Cheating through the javascript console #90
Description
The answers to questions can be accessed through the javascript console, for example
$o.answer
Will show the answer in the console.
Users are able to take advantage of this by buzzing immediately or after 1-2 words have been read. They can also circumvent the ban hammer by stealing 4-5 questions, waiting for a while, and repeating. Furthermore, even if they are successfully banned, they can simply get back in using a VPN or something and continue disrupting the experience for others.
Today was the second time I have encountered such a kind of cheater, so I was curious to see how they did it. I found the above trick almost immediately, and I wouldn't be surprised if there were other ways to exploit the console.
Some suggestions:
- Allow buzzing in immediately before even a word of the question is read and answering correctly to be a bannable offense.
- Don't store the answer in a string that is attached to some global object, or at least somehow obfuscate the string so that its not immediately obvious what the answer is. I bet that making it even slightly more inconvenient to find the answer would dissuade 99% of console cheaters. It definitely doesn't have to be any kind of super secure complicated encryption or anything.
Are you open to pull requests? I'd be interested in trying to contribute. Otherwise, I just wanted to make you aware of this small little exploit so you can resolve it on your own time if you wish.
Also, I just wanted to say thank you for your work. Protobowl is super fun and a nice tool for reviewing and staying sharp on things. I highly appreciate it!