AWS Realtime scripts possible security issues

In my quest to learn the realtime scripts I've discovered a possible serious security issue with the AWS realtime script source. If a client connects to the server but never sends a login packet, the server will still forward any messages from that client to other connected clients; the server fills in the peerID automatically based on the peerID the server was expecting to give the fake client, so they can effectively masquerade as a fake player.

This means the OnSend callback needs to also be checking that the peerID is a valid connected player, but the default implementation does not do this check. In my opinion the server code itself should already be doing this check before it reaches developer code.


Thanks for this. Am looping in the GameLift service team so they can respond.


Hey @slicer4ever, thanks for pointing out this issue.

You’re correct that RealTime Servers currently does not perform checks that the PeerId belongs to a valid PlayerSession while receiving/sending messages. I’ve created a request with the GameLift team to update the RealTime Server to validate this. RealTime Server Validation of the PlayerSession is currently only performed after receiving a LOGIN packet, and if the client does not send a LOGIN packet (a client that is not using the default implementation of the RealTime Client SDK), they can continue to send messages without further validation.

As you've suggested in your post, the current recommendation for developers is to add checks that the sender PeerId belongs to a valid session to the server script callbacks (e.g. onSendToPlayer, onMessage).
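One way to implement the check recommended above in a Realtime Servers script, as an added example that is not code from the thread or from AWS: the script records a peerId only when onPlayerAccepted fires (which happens after the server has validated the LOGIN against a PlayerSession), and onSendToPlayer / onMessage refuse anything whose sender, or relay target, is not in that set. The callback names (onPlayerAccepted, onPlayerDisconnect, onSendToPlayer, onMessage), the player field peerId and the message fields sender/targetPlayer/opCode/payload are assumed from the Realtime script API; the scenario at the bottom is constructed, not captured traffic.

```javascript
'use strict';
// Added example of a sender-validity check for a GameLift Realtime Servers
// script. Callback and field names are assumed from the Realtime script API;
// this is not the AWS sample script.

// peerIds that have completed LOGIN. onPlayerAccepted is assumed to fire only
// after the server validated the PlayerSession, so membership here means
// "real, logged-in player" rather than "some open socket the server numbered".
const loggedInPeers = new Set();

function onPlayerAccepted(player) {
  loggedInPeers.add(player.peerId);
}

function onPlayerDisconnect(peerId) {
  // Harmless for a peer that never logged in: delete on a missing key is a no-op.
  loggedInPeers.delete(peerId);
}

// The check every relay / message-handling callback runs first.
function isLoggedInPeer(peerId) {
  return Number.isInteger(peerId) && loggedInPeers.has(peerId);
}

// Returning false from onSendToPlayer is assumed to make the server drop the relay.
// Both ends are checked: a sender that never logged in is rejected, and so is a
// target that is not a logged-in player (a half-open connection that only has a
// server-assigned peerId should not receive game traffic either).
function onSendToPlayer(gameMessage) {
  if (!isLoggedInPeer(gameMessage.sender)) {
    return false;
  }
  return isLoggedInPeer(gameMessage.targetPlayer);
}

// Server-bound messages: ignore anything whose sender never logged in.
// Returns whether the message was accepted so the decision is observable.
function onMessage(gameMessage) {
  if (!isLoggedInPeer(gameMessage.sender)) {
    return false;
  }
  // Game-specific opCode handling would go here.
  return true;
}

// Constructed scenario: peer 1 logs in; peer 2 connects but never sends LOGIN
// and tries to relay a message to peer 1 using the peerId the server gave it.
function simulateUnauthenticatedPeer() {
  loggedInPeers.clear();
  onPlayerAccepted({ peerId: 1, playerSessionId: 'psess-1' });
  const spoofed = { sender: 2, targetPlayer: 1, opCode: 100, payload: 'hello' };
  const results = {
    relayDropped: onSendToPlayer(spoofed),  // false: sender 2 never logged in
    messageIgnored: onMessage(spoofed),     // false: same reason
  };
  // Peer 2 now completes LOGIN; the same message is legitimate.
  onPlayerAccepted({ peerId: 2, playerSessionId: 'psess-2' });
  results.relayAfterLogin = onSendToPlayer(spoofed);  // true
  // Peer 1 leaves; relaying to a departed target is refused as well.
  onPlayerDisconnect(1);
  results.relayToGoneTarget = onSendToPlayer(spoofed);  // false
  return results;
}

// Realtime scripts export their callbacks on `exports`.
exports.onPlayerAccepted = onPlayerAccepted;
exports.onPlayerDisconnect = onPlayerDisconnect;
exports.onSendToPlayer = onSendToPlayer;
exports.onMessage = onMessage;
exports.isLoggedInPeer = isLoggedInPeer;
exports.simulateUnauthenticatedPeer = simulateUnauthenticatedPeer;
```

The set is keyed on peerId because that is what onSendToPlayer and onMessage receive as the sender; if the script also keeps per-player state (the PlayerSession id, team, etc.), store it in a Map keyed the same way and treat absence from that map as "not logged in" so the two bookkeeping structures cannot drift apart.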