What not to do at the inspector
Updated 6 months ago
A quick example on what not to put in your property inspector values
A few nights ago I posted my first project on this website thinking that, at worst, I had opened myself to a tirade of criticism, but less than an hour after posting it I realized I had made a potentially big mistake. The property inspector is a fundamental tool for Unity devs; we all use it when working with our objects and overriding the serialized data from our scripts. The problem I caught myself making, however, is one I've since figured is a pretty bad idea, and it extends to plenty of other things: putting an authorization token for an API into an inspector field. In this case it was the Twitch API, which requires you to supply multiple parameters when connecting, one of them being the "Oauth" token that grants access to the API.
After realizing this blunder I tried to see whether I could actually recover this token from my exported Unity project, in a semi-realistic attacker way. I first used a C# decompiler called dotPeek to see if I could find the serialized data in the .dll files themselves.
First I checked out "Assembly-CSharp.dll" in the data folder to see what info a potential attacker could get. For those who don't know, this is where all your scripts end up when you export your project as an executable. I didn't expect to find any serialized data there, but hey!
From here we can just double click the name to decompile the script itself and reveal all the code that we're not supposed to see.
Looks like .NET even keeps the variable names intact! From here it's just a matter of reading through to some network code to verify that it's sending the OAuth token in the proper format.
Now it's just a question of finding where the serialized string is. Having read through the Twitch API documents, we can see that in order to authenticate one must prefix their token with "Oauth:", and from looking at the code the prefix is not being added inside the script itself, meaning that the prefix is stored somewhere with the rest of the token in the exported project. After a bit of string searching through the files I came to a file called 'level1' containing the proper prefix. The data is even in plaintext, so someone with nothing more than Notepad could find it with ease.
There it is! My personal token for the world to see! There are of course remedies for problems like this; the fix in this case is simply getting the user to input their own token. However, I'm now wondering what can be obtained from other Unity projects posted with a lack of regard for security. This writeup wasn't very exhaustive and is only a bare-bones example of why using serialized data from the property inspector could potentially harm the author of a project.
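To make the remedy concrete, here is an added example (not code from the original post or from the Twitch Wars project) showing the inspector pattern that leaks the token beside a version that keeps it out of the build entirely. It assumes a Unity UI `InputField` for the user to paste their own token into, a hypothetical `OnConnectClicked` handler, and that the chat login prefix is `oauth:`, which should be checked against the current Twitch documentation.

```csharp
using System;
using UnityEngine;
using UnityEngine.UI;

// Added example, not part of the original post or project.

// BEFORE: whatever is typed into this inspector field is serialized into the scene
// and ends up in the exported build (the 'level1' file in the post) as plaintext.
public class TwitchLoginLeaky : MonoBehaviour
{
    [SerializeField] private string oauthToken = "";   // filled in via the inspector -> ships with the build

#if UNITY_EDITOR
    // Editor-only guard: loudly refuse a non-empty secret in a serialized field so the
    // mistake is caught before the project is ever exported.
    private void OnValidate()
    {
        if (!string.IsNullOrEmpty(oauthToken))
            Debug.LogError($"{nameof(oauthToken)} is serialized and will be shipped in the build. Clear it.", this);
    }
#endif
}

// AFTER: nothing secret is serialized; the token comes from the user at runtime.
public class TwitchLoginSafe : MonoBehaviour
{
    // Assumed prefix for Twitch chat login; verify against the Twitch docs.
    private const string OauthPrefix = "oauth:";

    // The inspector only holds UI wiring (hypothetical field name), never credentials.
    [SerializeField] private InputField tokenInput;

    // [NonSerialized] guarantees Unity never writes this field into a scene or prefab,
    // even if it is later made public or tagged [SerializeField] by mistake.
    [NonSerialized] private string runtimeToken;

    // Hypothetical button handler: read the token the user typed and hand it on.
    public void OnConnectClicked()
    {
        runtimeToken = NormalizeToken(tokenInput.text);
        if (runtimeToken == null)
        {
            Debug.LogWarning("No token entered; not connecting.");
            return;
        }
        // ... pass runtimeToken to the IRC/API client here, never to a serialized field
    }

    // Accepts a token with or without the prefix, trims whitespace and rejects empty input,
    // so the user can paste either form and the build never needs a hard-coded value.
    public static string NormalizeToken(string raw)
    {
        if (string.IsNullOrWhiteSpace(raw)) return null;
        string t = raw.Trim();
        return t.StartsWith(OauthPrefix, StringComparison.OrdinalIgnoreCase)
            ? OauthPrefix + t.Substring(OauthPrefix.Length)
            : OauthPrefix + t;
    }

    // Drop the reference when the object goes away so the token does not outlive its use.
    private void OnDestroy()
    {
        runtimeToken = null;
    }
}
```

The two points worth taking from this are that the inspector is a serialization surface, so any field it shows is data that ships, and that the editor-only `OnValidate` check lets the project complain about a filled-in secret long before anyone runs a string search over the exported files.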
Here is a link to the decompiler I used: https://www.jetbrains.com/decompiler/ Also a link to the updated project I found this problem on: https://connect.unity.com/p/twitch-wars-v1-0
Thomas Harrod
Unity Software Developer/Freelancer - Student