NW.js Is Vulnerable (Developer Tools Can Be Accessed!)

Post reply
0 favourites
From the Asset Store
Crafts & Tools - Sound Effects
$9 USD
Make your craft game come to life with this sounds :D
Alan Dalcastagne's avatar
Alan Dalcastagne

  • Problem Description

    It is possible to access the developer tools by right clicking and inspecting form elements.

    Since inputboxes are mandatory for text input, users could inspect and "hack" their way through to the games mechanics. So this could be seen as a major security problem.

    Attach a Capx

    Get a basic example HERE.

    Description of Capx

    Includes the most common form elements that can be tested.

    Steps to Reproduce Bug

    • Open the capx or create a new project with any form element in it
    • Right click on one of the form elements
    • Click on "inspect" and gain full access to the developer tools

    Observed Result

    I was able to gain access to the developer tools and many more options.

    This could make it possible for users to run JS commands and other things.

    Expected Result

    Right clicking shouldn't open up any menu and should always be blocked!

    Affected Browsers

    • NW.js: (YES)

    Operating System and Service Pack

    Windows 7 with latest updates and up to date drivers.

    Construct 2 Version ID

    Newest release r233 Steam release. [Personal Edition]

    Additional maybe useful information:

    • NW.js version: v0.16.0 (Chromium 52)
    • Checked C2 data with the Steam software data check system (0 Errors Found)

  • Just export into a non-developer version of NWjs - ie the NORMAL and not the SDK options.

  • Just export into a non-developer version of NWjs - ie the NORMAL and not the SDK options.

    Thanks for the suggestion but I'm rather looking for actions to fix this problem and not for any workarounds.

  • Ok..... There is not a problem with c2 or NW.

    There are 2 versions of NW available - the one that comes with c2 is the developer (SDK) version. That version permits you to access the developer tools because - it's for developers. If you right click on the NORMAL version of NW then you cannot inspect / open the dev tools becasue they are not included in the build - they are not there to open.

  • Try Construct 3

    Develop games in your browser. Powerful, performant & highly capable.

    Try Now Construct 3 users don't see these ads

  • Ok..... There is not a problem with c2 or NW.

    There are 2 versions of NW available - the one that comes with c2 is the developer (SDK) version. That version permits you to access the developer tools because - it's for developers. If you right click on the NORMAL version of NW then you cannot inspect / open the dev tools becasue they are not included in the build - they are not there to open.

    I get it but why does C2 export the projects with the SDK version then?

    It makes no sense for me because I have no background information about all the processes.

    So I guess this could be turned into a must-have suggestion for exporting NW.js projects using the non-SDK version?

    Either way, the current situation is not acceptable for me and should be investigated by Ashley.

  • Closing as this is not really a vulnerability, it's no more a problem than the fact you can open Chrome dev tools on any page. It's there by design to help you diagnose any issues with your game, and includes the usual profiler, timeline etc. Even if you removed it, there are still easy ways to "hack" a game, it's not really relevant to that.

  • Closing as this is not really a vulnerability, it's no more a problem than the fact you can open Chrome dev tools on any page. It's there by design to help you diagnose any issues with your game, and includes the usual profiler, timeline etc. Even if you removed it, there are still easy ways to "hack" a game, it's not really relevant to that.

    Not really helpful but acceptable response.

    A well known community member going by the name of Madspy found a real solution for the problem, by simply adding "--disable-devtools" to a json file.

    I don't want to be rude but that's the kind of support that I would like to see.

  • TheRealDannyyy There's no need to worry about devtools. if you want to start worrying about people messing up with your game then open your "package.nw" with winrar (for Total Commander users just press enter on it or double click left mouse button) . NW.js does absolutely nothing to make your game and game assets secure. Everyone can in literally 2 seconds steal all your graphics, sounds, music, code etc.

  • TheRealDannyyy There's no need to worry about devtools. if you want to start worrying about people messing up with your game then open your "package.nw" with winrar (for Total Commander users just press enter on it or double click left mouse button) . NW.js does absolutely nothing to make your game and game assets secure. Everyone can in literally 2 seconds steal all your graphics, sounds, music, code etc.

    That is EXACTLY what we were talking about with Madspy yesterday, my assets are open for grabs basically.

    To be honest, I stopped caring about that for now as it seems like nothing will or can be done about that.

  • It's the same for html5 web exports, they just have to know where to look.

    In fact all someone needs to show your game somewhere else is to know where the index file is.

    Its up to the host to block that kind of thing, which of course may also limit the games functionality.

    Its up to you to sitelock your games, and of course they don't provide that information readily.

    Not sure htf you're supposed to do that with nwjs.

  • It's the same for html5 web exports, they just have to know where to look.

    In fact all someone needs to show your game somewhere else is to know where the index file is.

    Its up to the host to block that kind of thing, which of course may also limit the games functionality.

    Its up to you to sitelock your games, and of course they don't provide that information readily.

    Not sure htf you're supposed to do that with nwjs.

    Im my case only the NW.js part would be important.

    I find it very concerning that the exported end-product lacks in security, I hope that C3 brings changes to that.

    I remember a few years ago, I found a clever way of security for open art assets like these.

    It was some sort of software creator (cannot remember the name of it)

    and the way that their software handled this problem was by injecting a watermark layer to all art assets.

    So can guess the process was structured like this:

    1. Load asset with watermark

    2. Remove watermark

    3. Show asset inside the software without watermark

    I have no clue how they managed to create a system like that because I was unable to remove the watermark,

    using any kind of image editing software with layer support. (e.g. Photoshop, Paint.Net)

    I don't want to be rude with this suggestion either, I just want to give an example on how to secure assets.

  • I'm not sure what you think watermarking will do.

    People don't steal assets, they steal entire games.

  • I'm not sure what you think watermarking will do.

    People don't steal assets, they steal entire games.

    I want to secure my art assets, at least that way we could stop the "inexperienced" pirates from stealing and making their copy-cat games with our assets.

    You cannot stop advanced game pirates, that's impossible just look at the big guys with their AAA games and security systems, in which they invest thousands of dollars monthly.

    It took them like what, 4-5 months to crack their cryptions and security layers?

    Anyway, asking for fully "pirate save" C2 games would be too much I think.

  • TheRealDannyyy

    If you don't want to distribute in Steam then you could try Enigma Virtual Box as described in the NWjs Github repository (it will hide your NWjs files inside an exe file).

    As Ashley was informed in his question to the NWjs gurus here 2 years ago, there is no point in obfuscating or hiding any game assets - if your game can decrypt the assets then so can a hacker. Thus your best bet is to simply leave everything in the package.nw file, which will deter most casual investigators.

    As to if there is anything else you can do - that really depends on what sort of piracy you wish to prevent... But, if your game is on Steam then it can only be played on Steam - by registered Steam users - because the Steam plugin checks for a Steam client login. Thus any game you make for the Steam platform will only be played by people who have bought it.

  • ...

    As Ashley was informed in his question to the NWjs gurus here 2 years ago, there is no point in obfuscating or hiding any game assets - if your game can decrypt the assets then so can a hacker. Thus your best bet is to simply leave everything in the package.nw file, which will deter most casual investigators.

    Good to read that there was at least an attempt to prevent that.

    As to if there is anything else you can do - that really depends on what sort of piracy you wish to prevent... But, if your game is on Steam then it can only be played on Steam - by registered Steam users - because the Steam plugin checks for a Steam client login. Thus any game you make for the Steam platform will only be played by people who have bought it.

    And then there are fake Steam clients that only require the game files, however it's good to know that Madspy is giving the pirates a good fight, with his ways of protection inside his Steamworks plugin. I guess in the end I will have to rely on nice and honest customers, that support you and your games.

Post reply
Return to board index
Jump to:
Active Users
There are 1 visitors browsing this topic (0 users and 1 guests)