Vulnerability of flash movies in php

dorgon

When the flash games commit the scores to save via php.
Actually, the submitting is vulnerable, because someone will reverse compile the flash movie while will get them from website. On the occasion, they will find the addresses & strings in pages (e.g. save.php?record=1000). And will commit the pseudo-form which will show false scores on it to web server via php.

As the addresses & strings is opened in flash movie (no encrypting), how to distinguish the results will been submitted by web or by flash (I have picked the function getURL() of AS of flash to try, but as same with POST.)?How to restrict the results not by web? How to option for security of encryption?
Remark: AES_ENCRYPT() & SSL must be established on form, but the POST methods of forms will be virtual.

MarkR

You can't really do this.

Well, you could have the flash movie sign the data somehow, by making some sort of crypto hash and sending that with the data; the server performs the same operation and then compares the results - if they're different, the data have been altered.

But there's really no point, because anyone who is determined enough to manually send the POST, will be entirely capable of modifying the data in-memory in the flash movie.

Therefore, because your flash movie is NOT SECURE - i.e., it can be decompiled, modified and recompiled (say multiply all scores by 1000), there is really no way of doing this.

Even if the movie is encrypted and signs its data, that is still not secure because a debugger can do in-memory data modification on it - which will result it submitting a modified (i.e. inflated) score.

I wrote a game online which uses Javascript - this has no special security measures to protect its high score table, and it's been up for ages, and nobody has yet bothered to hack it to the best of my knowledge.

Mark