NW.js Is Vulnerable (Developer Tools Can Be Accessed!)

Bugs will be moved here once resolved.

Post » Sun Aug 14, 2016 2:59 pm

Problem Description
It is possible to access the developer tools by right clicking and inspecting form elements.
Since input boxes are mandatory for text input, users could inspect and "hack" their way through to the game's mechanics. So this could be seen as a major security problem.

Attach a Capx
Get a basic example HERE.

Description of Capx
Includes the most common form elements that can be tested.

Steps to Reproduce Bug
  • Open the capx or create a new project with any form element in it
  • Right click on one of the form elements
  • Click on "inspect" and gain full access to the developer tools

Observed Result
I was able to gain access to the developer tools and many more options.
This could make it possible for users to run JS commands and other things.

Expected Result
Right clicking shouldn't open up any menu and should always be blocked!

Affected Browsers
  • NW.js: (YES)

Operating System and Service Pack
Windows 7 with latest updates and up to date drivers.

Construct 2 Version ID
Newest release r233 Steam release. [Personal Edition]

Additional maybe useful information:
  • NW.js version: v0.16.0 (Chromium 52)
  • Checked C2 data with the Steam software data check system (0 Errors Found)

Post » Sun Aug 14, 2016 3:07 pm

Just export into a non-developer version of NWjs - i.e. the NORMAL and not the SDK options.
A big fan of JavaScript.

Post » Sun Aug 14, 2016 3:10 pm

Colludium wrote: Just export into a non-developer version of NWjs - i.e. the NORMAL and not the SDK options.

Thanks for the suggestion but I'm rather looking for actions to fix this problem and not for any workarounds.

Post » Sun Aug 14, 2016 3:23 pm

Ok..... There is not a problem with c2 or NW.

There are 2 versions of NW available - the one that comes with c2 is the developer (SDK) version. That version permits you to access the developer tools because - it's for developers. If you right click on the NORMAL version of NW then you cannot inspect / open the dev tools because they are not included in the build - they are not there to open.

Post » Sun Aug 14, 2016 3:43 pm

Colludium wrote: Ok..... There is not a problem with c2 or NW.

There are 2 versions of NW available - the one that comes with c2 is the developer (SDK) version. That version permits you to access the developer tools because - it's for developers. If you right click on the NORMAL version of NW then you cannot inspect / open the dev tools because they are not included in the build - they are not there to open.

I get it but why does C2 export the projects with the SDK version then?
It makes no sense for me because I have no background information about all the processes.

So I guess this could be turned into a must-have suggestion for exporting NW.js projects using the non-SDK version?
Either way, the current situation is not acceptable for me and should be investigated by Ashley.

Post » Mon Aug 15, 2016 10:33 am

Closing as this is not really a vulnerability, it's no more a problem than the fact you can open Chrome dev tools on any page. It's there by design to help you diagnose any issues with your game, and includes the usual profiler, timeline etc. Even if you removed it, there are still easy ways to "hack" a game, it's not really relevant to that.
Scirra Founder

Post » Mon Aug 15, 2016 11:28 am

Ashley wrote: Closing as this is not really a vulnerability, it's no more a problem than the fact you can open Chrome dev tools on any page. It's there by design to help you diagnose any issues with your game, and includes the usual profiler, timeline etc. Even if you removed it, there are still easy ways to "hack" a game, it's not really relevant to that.

Not really helpful but acceptable response.

A well known community member going by the name of Madspy found a real solution for the problem, by simply adding "--disable-devtools" to a json file.
I don't want to be rude but that's the kind of support that I would like to see.

Post » Mon Aug 15, 2016 1:41 pm

@TheRealDannyyy There's no need to worry about devtools. If you want to start worrying about people messing up with your game then open your "package.nw" with winrar (for Total Commander users just press enter on it or double click left mouse button). NW.js does absolutely nothing to make your game and game assets secure. Everyone can in literally 2 seconds steal all your graphics, sounds, music, code etc. :)
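An added example (not written by any poster in this thread or by Scirra): a release check that opens a package.nw as the plain zip archive described in the post above, lists what anyone can read from it, and reports whether the manifest carries the "--disable-devtools" flag mentioned earlier in the thread. It assumes the "json file" is the NW.js manifest package.json and its chromium-args field; the sample archive, its file names and the function names are constructed for illustration.

```python
import io
import json
import zipfile

DEVTOOLS_FLAG = "--disable-devtools"  # flag quoted in the thread


def build_sample_package(chromium_args=None):
    """Constructed stand-in for an exported package.nw (file names are made up)."""
    manifest = {"name": "demo-game", "main": "index.html"}
    if chromium_args is not None:
        manifest["chromium-args"] = chromium_args
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("package.json", json.dumps(manifest))
        z.writestr("index.html", "<html><body>game</body></html>")
        z.writestr("game.js", "// constructed placeholder for game logic")
        z.writestr("images/player.png", b"constructed placeholder bytes")
    return buf.getvalue()


def audit_package(data):
    """Report what a package.nw (given as bytes) exposes and how it is configured."""
    if not zipfile.is_zipfile(io.BytesIO(data)):
        raise ValueError("not a zip archive; not the package.nw layout assumed here")
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        files = [i.filename for i in z.infolist() if not i.is_dir()]
        # Bit 0 of the general-purpose flags marks a password-protected entry.
        encrypted = [i.filename for i in z.infolist() if i.flag_bits & 0x1]
        if "package.json" not in files:
            raise ValueError("package.json manifest missing")
        manifest = json.loads(z.read("package.json"))
    # chromium-args is a single space-separated string in the NW.js manifest.
    args = str(manifest.get("chromium-args", "")).split()
    return {
        "readable_files": sorted(set(files) - set(encrypted)),
        "devtools_flag_set": DEVTOOLS_FLAG in args,
    }


if __name__ == "__main__":
    for label, args in (("default export", None), ("with flag", DEVTOOLS_FLAG)):
        print(label, audit_package(build_sample_package(args)))
```

Even with the flag set, every file in the sample still appears under readable_files, which is the point made in the post above: hiding devtools does not protect the packaged assets.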

Post » Mon Aug 15, 2016 1:44 pm

shinkan wrote: @TheRealDannyyy There's no need to worry about devtools. If you want to start worrying about people messing up with your game then open your "package.nw" with winrar (for Total Commander users just press enter on it or double click left mouse button). NW.js does absolutely nothing to make your game and game assets secure. Everyone can in literally 2 seconds steal all your graphics, sounds, music, code etc. :)

That is EXACTLY what we were talking about with Madspy yesterday, my assets are open for grabs basically. :shock:
To be honest, I stopped caring about that for now as it seems like nothing will or can be done about that.

Post » Mon Aug 15, 2016 1:56 pm

It's the same for html5 web exports, they just have to know where to look.
In fact all someone needs to show your game somewhere else is to know where the index file is.
It's up to the host to block that kind of thing, which of course may also limit the game's functionality.
It's up to you to sitelock your games, and of course they don't provide that information readily.
Not sure htf you're supposed to do that with nwjs.