SkillzTruth - Proof of concept demonstrating how to cheat on Skillz apps (skillztruth.com)
176 points by _yrbh on Feb 14, 2023 | 53 comments


As far as I can tell, all this does is mitm yourself so the proxy server can change the data being sent to the server, which is like, the most basic of possible ways to cheat a game, and only works on games that fully trust the client and have absolutely no server-side validation. Yikes


You're absolutely correct. I was stunned how little security they employ.


Good job, they definitely look shady as hell. Did you consider doing responsible disclosure and doing a write-up after? Aren't you worried about any retaliation? I'm pretty sure this type of company has a decent amount of money to spend on legal cases..


Everything I said about them is true. I’ve been sued before.


Is competitive gaming winrate much different though? I always thought that in games such as league of legends players tend to have winrate close to 50%, and good players with slightly higher winrate end up in higher ranks by playing many games. Of course winrate is much higher when they are in lower ranks than their skill level, but they'll end up playing most of their games in their corresponding rank anyway in the long term


From a quick review of the games listed on https://games.skillz.com/popular there are a few that are purely luck-based (Blackout Bingo, Bingo Cash), most that have a very small skill or strategy cap before they’re luck-dominated (multiple Solitaires, Match 3 games, Blackjack, Spades, Bubble popping games, Yahtzee), and a few that seem skill-based (Big Buck Hunter marksman game, Pool, Bowling). Note: without investigating those presumed skill-based games looking for ways they introduce unavoidable randomness, I can’t be sure they really are skill-based.

Conclusion is it seems quite plausible Skillz does offer some partly-skill-based competitive games where you can earn cash by beating other players on your own merits. This isn’t incompatible with their business model - casinos profit on poker despite it being possible to win money at poker because you aren’t playing against the house, you’re playing against each other, and the house is just taking a rake (essentially renting out the dealer and table to the players).


On average, yes. However, this is a dishonest comparison imo.

Skill-based matchmaking aims to find a “good” matchup for you by putting you up against an opponent of a similar skill level. Over time you land at 50% due to this, but if you improve you’ll face better opponents and have more complex games.

Skillz is just fake randomness designed to keep you from making money, and you have no control over this.

I guess the birds eye view appears the same, but it’s not really the same concept.


> Skillz is just fake randomness designed to keep you from making money, and you have no control over this.

How do you know that? Did somebody run experiments to prove it?


Yes. This is covered on the site.


Yep. Read the article!


I have read all ~250 words of the article. It makes about as many assertions as are possible in that word count, but does not present any evidence.

> Analysis of player win/loss ratios clearly shows that all players win roughly 50% of games, regardless of their "skill".

What analysis? What is the methodology? Where are the results?

> That's not an eSport. That's a slot machine.

This is obviously not true, since there's an obvious alternative explanation for ~50% win rates. So the experiment you claim is documented somewhere on this page should obviously be designed in a way that distinguishes between dishonest manipulation of the game RNG vs. totally legit skill-based matchmaking.

> You can never win more money than you've paid. If you somehow do, Skillz will suspend your account when you attempt to withdraw.

Ok, that's bad if true. How can we as readers judge if it's true? Not by the evidence presented on this page, because there is literally none.

You've told me to read the article. So where is the proof that the site is a scam? Not just an assertion that an experiment with undocumented methodology was done and produced topline results that can be explained in other ways?


They don’t need to manipulate results, there’s a substantial vig built into the payout structure in the first place.


Depends on the game and the distribution. Skill games tend to have major outliers at the tails; sometimes modern matchmaking (DOTA2, others) uses group rating to balance, or sometimes (Magic: The Gathering) your best players maintain >65% against the rest of the field.


It’s not supposed to be a balanced pvp game.

It’s loophole lawyering to offer gambling to US customers, much like the Daily Fantasy sites.


> Analysis of player win/loss ratios clearly shows that all players win roughly 50% of games, regardless of their "skill". That's not an eSport. That's a slot machine.

> The average win rate for a brand new player is 56%. The average win rate for the best players is 53%.

Uh, that also could mean really fantastic player matching. A good match would be one in which it's unclear who would win. If the skew is too great then new players get discouraged (lose all the time) and/or skilled players get bored (they win 99% of the time).


My anecdotal experience with competitive games has been that the top ~15% of players generally have a winrate >50%, with the top 1-5% usually clearing 55%, especially where some skill-indicative metric is used to do matchmaking.

The fact that winrate is 50% across the board implies that they are somehow fixing matches, or (as the author states) simply banning their most skilled players.


Except that the specific claim is that it's greater than 50% in those categories, not 50% across the board.


As usual, a simple MitM can accomplish more than you'd expect. Together with a simple Frida script, you can easily intercept traffic for apps with certificate pinning as well; there's no quick fix for a vulnerability like this.

You can't trust data from computers you don't own. Looking at the source code snippet posted, this library simply sends a "score" variable over a POST request and the server just seems to accept it as the real score; that's fine for keeping user-specific high scores, but as soon as you use that data together with any other account, you're going to have a bad time.

This reminds me of the Hive Social security vulnerability (forgetting to implement ACLs on any of their endpoints and doing all the security checks client side).
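To make the comment's point concrete, here is an added illustration (not Skillz's code and not from the site discussed): a handler that stores whatever "score" the client POSTs, beside a server-authoritative handler that derives the score from bounded game events and treats a disagreeing client claim as a detection signal. The game rules, event types and rate ceiling are constructed for a hypothetical match-3 game.

```python
import secrets

# Constructed rules for a hypothetical match-3 game (not from the page).
EVENT_LIMITS = {"match3": 30, "combo": 100}   # max points per event type
MAX_POINTS_PER_SECOND = 50                     # plausibility ceiling


def naive_submit(sessions, session_id, payload):
    """Vulnerable pattern: the client's 'score' field is accepted as the result."""
    sessions[session_id]["score"] = int(payload["score"])
    return sessions[session_id]["score"]


def start_match(sessions, player, now):
    """The server creates the session and records its start time itself."""
    sid = secrets.token_hex(8)                 # unguessable, single-use id
    sessions[sid] = {"player": player, "start": now, "score": None}
    return sid


def hardened_submit(sessions, session_id, payload, now):
    """Recompute the score from validated events instead of trusting the client."""
    s = sessions.get(session_id)
    if s is None or s["score"] is not None:
        raise ValueError("unknown or already-settled session")   # blocks replay
    elapsed = now - s["start"]
    if elapsed <= 0:
        raise ValueError("implausible timing")
    score = 0
    for ev in payload.get("events", []):
        limit = EVENT_LIMITS.get(ev.get("type"))
        if limit is None or not 1 <= int(ev.get("points", 0)) <= limit:
            raise ValueError("invalid event")
        score += int(ev["points"])
    if score > elapsed * MAX_POINTS_PER_SECOND:
        raise ValueError("score exceeds achievable rate")
    # The client's own 'score' field is never stored; a mismatch between the
    # claimed and recomputed score is logged/flagged as a tampering indicator.
    claimed = payload.get("score")
    s["flagged"] = claimed is not None and int(claimed) != score
    s["score"] = score
    return score
```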


Yea I was pretty blown away by their security model. Considering they are dealing with cash games worth hundreds of dollars to the users, it’s negligent.


What is Skillz? Can anyone provide context?


Skillz is a company that provides real-money components (gambling, iirc) for mobile games. If you have a mobile game, it's a platform you can tack on to allow your players to compete against each other for cash (and so monetize your game).

https://www.skillz.com/

https://en.wikipedia.org/wiki/Skillz_(company)


I really am living to see manmade horrors beyond my comprehension.


Is this really that hard to comprehend? It's a slight twist on a ticket based arcade game or a slot machine. It's pretty common knowledge that they are a waste of money.


The concept of having a slot machine in my pocket sets off so many mental alarm bells that it’s incomprehensible to me that people would gamble on what looks like Bejeweled.


I’m not saying it’s good. But it hardly seems beyond comprehension.


Sharks on mobile non-gambling games can easily spend over $500 a month on a game.

That's the "buy an energy refill to chop more wood!" sort of games.

Now imagine if you pretend it's a competition. You can "beat the machine", as these games are dressed up. And you can wager on them.

Every casino in Vegas has lifers burning their cash. Now you spread that to over a billion devices with no gambling commission.


Just wait until you learn about human history.


If it's players competing against each other, then skill-based matchmaking would lead to most players having a roughly 50% win rate naturally. But the win rates are the only real reason the OP gives for this being a scam. So the submission could really do with some extra context.


They claim to have very sophisticated anti-cheat tech that he was able to overcome with a simple MITM attack.

This is from their IPO S-1:

"We collect over 300 data points during each gameplay session to feed our big data assets which augment all elements of our platform. Our key data science technologies drive our player rating and matching, anti-cheat and anti-fraud, and user experience personalization engine."


Wow - that’s just a blatant lie.


I worked there for about a month before it was named Skillz. One thing I didn't expect was how much the psychology of a casual game changes when there's money on the line. Imagine playing 5 minutes of Angry Birds while waiting for a bus, versus playing the same game for bus fare.


They create and offer games[1] that purport to be a way for users to win real money. This is gambling though the company uses very precise language to try to avoid being classified as a gambling company (since that would make their business super illegal in a bunch of jurisdictions). They are, from reports, extremely scummy[2] and, to be honest, their entire business is exploitative and targets people with addictions.

1. https://games.skillz.com/

2. https://ca.trustpilot.com/review/skillz.com


If this is truly meant as a PoC to raise awareness, shouldn't there be a writeup of how it works and/or source code? I'm not interested in running some random binary that claims to hack a game, but a technical description of the vuln would be interesting.


Sure, I'll release the source code. It's pretty simple.


Agreed, and obviously running this in a VM is the way to go.

I'm impressed at the amount of effort this person put in.



Basically find-and-replace a few short strings? That's hilarious.

If I was a Skillz shareholder, I would start a class action suit and drag that repo/video into court. Public companies have lost for far less.


For once, the evil company is on a path toward bankruptcy. Not because law enforcement or regulators stepped in, though. It's just a cash flow negative company with declining revenue living off money raised in 2021.


This is really cool!


Lots of righteous upvoting, no comments (that's what I did too, at first.) Has anyone examined it?

It has the ring of so much malware and exploits masquerading as cheats from my childhood of playing crappy games, and there's little information on the page.

Edit: I watched some of the video, and he wants you to add a new certificate authority... no explanation of how the 'cheating' works.

Edit 2: Looks like I jumped to conclusions too hastily about motives. Still, I found no satisfying explanation anywhere.


He doesn't look like your typical malicious actor (where's the hoodie?!) but who knows these days. His LinkedIn is at the bottom of the page.

https://www.linkedin.com/in/brianhamachek


Thanks, that's probably useful context.


From what I can tell

The binary is running a proxy (fiddler?) on the windows machine. The iPhone is on the same network and accepts the proxy's self signed certificate which allows the iPhone to trust the proxy. You point the iPhone to the proxy. Start Game - End Game - Zero points. When the POST or whatever API call is sent to the server the proxy (fiddler) modifies the request to whatever _points_ you specified. Then you see the updated score on the app.


I'd strongly discourage anyone from actually installing and using it as it's almost certainly illegal to do so (definitely will violate ToS and probably will be actionably illegal but IANAL). Additionally, it very well could contain malware.

To be honest though, shining a light on this terrible company seems to be the main drive of the website and it's a very deserving cause.


You add the new CA so that you can man-in-the-middle the traffic between your phone and their servers. That lets the app view it unencrypted, modify as needed, and then send it off to the real server.

Just removed the CA after.



It feels more like a short seller play.


Interestingly, the video was posted (and presumably the site went live) within 30min of the NYSE (where Skillz is listed) closing.


Would there have been a better time to post?


Well, you could post it during trading hours, for example.


Would that actually be better than putting your orders in before the closing and getting out right after opening when the initial reaction will hit all at once? (Vs being delayed / smoothed out over time during the trading hours)


> and he wants you to add a new certificate authority... no explanation of how the 'cheating' works.

I mean it should be pretty obvious why this is being done for this general type of attack - if you have the necessary level of expertise where it is safe to use a tool like this.


I’m a busy person. I made this really rushed. I’ve put the source code up on GitHub now though.



