=LameHacker&score=1000000&email=lh@lamelame.org and there we are in the table.

The first conclusion to be drawn from this is that anyone using this to win competitions or look good is a bit pathetic, really. This is not hard; it's the equivalent of trying all the car doors on a street. Find something more constructive to do than 0wning high-score tables, you know it makes sense.

The second conclusion is that, as Macromedia continue to try and position Flash as an application development environment rather than something for games and banner ads, Flash developers are going to have to relearn the lessons of security that CGI developers did, or they're going to pay a big price when something more important than a game is developed in Flash.
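The article stops at the diagnosis, so here is what the CGI lesson looks like applied to this case, as an added example of my own (not the author's code, and not any real game's server code). The first function models the setScores.php pattern described above: whatever is in the query string goes straight into the table. The second models a server that issues an HMAC-signed token when a game starts, accepts a score only with a valid, unused token, and rejects scores that couldn't have been earned in the time elapsed since the token was issued. The secret key, the points-per-second bound and the token format are all hypothetical choices for the example.

```python
"""The trusting score endpoint beside a version that stops trusting the client.

Added example, not from the original article. Everything here is hypothetical:
the secret, the plausibility bound, the token format.
"""
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qs

# Hypothetical server-side values for the example.
SECRET = b"server-side-secret-never-shipped-in-the-swf"
MAX_POINTS_PER_SECOND = 50


def naive_set_scores(query: str, table: list) -> bool:
    """The pattern the article describes: name and score straight from the query string."""
    params = parse_qs(query)
    name = params.get("name", [""])[0]
    score = int(params.get("score", ["0"])[0])
    table.append((name, score))  # no check of any kind
    return True


def issue_game_token(secret: bytes, started_at: int, nonce: str = None) -> str:
    """Handed to the game when a round starts; the client cannot forge it without SECRET."""
    nonce = nonce or secrets.token_hex(8)
    message = f"{nonce}:{started_at}".encode()
    mac = hmac.new(secret, message, hashlib.sha256).hexdigest()
    return f"{nonce}:{started_at}:{mac}"


def verify_game_token(secret: bytes, token: str):
    """Return (nonce, started_at) if the MAC checks out, else None."""
    try:
        nonce, started_at, mac = token.split(":")
        started_at = int(started_at)
    except ValueError:
        return None
    expected = hmac.new(secret, f"{nonce}:{started_at}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return None
    return nonce, started_at


def hardened_set_scores(query: str, table: list, used_tokens: set,
                        secret: bytes = SECRET, now: float = None) -> str:
    """Accept a score only with a valid, single-use token and a plausible rate."""
    now = time.time() if now is None else now
    params = parse_qs(query)
    name = params.get("name", [""])[0][:20]          # bound what ends up on the page
    token = params.get("token", [""])[0]
    try:
        score = int(params.get("score", [""])[0])
    except ValueError:
        return "bad score"
    parsed = verify_game_token(secret, token)
    if parsed is None:
        return "bad token"
    nonce, started_at = parsed
    if nonce in used_tokens:
        return "replayed token"                        # one submission per round
    elapsed = now - started_at
    if elapsed <= 0 or score < 0 or score > elapsed * MAX_POINTS_PER_SECOND:
        return "implausible score"                     # earned faster than the game allows
    used_tokens.add(nonce)
    table.append((name, score))
    return "ok"


if __name__ == "__main__":
    naive, hardened, used = [], [], set()
    naive_set_scores("name=LameHacker&score=1000000&email=lh@lamelame.org", naive)
    token = issue_game_token(SECRET, started_at=1000)
    print(hardened_set_scores(f"name=LameHacker&score=1000000&token={token}", hardened, used, now=1060))
    print(hardened_set_scores(f"name=Player&score=2500&token={token}", hardened, used, now=1060))
    print(naive, hardened)
```

Be clear about what this buys. It stops the URL-in-the-address-bar attack from this article (no token, no entry; a forged or reused token is rejected; a million points sixty seconds into a round is rejected). It does not stop someone who fetches a real token, waits the requisite time, and then submits the best score the rate bound allows, because the score is still a number the client reports. Only a server that replays or verifies the actual game can do better than that, and that is the real lesson: a Flash movie is client-side code, and anything it sends is an input to be validated, not a fact.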

© sil, December 2002