
I have a game with a worldwide highscore feature. It uses the firebase database, and writes the user's score if it is the highscore. The rules state that anyone can read or write, so other people can view the highscore.

My problem is that it's easy to manipulate the highscore without actually getting a score. How can I make it so when you achieve a new highscore, it is written to the database, but if you go into the console and change the data, it won't allow you to change it?

    // runs entirely in the browser, so anyone can evaluate it from the DevTools console
    if (score > worldScore) {
      database.ref().update({ highscore: score });
    }

You can see that it is very easy to change the data.

Comment (Apr 3, 2018 at 23:56): Please show some code.

3 Answers


In the Firebase console, there are never any restrictions on what you can read or write in the database. Security rules never apply there.


2 Comments

I'm pretty sure they mean the browser console, not the firebase console.
@DanielBeck Yes, I meant that someone can go into the JavaScript console and change the data in the database.

Strictly speaking, unless you involve some server-side component that can one way or another confirm the score was achieved legitimately, this is not possible. Client-side data is always subject to user manipulation; any confirmation checks on that data which you perform on the client would also be subject to user manipulation.

(As for how to actually perform that server-side confirmation: it'll depend on the details of the game, but one way might be to have the client periodically send significant game data to the server; if the server can determine that any of the data has changed in ways that should be impossible according to the game rules -- like a score jumping too far in too short a period of time -- then ignore any future score submissions from that user. Even this isn't perfect: the user can still cheat by manipulating the data that gets sent in that periodic poll, but they'd have to keep their changes at least within the bounds of plausibility.)



Typically you'll want to store not just the score, but also the way the player achieved that score. For example: if it is a board game, write their moves in addition to the result. If you have both you can:

  1. Verify that the score they wrote is indeed the score that is gotten by applying the moves.
  2. Perform some analysis to detect if the moves seem likely to be computer generated.

Both of these processes are cases of "trusted code", i.e. code that should be running in a trusted environment. For this you can use either an environment you control (a private server, your laptop, etc), Cloud Functions for Firebase, or (in some cases) Firebase's server-side security rules. Which ones are feasible depends on your exact use case, and your available time.

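The trusted-code path that the last two answers describe, as an added example that is not code from the question or from either answer: the client stores the moves that produced a score, a server-side validator replays them under the game rules and accepts only the score the replay yields, and a pace check rejects sessions that could not have been played by a human. The game here is a constructed toy (a 5x5 grid with coins at fixed cells, one point per coin), and the constants, function names and the rules object are assumptions for a hypothetical schema; in a Firebase deployment `validateSubmission` would run inside a Cloud Function triggered by a write to `/submissions/$uid` and write the accepted value with the Admin SDK, which is not subject to security rules. Those SDK calls are left out so the code runs offline with plain Node.

```javascript
"use strict";

// --- constructed toy game ---------------------------------------------------
const GRID_SIZE = 5;                              // assumed board size
const COINS = ["1,0", "2,2", "4,4", "0,3"];        // constructed coin cells "x,y"
const MAX_MOVES_PER_SECOND = 10;                  // assumed plausibility bound

// Deterministic game rules: the player starts at (0,0), each coin scores once.
// Returns the score the move list yields, or null if any move is illegal
// (unknown move, or a move that leaves the grid).
function replayMoves(moves) {
  const steps = { U: [0, -1], D: [0, 1], L: [-1, 0], R: [1, 0] };
  let x = 0, y = 0, score = 0;
  const remaining = new Set(COINS);
  for (const move of moves) {
    const step = steps[move];
    if (!step) return null;
    x += step[0];
    y += step[1];
    if (x < 0 || y < 0 || x >= GRID_SIZE || y >= GRID_SIZE) return null;
    if (remaining.delete(`${x},${y}`)) score += 1;   // coin collected once
  }
  return score;
}

// --- trusted-side validation -------------------------------------------------
// submission = { uid, claimedScore, moves, startedAt, finishedAt } (epoch ms).
// The claimed score is never trusted: the replay decides what the moves are worth,
// and a session with more moves per second than a person could make is rejected
// outright (the "too far in too short a period" check from the second answer).
function validateSubmission(submission) {
  const { claimedScore, moves, startedAt, finishedAt } = submission;
  if (!Array.isArray(moves) || !Number.isInteger(claimedScore)) {
    return { accepted: false, reason: "malformed", score: 0 };
  }
  const elapsedSeconds = (finishedAt - startedAt) / 1000;
  if (!(elapsedSeconds > 0) || moves.length / elapsedSeconds > MAX_MOVES_PER_SECOND) {
    return { accepted: false, reason: "implausible-pace", score: 0 };
  }
  const replayed = replayMoves(moves);
  if (replayed === null) {
    return { accepted: false, reason: "illegal-move", score: 0 };
  }
  if (replayed !== claimedScore) {
    return { accepted: false, reason: "score-mismatch", score: replayed };
  }
  return { accepted: true, reason: "ok", score: replayed };
}

// What the trusted side writes back: the current highscore (as read from the
// database) unless the submission is valid and beats it.
function nextHighscore(currentHighscore, submission) {
  const result = validateSubmission(submission);
  if (!result.accepted) return currentHighscore;
  return Math.max(currentHighscore, result.score);
}

// Realtime Database rules for the assumed schema. Clients may only write their
// own submission record; /highscore is read-only for every client SDK caller,
// so the browser-console update from the question is denied. The Admin SDK used
// by the Cloud Function bypasses rules, so only the validated write lands.
const RULES_DENYING_CLIENT_WRITES = {
  rules: {
    highscore: { ".read": true, ".write": false },
    submissions: { $uid: { ".write": "auth != null && auth.uid === $uid" } },
  },
};
```

Two design points: the validator returns the replayed score on a mismatch rather than the claimed one, so a client that under-reports by accident still gets credit for what the moves actually earned; and the pace bound is a crude plausibility filter, so a real game would tune `MAX_MOVES_PER_SECOND` from recorded legitimate sessions and add rule-specific checks on top of the replay.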
