MAJOR Client Side Information Leakage


  • Culture

    The websocket for room subscriptions sends far more data than it should. This allows people with custom clients or browser extensions to pull in a lot of data that users may have assumed was invisible to other players.

    * Creep names are visible to players and scripts. If someone sends a creep named "bait" and another named "attacker" it's going to be pretty obvious which one is doing what.

    * Observer targets are also, for some reason, being sent out. This means I can easily see what rooms an observer is looking at, even if it is not my observer.

    I know this has come up before, but I really think that this needs to be fixed, since people are using this information for their own advantage. Filtering out the creep name and observer data from the room information should be happening server-side, not client-side.


    PS: If anyone wants to play with this for themselves without having to pull in the websocket, this information is also available in room history:

    https://screeps.com/room-history/E9N23/20233700.json
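    As an added example in JavaScript (not code from the original post or from the Screeps code base), here is the server-side redaction the post argues for. The payload shape, the user IDs, creep names and room names, and the field names `name` and `observeRoom` are all constructed for this example and are not the real Screeps wire or room-history format; the point it shows is that filtering per subscriber before the update leaves the server means a custom client or browser extension never receives anything the UI would not have shown.

```javascript
// Added example, not from the original post or the Screeps code base.
// The object shape and field names below are constructed for illustration;
// the real Screeps room-update format is not reproduced here.

// Constructed sample of the room state the server holds before broadcasting.
const SAMPLE_ROOM_OBJECTS = {
  c1: { type: "creep", user: "alice", name: "bait", x: 10, y: 12, hits: 300 },
  c2: { type: "creep", user: "alice", name: "attacker", x: 11, y: 12, hits: 1500 },
  c3: { type: "creep", user: "bob", name: "harvester_7", x: 30, y: 5, hits: 200 },
  o1: { type: "observer", user: "alice", x: 20, y: 20, observeRoom: "E10N23" },
  o2: { type: "observer", user: "bob", x: 25, y: 25, observeRoom: "E8N23" },
  s1: { type: "source", x: 40, y: 40, energy: 3000 },
};

// Fields that should only reach the owner of the object (assumed names).
const OWNER_ONLY_FIELDS = {
  creep: ["name"],
  observer: ["observeRoom"],
};

// What the post describes: the UI hides other players' creep names, but the
// raw payload handed to the client still carries them, so anything with
// access to the raw data (custom client, extension) can just read obj.name.
function clientSideLabel(viewerUser, obj) {
  if (obj.type === "creep" && obj.user === viewerUser) return obj.name;
  return obj.type;
}

// The fix the post asks for: redact on the server, per subscriber, so the
// owner-only fields are never serialized to a non-owner. Returns a new
// object and leaves the server's own copy untouched.
function redactRoomObjectsFor(viewerUser, objects) {
  const out = {};
  for (const [id, obj] of Object.entries(objects)) {
    const copy = { ...obj };
    if (obj.user !== viewerUser) {
      for (const field of OWNER_ONLY_FIELDS[obj.type] || []) {
        delete copy[field];
      }
    }
    out[id] = copy;
  }
  return out;
}

// Fan-out: every subscriber of the room gets a payload built for them.
function buildRoomUpdates(subscribers, objects) {
  const updates = {};
  for (const user of subscribers) {
    updates[user] = redactRoomObjectsFor(user, objects);
  }
  return updates;
}

// Check to run against any payload a client actually received: does it
// carry an owner-only field for an object the viewer does not own?
function leaksOwnerOnlyData(viewerUser, payload) {
  return Object.values(payload).some(
    (obj) =>
      obj.user !== viewerUser &&
      (OWNER_ONLY_FIELDS[obj.type] || []).some((field) => field in obj)
  );
}

// Stand-alone demonstration: three subscribers, one of whom owns nothing.
const DEMO_UPDATES = buildRoomUpdates(["alice", "bob", "carol"], SAMPLE_ROOM_OBJECTS);
for (const [user, payload] of Object.entries(DEMO_UPDATES)) {
  console.log(user, "leaks:", leaksOwnerOnlyData(user, payload), JSON.stringify(payload));
}
// The unfiltered object set is what the post saw on the wire.
console.log("raw payload leaks for bob:", leaksOwnerOnlyData("bob", SAMPLE_ROOM_OBJECTS));
```

    The `leaksOwnerOnlyData` check is the useful part for testing: point it at whatever a subscribed client actually received (the websocket frame or a room-history JSON), with the receiving player as the viewer, and it tells you whether the server is still shipping other players' creep names or observer targets.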

     


  • Dev Team

    This is an old and well-known behavior that has already been reported several times. We don't consider it major, and there are no plans to fix it anytime soon. In the future, we might allow seeing all players' creep names using the UI/API; it is not really sensitive info.


  • Culture

    I'd say it's pretty major, since it's not documented anywhere and many people put their creep roles in the name. It's also pretty unfair to new players that it's only available to players who know about it (which, due to the lack of documentation, does not include a lot of people). I think you should either remove it completely (my preference) or put it in the UI so it's available to everyone.