Facebook Apps are annoying. Most of them at least. I’ve added a few for fun, but will probably remove most of them in the future. One such App is the Pets application. Its behaviour is two-fold: on the one hand it’s a pet that you can show off on your page (not really — see 2nd point), and you can also dress it up in armor and weapons by fighting monsters and leveling it up (RPG aspect).
It’s not a very sophisticated RPG, and after playing it a while I basically understand how it was implemented. The game relies heavily on equipment as it provides you with damage and armor. The damage you deal is basically within a range minus your opponent’s armor. I have a pet whose armor is decently high, but damage is quite low; so in order to kill enemies, I have to click many, many times (you click once for an attack and another time for defend). It is because of this endless clicking that I got pissed off and decided to hack the game.
One of the problems with these Facebook Apps is that a ton of people are using them at the same time; usually that overloads the server. So when you design the app, you probably want to minimize the number of requests to the server. If you’re building a fighting app which involves tens of clicks each battle, you probably don’t want to ask the server for information on each attack. After some investigation, I found out I was right; Pets computes its fight results on the local computer. After that, it was an easy jump to execute some JavaScript to instantly kill any monster I faced.
Anyways, the moral of the story is to never execute secure code client side; you can’t obfuscate security, as someone will spend some time and hack it.
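A sketch of the server-side alternative, as an added example that is not code from this post or from the Pets app: the client sends only its list of clicks for a whole battle in one request, and the server replays them against its own stored stats and its own dice, so the request count stays low without trusting the browser. The pet and monster stats, the field names and the "defend halves damage" rule are assumptions made for the sketch.

```javascript
// Server-held stats (constructed sample data); clients can never write these.
const PETS = new Map([["pet-1", { hp: 40, armor: 6, minDmg: 3, maxDmg: 8 }]]);
const MONSTERS = new Map([["slime", { hp: 25, armor: 2, minDmg: 4, maxDmg: 9 }]]);
const MAX_ACTIONS = 200; // assumed cap so one request cannot loop forever

// Damage as the post describes it: a roll within a range, minus the target's armor.
function rollDamage(attacker, target, rng) {
  const span = attacker.maxDmg - attacker.minDmg + 1;
  const roll = attacker.minDmg + Math.floor(rng() * span);
  return Math.max(0, roll - target.armor);
}

// Resolve a whole battle from ONE request. Only petId, monsterId and actions
// are read; any "winner" or "damage" field the client adds is never looked at.
// rng is injectable for testing; the server, not the browser, supplies it.
function resolveBattle(request, rng = Math.random) {
  const pet = PETS.get(request.petId);
  const monster = MONSTERS.get(request.monsterId);
  if (!pet || !monster) return { ok: false, error: "unknown pet or monster" };

  const actions = request.actions;
  const valid = Array.isArray(actions) && actions.length > 0 &&
    actions.length <= MAX_ACTIONS &&
    actions.every((a) => a === "attack" || a === "defend");
  if (!valid) return { ok: false, error: "invalid action list" };

  let petHp = pet.hp, monsterHp = monster.hp, rounds = 0;
  for (const action of actions) {
    rounds++;
    if (action === "attack") monsterHp -= rollDamage(pet, monster, rng);
    if (monsterHp <= 0) return { ok: true, winner: "pet", rounds };
    // Assumed rule: defending halves the monster's hit for that round.
    const hit = rollDamage(monster, pet, rng);
    petHp -= action === "defend" ? Math.floor(hit / 2) : hit;
    if (petHp <= 0) return { ok: true, winner: "monster", rounds };
  }
  return { ok: true, winner: null, rounds }; // clicks ran out before a kill
}
```

Rewards, experience and loot would be granted from the object `resolveBattle` returns, never from anything in the request body.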
Hi! and welcome to the eclectic personal blog of Kevin Quan. Come in, stay awhile, peek into the nooks & crannies, and learn a bit about me and my interests.