I have a simple racing game which uses the EasyLeaderboard plugin to post the scores to a MySQL Database.
I am running a competition with prizes.
I have noticed a few entries which must be fake, because the times the users have recorded are impossible.
Does anyone have any clue as to how someone would change a score - I've opened up developer tools in the browser, and the score is nowhere to be seen, so can't be changed there.
I don't know where to start?!
If you are giving valuable prizes for best scores, you should not use services like this. You don't even need to be a "hacker" to submit a fake score; there are tools and apps that make this job really easy.
The prize is fairly valuable, yes. I just assumed that it would be reasonably secure.
Are there any techniques to minimise this?
You can generate a hashed string from the score value and send it together with the score. Then validate this hash to check if the score is valid. I don't know if EasyLeaderboard allows this, though. Still, this will not protect from an experienced hacker.
Hmm, OK, thanks for the advice.
Are you sending it using a simple Ajax Post with User+Score?
No - it uses a PHP script which came with the leaderboard plugin I bought.
There is more than one way to do that: it's possible to edit the element to change the score amount so your game will post it as a normal/valid score, or they can even find the URL of your leaderboard and post scores.
The leaderboard only exists within the game - it's called back in via Ajax.
So annoying. I can tell they are fake because the times they are submitting are impossible!
They are not hacking the leaderboard. They are posting fake HTTP requests with fake scores to the leaderboard. You can't do anything to prevent this. The only solution I know of is to encrypt/hash the scores, but this can still be hacked.
I remembered a story I witnessed a few years ago. A big international travel organization held a contest on their Facebook page. Every day they posted a video clip filled with small clues about some place anywhere on Earth, and you had to find and tag this place on Google Maps. They were giving $1000 to the fastest winner every day and a grand prize of $10.000 on the final day.
I tried my luck a couple of times and it took me about 1-2 hours to find the place. The winning times were under 1 minute! It was impossible to even watch the entire video in 1 minute! So people were obviously cheating. The organizers ignored these accusations until someone posted detailed instructions describing how their contest was hacked. Needless to say, thousands of people who spent days trying to win money were furious.
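The "send a hash with the score and validate it" idea suggested in the thread, as an added example that is not from any poster and is not EasyLeaderboard's code: a server-side check that combines a keyed hash (HMAC) with a single-use race nonce and a plausibility floor, so that a request forged with a key extracted from the game is still rejected when the time is impossible. Node.js stands in for the plugin's PHP script; the key, the 42-second floor, the field names and the function names are all assumptions made for illustration.

```javascript
// Added example: server-side validation of a submitted race time.
const crypto = require('node:crypto');

// Assumptions (not from the thread): key, floor and field names are illustrative.
const SHARED_KEY = 'constructed-demo-key'; // ships inside the game, so it can be extracted
const MIN_POSSIBLE_MS = 42000;             // fastest time the track physically allows

const issued = new Map(); // nonce -> server time (ms) when the race started

// Canonical string both sides sign; the nonce ties the tag to one race.
function sign(nonce, player, timeMs) {
  return crypto.createHmac('sha256', SHARED_KEY)
    .update(`${nonce}|${player}|${timeMs}`).digest('hex');
}

// Called when the game starts a race: hands out a single-use nonce.
function startRace(now) {
  const nonce = crypto.randomBytes(16).toString('hex');
  issued.set(nonce, now);
  return nonce;
}

// Called by the score endpoint. Returns 'ok' or the reason for rejection.
function submitScore({ nonce, player, timeMs, tag }, now) {
  if (!Number.isInteger(timeMs) || typeof tag !== 'string') return 'malformed';
  const startedAt = issued.get(nonce);
  if (startedAt === undefined) return 'unknown-or-replayed-nonce';
  const expected = Buffer.from(sign(nonce, player, timeMs), 'hex');
  const given = Buffer.from(tag, 'hex');
  if (given.length !== expected.length ||
      !crypto.timingSafeEqual(given, expected)) return 'bad-tag';
  issued.delete(nonce); // single use: a captured request cannot be resent
  if (timeMs < MIN_POSSIBLE_MS) return 'impossible-time';
  if (timeMs > now - startedAt) return 'time-exceeds-elapsed';
  return 'ok';
}
```

The last two checks do not depend on the key staying secret, which is why they still hold in the case the posters warn about; rejected submissions are worth logging with the reason so fake entries can be reviewed before prizes are awarded.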