mudzereli Posted June 24, 2014

Hi all,

I am working on a small stats project for DayZ Epoch and was wondering if it's generally considered safe to show the UID of every player?

I don't think there is any harm in displaying this but some people may disagree.

I suppose someone could use it to look up another player and ban them from another server etc.

Here is an example of the site -- http://stats.mudzereli.com/#/players

icomrade Posted June 24, 2014

Be sure you require secure ID verification! Otherwise the UID of players can be spoofed.

requiredSecureId = 2;

I'd say it's not necessary for a client to know everyone's UID for their stats.

mudzereli (Author) Posted June 24, 2014

> Useless but can't really be dangerous..

Thank you for confirming that it can't really be dangerous. I didn't think it could be but wanted to make sure.

I disagree that it's useless because if you have a donation system/etc set up on your site where the player needs to lookup/enter their PlayerUID, then they could easily do that.

mudzereli (Author) Posted June 24, 2014

> Be sure you require secure ID verification! Otherwise the UID of players can be spoofed.
>
> requiredSecureId = 2;
>
> I'd say it's not necessary for a client to know everyone's UID for their stats.

Thanks for the info. You are right about the second part. I think I will just leave it on the tooltip and take it off everywhere else. That way it isn't displayed everywhere but since it appears to be harmless to show, it can be seen if needed.

My main concern is just making sure I keep things secure for the players.

TheVampire Posted June 24, 2014

I would still not show it as it is still unique to your client. If someone knew what it was, they could ban you from their server in the code side of things. Unlike the GUID BattlEye accesses, they cannot steal your "account" though.

icomrade Posted June 24, 2014

> I would still not show it as it is still unique to your client. If someone knew what it was, they could ban you from their server in the code side of things. Unlike the GUID BattlEye accesses, they cannot steal your "account" though.

UID spoofing is very real (I've seen it myself). Hence why it is extremely important to use the above server config option.

A GUID is much different than your UID. A UID may very well be unique (each key has its tied UID) but in no way is a UID generated from a key, so it cannot be reversed to the tied key. A GUID on the other hand is generated by the BE Server from a hash of your key; as far as I know there is no known way to reliably reverse this unless you brute force the GUID. Any server admin should be aware of the BE chat command that any client can use to return a player list complete with GUIDs (this is how I ID name changers in my server as a client).

Beginning with the Steam MP lobby betas (124879) your game will need to be launched through Steam and you must actually own the key you play on.

Sven2157 Posted June 24, 2014

> Thank you for confirming that it can't really be dangerous. I didn't think it could be but wanted to make sure.

That's sarcasm, right?

mudzereli (Author) Posted June 24, 2014

icomrade,

Thanks for the info, that's pretty much exactly what I was looking for. I was a bit concerned about this but I didn't think they would possibly store a hash of the key on the database of every server you play on.

> That's sarcasm, right?

No. Why would I be sarcastic? I am making a stats page (link above) and I wanted to see if displaying this information from the database could pose some sort of security risk.

hambeast Posted June 24, 2014

> I would still not show it as it is still unique to your client. If someone knew what it was, they could ban you from their server in the code side of things. Unlike the GUID BattlEye accesses, they cannot steal your "account" though.

Are you still stuck on thinking GUIDs are CD keys? Seriously, GUIDs != CD keys! You can't steal someone's account because you know their GUID. GUIDs are a datatype that are computed with md5 or some other form of encryption. If you don't believe me, look here at MSDN: http://msdn.microsoft.com/en-us/library/system.guid.aspx GUIDs are typically used to uniquely identify a specific record/object/whatever and can (but don't have to) represent data.

In response to the OP, why would you display this information anyways? Regardless if it is harmful to do so, you are just taking additional CPU cycles from the server to display it. There is no legitimate reason that I can think of to display this information to the public. I know you're excited to develop a new web app which is great but before you get started, think about each piece of information you want to present and ask yourself why you want to store/retrieve/display this information. You will write better, tighter code this way.

mudzereli (Author) Posted June 24, 2014

> Are you still stuck on thinking GUIDs are CD keys? Seriously, GUIDs != CD keys! You can't steal someone's account because you know their GUID. GUIDs are a datatype that are computed with md5 or some other form of encryption. If you don't believe me, look here at MSDN: http://msdn.microsoft.com/en-us/library/system.guid.aspx GUIDs are typically used to uniquely identify a specific record/object/whatever and can (but don't have to) represent data.
>
> In response to the OP, why would you display this information anyways? Regardless if it is harmful to do so, you are just taking additional CPU cycles from the server to display it. There is no legitimate reason that I can think of to display this information to the public. I know you're excited to develop a new web app which is great but before you get started, think about each piece of information you want to present and ask yourself why you want to store/retrieve/display this information. You will write better, tighter code this way.

If you look at the website, you will see that it is displayed in a very small section (one single tooltip). The usefulness of it is this:

1) a server owner could quickly look up a player's UID if he needs to assign a donator package in a script or something,
2) a player could easily look up their own UID if they need to donate for a package etc and provide this information to the owner.

Again, the question was merely "is it safe to display this data?", not "should I build a web app driven around playerUIDs".

hambeast Posted June 24, 2014

IDK... Playeruid is easily accessible to admins through the database/logs/in game scripting and easily accessible to players through the profiles section of the main menu. If you are only displaying the playeruid to the actual player logged into your stats page that is one thing but why display it to everyone? What use does another player have for another's ID besides trying to spoof them through a donor system / non secure server?

mudzereli (Author) Posted June 24, 2014

I do understand where you are coming from and will probably take it out. While not really harmful, it's more of a privacy issue than anything although it does carry the potential for abuse (however small).

While I do know that players can easily view their own playerUID on the client, explaining this can be a little more difficult. Adding authentication strictly to show a player their own ID is a lot of work for little return. I will most likely just add an admin section where an admin can look it up and perform other things like gear rollbacks and other functions.

Thanks for the input on this. :)

TheVampire Posted June 25, 2014

> Are you still stuck on thinking GUIDs are CD keys? Seriously, GUIDs != CD keys! You can't steal someone's account because you know their GUID. GUIDs are a datatype that are computed with md5 or some other form of encryption. If you don't believe me, look here at MSDN: http://msdn.microsoft.com/en-us/library/system.guid.aspx GUIDs are typically used to uniquely identify a specific record/object/whatever and can (but don't have to) represent data.
>
> In response to the OP, why would you display this information anyways? Regardless if it is harmful to do so, you are just taking additional CPU cycles from the server to display it. There is no legitimate reason that I can think of to display this information to the public. I know you're excited to develop a new web app which is great but before you get started, think about each piece of information you want to present and ask yourself why you want to store/retrieve/display this information. You will write better, tighter code this way.

The CD Key you get from the game is not the exact same as the GUID that you can get from BEC, yet you can switch out your GUID in the registry with the GUID of another player, which lets you play under their CDKey, which means they are essentially the same for all intents and purposes as far as use goes, unless claiming someone else's CD Key on your Steam makes a big difference. If the update icomrade is talking about is true, then the GUID will be less important when that update is released. I understand that a GUID is just a one way hash of the CD Key.

@icomrade I was not aware you could spoof a PlayerID.

PetuniaEpoch Posted June 26, 2014

Why not make it have a login, and then only show the PlayerUID if the user is logged in, and only show theirs (like a profile bad with a hidden field).

> Thank you for confirming that it can't really be dangerous. I didn't think it could be but wanted to make sure.
>
> I disagree that it's useless because if you have a donation system/etc set up on your site where the player needs to lookup/enter their PlayerUID, then they could easily do that.

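The approach the thread converges on (show a PlayerUID only to the logged-in player it belongs to, or to an admin), sketched as an added example that is not code from the stats site or from any poster. The row fields, `HANDLE_KEY` and the function names are assumptions, and the sample rows are constructed; the keyed handle is one way to give public pages a stable per-player identifier without publishing the UID.

```javascript
// Added example: constructed data, hypothetical field and function names.
const { createHmac } = require('node:crypto');

// Server-side secret (assumption): load from configuration, never send to the browser.
const HANDLE_KEY = 'constructed-demo-key';

// Stable public identifier for URLs and tooltips. Because it is keyed, it cannot
// be recomputed from a UID, or matched across servers, without the key.
function publicHandle(uid) {
  return createHmac('sha256', HANDLE_KEY).update(String(uid)).digest('hex').slice(0, 16);
}

// Allow-list: any column not named here is withheld by default.
const PUBLIC_FIELDS = ['name', 'kills', 'deaths'];

// viewer is null for anonymous visitors, otherwise { role, uid } taken from the
// authenticated session, never from a request parameter.
function playerView(row, viewer) {
  const view = { handle: publicHandle(row.uid) };
  for (const field of PUBLIC_FIELDS) view[field] = row[field];
  const isAdmin = viewer != null && viewer.role === 'admin';
  const isOwner = viewer != null && viewer.uid === row.uid;
  if (isAdmin || isOwner) view.uid = row.uid; // UID only for its owner or an admin
  return view;
}

function playerList(rows, viewer) {
  return rows.map((row) => playerView(row, viewer));
}

// Constructed rows standing in for the stats database.
const SAMPLE_ROWS = [
  { uid: '10000001', name: 'Alice', kills: 12, deaths: 3, lastIp: '192.0.2.10' },
  { uid: '10000002', name: 'Bob', kills: 4, deaths: 9, lastIp: '192.0.2.11' },
];

console.log(playerList(SAMPLE_ROWS, null));                               // no uid anywhere
console.log(playerList(SAMPLE_ROWS, { role: 'player', uid: '10000002' })); // uid on Bob's row only
```

The filtering has to happen on the server before the response is built; hiding the field in the page markup still ships every UID to every visitor.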