So I got someone trying to crack my plugin by just inspecting the fetch object, which for me is very clever in the way it was done. It taught me something new, so what would you suggest for more protection? I know this is a game between crackers and us, and it is exciting to learn new ways of security.
This is the code that the hacker tried, and it's so funny he didn't even remove the emojis from ChatGPT…
```javascript
// --- START OF SAFE INSPECTOR v2 ---
try {
  // Save the original fetch function as soon as it becomes available
  const originalFetch = fetch;
  // Replace it with our own version
  fetch = function (url, options) {
    console.log('\n=====================================');
    console.log('🚀 UXP request intercepted!');
    console.log(`URL: ${url}`);
    console.log(`Options: ${JSON.stringify(options, null, 2)}`);
    if (options && options.body) {
      try {
        // Attempt to decode the request body for easier reading
        const decodedBody = JSON.parse(options.body);
        console.log(`Body (decoded): ${JSON.stringify(decodedBody, null, 2)}`);
      } catch (e) {
        console.log(`Body (not JSON): ${options.body}`);
      }
    }
    console.log('=====================================\n');
    // IMPORTANT: Call the original fetch function so the plugin continues to work normally
    return originalFetch(url, options);
  };
  console.log('--- SAFE INSPECTOR ACTIVATED ---');
} catch (e) {
  console.error('Error while activating inspector:', e);
}
// --- END OF INSPECTOR ---
// ... your original code from index.js continues below ...
```
The fact that someone bypasses our security is an opportunity to learn new layers of security.
Don't just rely on ChatGPT giving you ways to protect your code; try different things to make it more difficult to crack.
Funny, I mean they could just look at the network tab too; this is overkill. But yes, any JS-based plugins aren't too secure by nature, unfortunately, unless you pass sensitive info to the C++ hybrid side, which is harder to reverse.
Not sure what data they were trying to extract or how you got access to their vibe-hacking code snippet, but keeping sensitive info server-side, as always, will be your best bet.
JavaScript is never going to be very secure, so it is best to place sensitive portions of your app in C++, which gets compiled to binary, or on a server out of the user's reach.
If someone really cared about security and paid me extra for that effort, I would move authentication to C++; there are crypto libraries and also libraries to make requests. Also make sure messages are encrypted and a replay attack won't work… that the same message cannot be used twice. But then you would also want the C++ plugin to be more integral… not only an entry gateway where once you pass, you get it all.
There are more fun things you can do, like using C++ to check for plugin integrity, or where it is installed (hackers use different locations); you can remove or change the plugin if you think it was tampered with. You could also check for active processes/ports or a debugging protocol running in the OS, and if you detect an active debugger, then change the way authentication works… like make it never authenticate or skip 1 or 3 security layers… so pirates would always need to run a debugger to start your plugin. Or better, delay security layers 2-3 by 1-2 hours… so if someone is hacking your plugin using a debugger, it would seem to work for 1-2 hours and after that it would trigger the check and disable the plugin. That could turn debugging into an awful experience.
What I noticed was the hacker my client encountered bought it for full price (it wasn't cheap), so he first had a legit plugin with a legit license and tried to find out how it works. And later tried to sell the plugin for a fraction of the price to recuperate expenses. But even if you can connect that person to a credit card via telemetry… that card could have been stolen too.
But there is a limit to how high the bar can be. If hacking is harder than creating a new plugin from scratch and demand is high, maybe they will just make their own plugin. This approach can become more viable as AI gets better and better. Not sure what it would learn from, as the documentation and API are often incomplete and there are not many examples, but it could happen.