
Firebase - Allows direct access to modify your campaign

As a fellow web developer I wanted to poke around the client-side code to see what it might tell me. After looking at Firebase I found that anyone with knowledge of how your game is stored will be able to edit, modify, and even delete your campaign. The worst part is the fact that you don't even have to be a part of the game to do this! Look at the source of the page: Find the variable: campaign_storage_path, whatever this is, this will be added to create a URL that will look something like this: http://gamma.firebase.com/roll20/campaign-123-IchangedThisPath Then you will get an interface from which you can edit, delete, and even add data without talking to roll20.net. Even if the edit page was removed from public access (hopefully you can whitelist IPs or something) anyone with a little JavaScript knowledge can use the above information to create their own program locally, live editing the browser, or faking requests to Firebase to wreck someone else's campaign. HOWEVER this has an upside because this means that programmers like me can hook into Firebase to modify the contents like an API, kinda sorta like I was asking for at http://community.roll20.net/discussion/358/api-structure-suggestions
See answer #1 in http://www.firebase.com/faq.html
This is one of those "I figured someone would poke around and find it eventually" sort of things. The campaign storage path is like a really long password for your campaign. It's extremely secure. You are correct in that someone with that information could potentially modify or delete your campaign. However, that same person would already be in the game with you in the first place, so that's not exactly a new ability/security hole at that point. As Henry has pointed out, there are additional tools incoming from the Firebase folks that should allow me to lock this down further or turn it off entirely. But as you point out, it does make for a really cool way for us to build an API or give you access to the underlying data behind your campaign. So we're not exactly sure what we're going to do with it yet. It may actually end up being a net positive. But for any non-technical folks out there, I would just point out that this doesn't allow "anyone" to edit or destroy your campaign, since you need the campaign storage key first, and it's something that you can only get by actually joining the game in the first place (and I can assure you, there are easier ways to destroy a campaign than this if it's someone that's already a participant). We also take full snapshots of all campaigns every 12 hours, so if something does happen to your campaign, rest assured that all hope is not lost (just get in contact with us and we can restore it for you).
In addition, Blazedd, in the future we would appreciate it if you would notify us privately and give us time to fix anything that you think is a security issue (even though this isn't really, it seems like you thought it was based on your title and post content). That's common courtesy, especially given that this is a beta where we *expect* to find bugs and security holes.
Sorry if I brought this to surface where you didn't want it, I just thought that other tech folks might want to chime in or know the ability to use that interface. Personally I like to know because I was able to make a JSON backup that I am in control of locally.
"Sorry if I brought this to surface where you didn't want it," As I said, we were considering basing a public API around this capability, so it's not like I'm trying to hide the fact that it's there. I'm just asking that in the future if you find something you think could negatively impact your fellow users, you point it out to us privately first so we have time to fix it. Thanks.
I haven't looked at Firebase at all but is there any way to have GM vs player keys to access the data with associated restrictions?
Eric-- Depending on when Firebase implements security, maaaaybe? But right now... basically it's a set of tools that is far, far beyond the basic user that most people wouldn't even know how to find let alone impact. If your players aren't dedicated coders, they probably won't be messing with this.
Yeah, I just had fun poking around on the site, looks like a pretty sweet tool that I'm adding to my list of cool utilities. I'd be more worried if you didn't have backups but since that exists I'm happy :)
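
Eric's GM-versus-player question, sketched as an added example (not from any post in the thread, and not Roll20's configuration) using the Realtime Database security rules that Firebase shipped after this discussion. The campaigns/<id>/members/<uid> layout, the "gm" and "player" role values, and the map, tokens and chat nodes are assumptions for illustration; Firebase's rules files accept the // comments used here.

```json
{
  "rules": {
    // Default deny. Open rules (".read": true, ".write": true) here would
    // reproduce the thread's situation: knowing the path is enough to edit.
    ".read": false,
    ".write": false,
    "campaigns": {
      "$campaignId": {
        // Assumed layout: members/<uid> holds "gm" or "player".
        // Only listed members may read the campaign.
        ".read": "auth != null && root.child('campaigns').child($campaignId).child('members').child(auth.uid).exists()",
        "members": {
          // Membership is written by the server only; admin credentials
          // bypass these rules, client connections do not.
          ".write": false
        },
        "map": {
          // Only the GM edits the map.
          ".write": "auth != null && root.child('campaigns').child($campaignId).child('members').child(auth.uid).val() === 'gm'"
        },
        "tokens": {
          "$tokenId": {
            // GM may do anything; a player may update, but not delete or
            // reassign, a token whose owner field is their own uid.
            ".write": "auth != null && (root.child('campaigns').child($campaignId).child('members').child(auth.uid).val() === 'gm' || (data.child('owner').val() === auth.uid && newData.child('owner').val() === auth.uid))"
          }
        },
        "chat": {
          "$messageId": {
            // Any member may append a message under their own uid;
            // existing messages cannot be edited or deleted.
            ".write": "auth != null && !data.exists() && newData.child('author').val() === auth.uid && root.child('campaigns').child($campaignId).child('members').child(auth.uid).exists()"
          }
        }
      }
    }
  }
}
```

Rules grant access downward and a deeper rule cannot revoke it, which is why write access is set per child node rather than on the campaign as a whole.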