Giveaway security

raecer (Member, Messages: 46, Points: 6)
This is what is being supplied to indiegala servers when a giveaway is created:

gameid: appid from specific steam store app
gamesid: the serial key
gametitle: "headline" for giveaway (can't usually be changed)
gameimg: link to indiegala game server image (can't usually be changed)
game_steam_url: url to steam game
text: description of giveaway
duration: length of time for giveaway
level_threshold: which level threshold giveaway is (can't usually go above your own level)

A malicious user can change any and all of these inputs. The user below chose to change the gameimage and headline, probably for his own amusement.

Example:

Indiegala should look over the input validation or other security for this or at least remove redundant values. You probably don't need to know both appid and the steam url and you definitely don't need to know both appid and the link to a gameimage if you set it up decently.

Since I'm not a bastard, I have not checked what happens if you supply a different steam url and appid. Potentially, depending on how it's set up you could receive the xp from one game, while entirely representing another game. You can be sure people are either already trying or doing this.

At the very least your customers will have a bad experience if you allow things like the link above to happen.
That's what I think anyway.

Baffi (New member, Messages: 21, Points: 1)
Originally posted by: raecer said:
This is what is being supplied to indiegala servers when a giveaway is created:

gameid: appid from specific steam store app
gamesid: the serial key
gametitle:
wow that's some crazy stuff here, the guy has gone to a new level of fake giveaways and abuse of the system... :| hopefully the IG notices it and these holes are removed as well as the guy banned.

Wmply (Member, Messages: 69, Points: 8)
I have got to admit, that's a bit worrying.

I have emailed support asking them to read this thread, so that they are aware of it.

Baffi (New member, Messages: 21, Points: 1)
Originally posted by: Hassat Hunter said:
Seems this kind of abuse is starting to become more common, have a normal blockstorm:


And here are fakes:


Here's another dubious one, title and image don't match... but it's guaranteed???
I think guaranteed ones are messed up due to IG fault, it all happened when they had that bug with pages going from 0 to 85 (or any other) for no reason and giveaways redirecting to a totally different page so they don't have control over it since they take those games from their IG library. As for non-guaranteed, there users have total control over the links and thus it's them who change titles/links and abuse it.

raecer (Member, Messages: 46, Points: 6)
I think the main point is that something needs to be done code-wise. Bans don't discourage people that don't actually have some profile feedback to protect. For all we know, this user has multiple accounts.

When it comes to the procedure, indiegala only checks (for example) the list of disallowed games client-side and you can never trust the client to actually be truthful. When the server gets the request, then you must run some sort of validation on the data and see if it matches up to what you're expecting.

I've successfully posted legitimate trades to indiegala, without actually even using a browser. Needless to say, anything can be sent. It's up to the server to then process and clear it before posting giveaways.

I think we all want to avoid captchas and similar. It's bad for the user experience as well. Just be a bit more careful in the validation.

Edit: I know indiegala uses incapsula to protect their site from scraping but it can't be trusted to do everything. You can send trades/giveaways all day and never be bothered by it (although I hope this doesn't change since I post trades this way and the manual way is horrible work) :)
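The server-side check raecer is asking for, written as an added example (not Indiegala's code): every field the client "can't usually change" is re-derived from the appid and compared, and the disallowed list and level threshold are enforced on the server. The catalogue, the disallowed set and the image host are constructed stand-ins for whatever store lookup the real site would use.

```python
import re
from urllib.parse import urlparse

# Constructed catalogue standing in for a store lookup: appid -> (title, image URL)
CATALOG = {
    "1000": ("Constructed Game A", "https://img.example.invalid/1000/header.jpg"),
    "1001": ("Constructed Game B", "https://img.example.invalid/1001/header.jpg"),
    "1002": ("Constructed Game C", "https://img.example.invalid/1002/header.jpg"),
}
DISALLOWED_APPIDS = {"1002"}  # constructed: games that may not be given away

STEAM_APP_PATH = re.compile(r"^/app/(\d+)(?:/|$)")


def appid_from_steam_url(url):
    """Return the appid embedded in a Steam store URL, or None if it is not one."""
    parts = urlparse(url or "")
    if parts.scheme != "https" or parts.netloc != "store.steampowered.com":
        return None
    match = STEAM_APP_PATH.match(parts.path)
    return match.group(1) if match else None


def validate_giveaway(form, user_level):
    """Validate the giveaway fields from the thread against server-side truth.

    Returns a list of error strings; an empty list means the submission is clean.
    The client's copies of title, image and URL are compared, never trusted.
    """
    errors = []
    appid = str(form.get("gameid", ""))
    if appid not in CATALOG:
        return ["unknown gameid"]
    if appid in DISALLOWED_APPIDS:
        errors.append("game not allowed in giveaways")
    title, image = CATALOG[appid]
    if form.get("gametitle") != title:
        errors.append("gametitle does not match catalogue")
    if form.get("gameimg") != image:
        errors.append("gameimg does not match catalogue")
    if appid_from_steam_url(form.get("game_steam_url")) != appid:
        errors.append("game_steam_url does not resolve to gameid")
    try:
        if int(form.get("level_threshold", 0)) > user_level:
            errors.append("level_threshold above submitter's level")
    except ValueError:
        errors.append("level_threshold is not a number")
    return errors
```

Redundant fields such as gametitle and gameimg could simply be dropped from the request and filled in server-side from the appid, which removes the tampering surface instead of checking it.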

Wmply (Member, Messages: 69, Points: 8)
I have had a reply from Support -

"Thank you for letting us know about this, we forwarded your email to our technicians and they will look in to it as soon as possible."

So hopefully, things might get tweaked sooner rather than later.

raecer (Member, Messages: 46, Points: 6)
Thank you. Nice to see moderator activity on the forums again btw :) It really helps.

ZxC (New member, Messages: 12, Points: 0)
I also e-mailed the staff quickly regarding the issue, they gave me the same response. Hopefully the problem gets solved ASAP, I don't have a good feeling regarding the matter. They indeed need rock-solid security on user input validation.