-
@MSFTMVP Bah! If you are smart enough to beat the system, you deserve to beat the system.
-
Isn't it unethical for HP employees to steal from their clients? They cheated to win the prize, and should not have accepted the food.
But then again, maybe that's how HP operates.
-
nommz nommz noomz! YAY HP!
-
uhm 30%.. nevermind... I don't think you could play inside the store to win expensive prizes..
-
95% odds this was Carl's JR's new website. I remember a notice at their stores mentioning being unable to accept some sort of coupons printed from the internet.. From what I had read I thought of them being hacked right away. lol
-
You can't create a game that can't be cheated this way, because the model is flawed. Code running on the client computer decides if the client wins a cheezburger; such code can always be subverted by a malicious user. The only way to secure it is to make it so that only a computer you trust decides if the client wins a cheezburger, based on information you trust.
That being said, if the malicious user has to decompile the SWF and steal your shared secret, you've gone as far as you need to.
-
Is there anything the restaurant could have done to avoid this though? In fact, I don't see any way around this at all, even out of Flash. At some point, the server needs information about the gamestate, in order to determine when to send a coupon. This is inherently insecure. Even if you post gamestates every milestone in the game, this can be duplicated. There's nothing you can do. That said, I'd love to hear otherwise.
-
Push Buttan, reciev bakon cheezburger
-
@dln Sure, but the parent's point is that the restaurant probably doesn't care. They'll save more by having the game made cheaply and occasionally losing out, than they would building the thing properly.
Your point stands though - it's just this is a facetious example.
All he needs is a sign, "Will crack for food." Nice job.
dennislbrown 2 years ago 5
An easy solution would be to use a session key and encrypt the gamestate and let the server decide if you won. Use Diffie-Hellman Key Exchange to get the session key, and as an extra layer of security, prevent you from winning more than X times in Y minutes. If you decompiled the game, you'd still be able to fake the key exchange, but at least the server decides if you won and not the game. And you can't use `strings` to find the shared secret either.
ZiggyTheHamster 2 years ago 2
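The server-side model suggested in the comments above (the server decides who wins, with at most X wins per Y minutes), sketched as an added example that is not part of the original thread or of the game it discusses. The class name `PrizeServer`, the coupon format and the HMAC-signed, single-use coupon are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time
from collections import defaultdict, deque


class PrizeServer:
    """The client only asks to play; it never reports a score or a result."""

    def __init__(self, max_wins, window_seconds, win_probability,
                 rng=None, clock=time.monotonic):
        self._key = secrets.token_bytes(32)   # lives on the server, never in the client
        self.max_wins = max_wins              # "X times"
        self.window = window_seconds          # "in Y minutes", expressed in seconds
        self.win_probability = win_probability
        self._rng = rng or secrets.SystemRandom()
        self._clock = clock
        self._wins = defaultdict(deque)       # client id -> timestamps of recent wins
        self._redeemed = set()                # coupon bodies already honoured

    def _sign(self, body):
        return hmac.new(self._key, body.encode(), hashlib.sha256).hexdigest()

    def play(self, client_id):
        """Return a signed coupon if the server decides this round wins, else None."""
        now = self._clock()
        recent = self._wins[client_id]
        while recent and now - recent[0] >= self.window:
            recent.popleft()                  # forget wins that left the window
        if len(recent) >= self.max_wins:
            return None                       # rate limit reached for this client
        if self._rng.random() >= self.win_probability:
            return None                       # server-side roll lost
        recent.append(now)
        body = f"{client_id}:{secrets.token_hex(8)}"
        return f"{body}:{self._sign(body)}"

    def redeem(self, coupon):
        """Accept a coupon once, and only if this server signed it."""
        body, _, tag = coupon.rpartition(":")
        if not hmac.compare_digest(tag.encode(), self._sign(body).encode()):
            return False                      # forged or altered coupon
        if body in self._redeemed:
            return False                      # replay of a coupon already used
        self._redeemed.add(body)
        return True


if __name__ == "__main__":
    server = PrizeServer(max_wins=2, window_seconds=600, win_probability=0.3)
    print([server.play("client-1") is not None for _ in range(10)])
```

Keying the limit on a client id only helps if that id is itself hard to mint in bulk; the sketch leaves that choice to the deployment.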