Flash games hack, score is 49700?? How to improve flash games security?

Question

I have 2 flash games (written in as3). Both the highscore value being hacked. The normal range of each game score is not more than 5000 (normal users, will only get 2000 - 3000

Answer 1

The cryptographic system you are using is very similar to an HMAC, but yours implementation is less secure. The md5 algorithm is a broken, however your MAC is immune to the prefixing attack to generate hash collisions because the beginning of the your secret. The attacker must be able to control the beggaring of the string in order to create a hash collision.

TamperData is a very useful hacking tool to Modify/Capture/Replay traffic that comes from the browser. So you should prevent against replay attacks by authenticating the current date and time: hmac(secret,date_time.score.username).

The hackers are probably using a SWF Decompiler to find the value of your secret in the SWF file. In order to counter this you should try and bury the secret using a SWF obfuscation such as http://www.amayeta.com/.

None of this is a "silver bullet", this just makes it more difficult for the hacker. A hacker will always be able to modify his or her score because you are trusting the client to tell you the correct score. Even if you made the recommended changes you would still be in violation of CWE-602.