
Locking Down EchoForge: Our March Security Sprint

There’s a common assumption that indie studios don’t need to worry about security. The thinking goes: you’re small, you’re not a target, and your time is better spent building features. I used to believe that too. But EchoForge has grown — we have real players with real accounts, real game progress, and real trust in us to protect their data. In mid-March, I decided it was time to put that trust to the test.

Over two and a half weeks, I ran a full security audit across EchoForge Accounts, hardened EchoQuest’s game server, and migrated our entire authentication stack to an open-source OIDC provider called Logto. This post covers what I found, what I fixed, and why I think small studios should take security more seriously than most do.

The Accounts Pentest: 15 Vulnerabilities in Three Days

EchoForge Accounts is the central service that handles authentication for all our games — EchoQuest, One More Night, TileForge, and the Arcade. It manages login, registration, two-factor authentication, and game keys. If something is wrong here, it affects everything.

I went through every endpoint, every token flow, every edge case I could think of. Found 15 vulnerabilities. Filed them as GitHub issues #25 through #39. Fixed all of them.

The worst one was a 2FA bypass through refresh tokens. In plain terms: if you had 2FA on your account, someone with your refresh token could get a new access token without the second factor. The whole point of 2FA is that one credential isn’t enough. This bypass killed that guarantee. Fixed it so token refreshes on 2FA accounts always validate the second factor first.
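To make the bug class concrete, here is an added example of a refresh-token service with the vulnerable refresh path beside the hardened one. This is illustrative code, not EchoForge Accounts code: the in-memory user and session stores are stand-ins, and the variant shown (a session whose second factor was never completed can still refresh) is one way such a bypass arises; the post does not say which variant it was. The hardened path looks up the account's current 2FA setting at refresh time, so enabling 2FA mid-session also takes effect.

```python
"""Refresh-token handling with and without a second-factor check (added example)."""
import secrets
import time


class RefreshWithoutSecondFactor(PermissionError):
    """A 2FA account tried to refresh before its session passed the second factor."""


class TokenService:
    def __init__(self, users, clock=time.time):
        # users: {user_id: {"mfa_enabled": bool}} -- the account's current setting.
        # It is read at refresh time, not cached in the session (assumption for this demo).
        self.users = users
        self.clock = clock
        self.sessions = {}  # refresh_token -> {"user_id", "mfa_verified", "expires_at"}

    def login_with_password(self, user_id):
        """First factor accepted: mint a refresh token. The session starts MFA-unverified."""
        token = secrets.token_urlsafe(32)
        self.sessions[token] = {
            "user_id": user_id,
            "mfa_verified": False,
            "expires_at": self.clock() + 30 * 86400,
        }
        return token

    def complete_second_factor(self, refresh_token, code_accepted):
        """Record that the second factor passed (the TOTP/WebAuthn check itself is out of scope)."""
        if code_accepted:
            self.sessions[refresh_token]["mfa_verified"] = True

    def _lookup(self, refresh_token):
        session = self.sessions.get(refresh_token)
        if session is None or session["expires_at"] <= self.clock():
            raise PermissionError("invalid or expired refresh token")
        return session

    def refresh_vulnerable(self, refresh_token):
        """The bug pattern: token validity is checked, MFA state is never consulted."""
        session = self._lookup(refresh_token)
        return self._mint_access_token(session)

    def refresh_hardened(self, refresh_token):
        """Refuse to mint for a 2FA account whose session never passed the second factor."""
        session = self._lookup(refresh_token)
        if self.users[session["user_id"]]["mfa_enabled"] and not session["mfa_verified"]:
            raise RefreshWithoutSecondFactor("second factor required before refresh")
        return self._mint_access_token(session)

    def _mint_access_token(self, session):
        # Stand-in for a signed JWT; only the subject matters here.
        return {"sub": session["user_id"], "exp": self.clock() + 900}


def refresh_allowed(service, refresh_token):
    """True if the hardened path would issue an access token for this refresh token."""
    try:
        service.refresh_hardened(refresh_token)
        return True
    except RefreshWithoutSecondFactor:
        return False


def demo():
    """Attacker holds a stolen refresh token for a 2FA account that never finished MFA."""
    svc = TokenService({"alice": {"mfa_enabled": True}})
    stolen = svc.login_with_password("alice")
    bypassed = svc.refresh_vulnerable(stolen)["sub"] == "alice"  # vulnerable path hands out a token
    blocked = not refresh_allowed(svc, stolen)                   # hardened path refuses
    return bypassed, blocked
```

The same check belongs on every path that mints an access token, not just interactive login; the refresh endpoint is the one that is easy to forget because it never shows a UI.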

The rest ranged from moderate to low. Missing rate limits on sensitive endpoints, which leaves login and reset flows open to brute force. Error messages that leaked whether an account exists, so an attacker could enumerate valid usernames before ever guessing a password. Session handling edge cases. None as bad as the 2FA thing, but each one was a gap between how secure the system should be and how secure it was.

While I was in there, I also redesigned the portal with a tabbed layout, added proper branding, integrated TileForge game key management, and built a player dashboard. Not security work, but it came naturally from being in that codebase.

Hardening EchoQuest

EchoQuest needed its own pass. The game has a full economy — crafting, trading, gambling — plus an admin panel. Each of those is an attack surface.

The big one was a gambling exploit. I won’t detail how it worked, but a player could manipulate outcomes by exploiting a timing issue in server-side bet validation. Not theoretical — someone would have found this and used it to print gold.

Pushed three point releases back to back. 0.27.2: 47 bug fixes across combat, UI, crafting, admin, and security. 0.27.3: map fixes, admin improvements, Steam linking, save slots. 0.27.4: account security, Steam Web API, social platform connections.

Added CSP headers to lock down which scripts can run. Blocked source maps in production. Hardened admin cache to prevent stale auth states. Save files now carry HMAC signatures, so client-side tampering gets caught. That guarantee holds only as long as the signing key stays out of the client's reach: anyone who has the key can re-sign an edited save, so the key and the verification need to live on the server.
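An added example of the HMAC-signed save file idea, not EchoQuest's actual save format: the save is serialised canonically, an HMAC-SHA256 tag is appended, and verification uses a constant-time compare. `SAVE_KEY` is a constructed key for the demo and stands for a secret that never ships to the client.

```python
"""Tamper-evident save files with HMAC-SHA256 (added example)."""
import hashlib
import hmac
import json

# Constructed demo key. In a real deployment this stays server-side; a key the
# client can read lets a player re-sign whatever they like.
SAVE_KEY = b"constructed-demo-key-do-not-ship-to-clients"


def _canonical(save: dict) -> bytes:
    # Sorted keys and fixed separators so the same state always signs to the same bytes.
    return json.dumps(save, sort_keys=True, separators=(",", ":")).encode("utf-8")


def sign_save(save: dict, key: bytes = SAVE_KEY) -> bytes:
    """Return body + newline + hex HMAC tag."""
    body = _canonical(save)
    tag = hmac.new(key, body, hashlib.sha256).hexdigest().encode("ascii")
    return body + b"\n" + tag


def verify_save(blob: bytes, key: bytes = SAVE_KEY) -> bool:
    """True only if the tag matches the body under this key."""
    body, sep, tag = blob.rpartition(b"\n")
    if not sep:
        return False  # no tag at all
    expected = hmac.new(key, body, hashlib.sha256).hexdigest().encode("ascii")
    # compare_digest avoids leaking where the mismatch is through timing.
    return hmac.compare_digest(expected, tag)


def load_save(blob: bytes, key: bytes = SAVE_KEY) -> dict:
    """Parse a save only after its integrity check passes."""
    if not verify_save(blob, key):
        raise ValueError("save file failed integrity check")
    return json.loads(blob.rpartition(b"\n")[0])


def tamper(blob: bytes, old: bytes, new: bytes) -> bytes:
    """Simulate a player editing a field in the save on disk."""
    return blob.replace(old, new)


# Constructed sample save.
SAMPLE_SAVE = {"player": "bruno", "level": 7, "gold": 100}
```

One caveat HMAC alone does not cover: a player can still restore an older, validly signed save (rollback). If that matters for the economy, include a server-issued monotonic counter or nonce in the signed body and reject anything older than the last one seen.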

Added anti-piracy measures and server obfuscation for the Steam build. Not bulletproof — nothing is — but it raises the bar. Also built out frontend and multiplayer E2E tests, because security fixes that break the game aren’t fixes.

The Logto Migration: Fixing Auth at the Root

Patching bugs is fine, but I kept asking: why were these possible? Because I built auth from scratch. It worked, but keeping a custom auth system secure is a full-time job. Every new game meant more token logic, more session handling, more places to screw up.

End of March, I moved everything to Logto, an open-source OpenID Connect provider. EchoQuest, EchoForge Accounts, OMN Arcade, TileForge — all of it.

For players, nothing looks different. You still log in the same way. But auth is now handled by a team whose whole job is identity management. Token flows follow OAuth 2.0 and OIDC standards instead of my custom stuff. If a vulnerability shows up, the Logto team patches it for everyone, not just us.

One nice side effect: the portal’s Play button now auto-logs you into games. Before, you’d sometimes have to log in again when launching a game. Now a single-use code gets exchanged behind the scenes. One login, all games.
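As an added illustration of what a single-use launch code has to get right, here is a small broker. This is not Logto's implementation and not EchoForge code; the post does not describe the actual exchange. It shows the properties such a code needs: random, short-lived, bound to the game that will redeem it, stored only as a hash, and consumed on first use so a replayed or intercepted code fails. The 60-second TTL and the injectable clock are assumptions for the demo.

```python
"""One-time launch codes for a portal-to-game handoff (added example)."""
import hashlib
import secrets
import time


class LaunchCodeBroker:
    CODE_TTL_SECONDS = 60  # assumption: long enough for a game launch, nothing more

    def __init__(self, clock=time.time):
        self._clock = clock
        self._pending = {}  # sha256(code) -> (user_id, game_id, expires_at)

    @staticmethod
    def _digest(code: str) -> str:
        # Store only a hash so a leaked table cannot be redeemed as-is.
        return hashlib.sha256(code.encode("utf-8")).hexdigest()

    def issue(self, user_id: str, game_id: str) -> str:
        """Portal side: called after the user is authenticated and clicks Play."""
        code = secrets.token_urlsafe(32)
        self._pending[self._digest(code)] = (
            user_id,
            game_id,
            self._clock() + self.CODE_TTL_SECONDS,
        )
        return code

    def exchange(self, code: str, game_id: str):
        """Game server side: returns the user_id once, or None.

        pop() consumes the code whatever the outcome, so a code that fails
        once (wrong game, expired, unknown) cannot be retried.
        """
        entry = self._pending.pop(self._digest(code), None)
        if entry is None:
            return None
        user_id, bound_game, expires_at = entry
        if self._clock() >= expires_at or bound_game != game_id:
            return None
        return user_id


def demo():
    """Issue a code, redeem it, then show that a replay is rejected."""
    broker = LaunchCodeBroker()
    code = broker.issue("alice", "echoquest")
    first = broker.exchange(code, "echoquest")
    replay = broker.exchange(code, "echoquest")
    return first, replay
```

Binding the code to the target game matters as much as the one-time property: without it, a code minted for one game could be redeemed by any service that shares the broker.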

Admin portal moved to Logto too. Same hardened auth as everything else. No more separate admin login code to worry about.

Why This Matters

I’ll be straight: the 2FA bypass was bad. If someone found it and had a user’s refresh token, they could have gotten into accounts that were supposed to be protected. I don’t think it was ever exploited, but “I don’t think so” isn’t “definitely not.” I take that seriously.

Security isn’t a checkbox. For a small studio, it means being honest about what you can maintain and what you should hand off. Moving to Logto was me admitting that my custom auth was a liability.

If you have an EchoForge account: your data is safer now than it was three weeks ago. If you’re a fellow indie dev: run the audit. You’ll find things. Fix them before someone else does.

— Bruno