
I am building a game similar to HQ Trivia in which, when someone gives all the correct answers at the end of the game, he or she gets money sent to their PayPal account. My concern is obviously security.

The game will send an HTTPS request to a backend API, which will then make a request to the PayPal API and make a payment of X dollars to the player's PayPal account.

How do I protect the game from someone sending fraudulent manual HTTP requests to the backend API, and consequently sending, let's say, 1M transactions of $10 to their own PayPal account?

These are some security layers I came up with so far:

- CSRF
- Human interaction accepting or declining every payment before taking place
- Algorithm to filter consequent HTTP requests from the same IP or to the same PayPal account

I assume not, but would that be enough?

human
  • In short: From the question it looks as if the game logic is currently implemented in the client and that the client also decides when a payment will be done. But you don't have full control over the client, so you cannot trust the client. The essential logic of the game (answer correct or wrong, how many attempts...) and the rules when payments will be done should all be implemented at the server side and the client should never be trusted. – Steffen Ullrich Oct 06 '18 at 09:14
  • There's a lot to unpack here. What is the game made in? Flash? Android/iPhone native? JavaScript? Desktop native app? If I have an HTTPS interception proxy, am I going to see your magic payment request? Seems like you would be better off saving the winners to a DB, then having some person review the payments before they get batch processed. You may want to check with PayPal that this is allowed under their ToS. They are quick to lock accounts doing strange stuff. – Daisetsu Oct 06 '18 at 14:56
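
A sketch of the server-side approach the comments describe, as an added example that is not part of the original thread: the backend holds the answer key, scores the answers itself, fixes the prize amount, and queues at most one payout per player and per PayPal account in each game for manual review. The class, method names, in-memory storage and sample data are hypothetical, and `player_id` is assumed to come from an authenticated session.

```python
# Added example: all names and the in-memory storage are hypothetical.
class TriviaBackend:
    def __init__(self, answer_key, prize_cents):
        self._answer_key = dict(answer_key)  # question id -> correct choice; never sent to the client
        self._prize_cents = prize_cents      # fixed server-side; a request cannot set the amount
        self._answers = {}                   # (game_id, player_id) -> {question id: choice}
        self.payout_queue = {}               # (game_id, player_id) -> record awaiting human review
        self._queued_accounts = set()        # (game_id, paypal_account) already queued

    def submit_answer(self, game_id, player_id, question_id, choice):
        """Record one answer. player_id is assumed to come from the authenticated session."""
        if question_id not in self._answer_key:
            raise ValueError("unknown question")
        given = self._answers.setdefault((game_id, player_id), {})
        # First answer wins, so a replayed request cannot overwrite a wrong answer.
        given.setdefault(question_id, choice)

    def claim_prize(self, game_id, player_id, paypal_account):
        """Decide the payout from server-side state only; returns a status string."""
        key = (game_id, player_id)
        given = self._answers.get(key, {})
        if any(given.get(q) != c for q, c in self._answer_key.items()):
            return "not_a_winner"
        if key in self.payout_queue or (game_id, paypal_account) in self._queued_accounts:
            return "already_queued"
        self._queued_accounts.add((game_id, paypal_account))
        # Nothing is paid here: a reviewer approves the queue before any batch payout.
        self.payout_queue[key] = {"account": paypal_account,
                                  "amount_cents": self._prize_cents,
                                  "status": "pending_review"}
        return "queued_for_review"


def demo():
    backend = TriviaBackend({"q1": "b", "q2": "d"}, prize_cents=1000)  # constructed sample game
    results = [backend.claim_prize("g1", "mallory", "m@example.test")]  # claim with no answers on record
    for question_id, choice in (("q1", "b"), ("q2", "d")):
        backend.submit_answer("g1", "alice", question_id, choice)
    results.append(backend.claim_prize("g1", "alice", "a@example.test"))
    results.append(backend.claim_prize("g1", "alice", "a@example.test"))  # replayed claim
    return results, len(backend.payout_queue)


if __name__ == "__main__":
    print(demo())
```
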
