Wednesday, July 6, 2011

Why client-side verification is bad.

Words with bastards

As a programmer, you should really know that you can't trust anything you put in the hands of someone else. If you're writing a web, mobile or desktop application that talks to your server, you can't trust that someone won't subvert the local software. As such, you can't rely on it to do authentication or parameter verification. (As noted in the comments below, it's not a sin to perform checks on the client side -- just don't *trust* that they were performed.)

A common mistake is the web site that relies on JavaScript to ensure a form is filled in correctly, but which then doesn't re-validate the submitted data on the server, even though the JavaScript may have been bypassed entirely. However, the problem extends to mobile or desktop applications that communicate with a remote server.

I recently looked into Zynga's "Words with friends" mobile application, and to my surprise discovered that it did client-side verification of the words you are playing.

It wasn't very hard to circumvent this, resulting in a version which accepts moves like the above one.
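To make the point of the paragraphs above concrete (the form that is only checked in JavaScript, and the word game that checked moves in the client), here is an added example; it is not code from the post and has nothing to do with Zynga's actual implementation. The dictionary, the player's rack and the request shapes are constructed for the example. The same pure rule check ships to the client for fast feedback, but the server re-runs it against its own copy of the player's rack and ignores everything the client claims about having validated the move. An insecure handler that trusts a client-set flag is shown beside it for contrast.

```javascript
// Added example, not from the original post. Shared rule check that runs on
// both sides; only the server's run is trusted. All data below is constructed.

const DICTIONARY = new Set(["CAT", "CATS", "ACT", "TACT", "SCAT"]); // constructed

// Pure function: no I/O, so it can be bundled into the client and the server.
function validateMove(word, rack) {
  const w = String(word || "").toUpperCase();
  if (!/^[A-Z]{2,15}$/.test(w)) return { ok: false, reason: "malformed word" };
  // Every letter must come from the rack passed in; the server passes its own copy.
  const available = [...rack];
  for (const ch of w) {
    const i = available.indexOf(ch);
    if (i === -1) return { ok: false, reason: `letter ${ch} not in rack` };
    available.splice(i, 1);
  }
  if (!DICTIONARY.has(w)) return { ok: false, reason: "not in dictionary" };
  return { ok: true, word: w };
}

// Client side: checks before sending purely to give the player quick feedback.
// `send` is the transport (hypothetical); nothing here is relied upon by the server.
function clientSubmit(word, rack, send) {
  const check = validateMove(word, rack);
  if (!check.ok) return check; // UI shows the reason and nothing is sent
  return send({ playerId: "p1", word: check.word, clientValidated: true });
}

// Server's authoritative game state (constructed): the rack lives here, not in the request.
function newGameState() {
  return { board: [], players: { p1: { rack: ["C", "A", "T", "S", "Q", "Z", "X"] } } };
}

// Hardened handler: the request may come from a modified client, so neither the
// clientValidated flag nor any rack it might carry is used. The rules are re-run
// against the server-held rack and only then is server-owned state updated.
function serverHandleMove(gameState, request) {
  const player = gameState.players[request.playerId];
  if (!player) return { status: 403, reason: "unknown player" };
  const check = validateMove(request.word, player.rack);
  if (!check.ok) return { status: 400, reason: check.reason };
  for (const ch of check.word) player.rack.splice(player.rack.indexOf(ch), 1);
  gameState.board.push(check.word);
  return { status: 200, word: check.word };
}

// Insecure handler for contrast: it treats the client's flag as proof that the
// move was checked, so a request crafted without running the client code is accepted.
function insecureHandleMove(gameState, request) {
  if (request.clientValidated) {
    gameState.board.push(String(request.word).toUpperCase());
    return { status: 200, word: String(request.word).toUpperCase() };
  }
  return { status: 400, reason: "client did not validate" };
}
```

The design point is that `validateMove` is deliberately free of side effects and takes the rack as a parameter: the client calls it with what it thinks the rack is, the server calls it with what the server knows the rack to be, and a request that skipped the client check (or lies in `clientValidated`) changes nothing about the server's decision.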