Skip to main content

Browse GamesGame JamsUpload GameDeveloper LogsCommunity
Indie game storeFree gamesFun gamesHorror games
Game developmentAssetsComics
SalesBundles
Jobs
TagsGame Engines
redonihunter18 days ago (1 edit)
Currently, usernames could be acquired by brute-force

Not really. Even if you would manage to scrape all usernames by looking which profiles exist or not, you would not have a connection to which games those users played.

It is not the existence of profiles that is a privacy issue. It is the connection of who plays what (and when). That is information that falls under privacy rules and you need to explicitly allow these things to be shown public. Users need to have control over such things.

So even if developers would use the oauth verification thingy to fetch the usernames from users playing with the Itch app, those devs still would have no right to display those usernames as the content of their games. Be it as a leaderboard or anything else.

English is not my native language either. But if you read closely, leafo did not offer a solution. He talked about a hypothetical future in which such a feature would be implemented. And if they implent such a thing, it would be by "require the user to opt into sharing their information with the game". That opt in would not even be per developer, it would be per game.

That this feature still is not implemented after 5 years tells me, that it is not easy to do and maybe they realized the same as me: this feature alone is not interesting enough to implement it standalone. It would need more features to accompany it.

--

As for the security nightmare, that would be, if the information would be given to the web game just like that. No opt in. Just publich a web game and you can scrape users. Then anyone, even a scammer, could do with those information (who played what and when) whatever he likes. For example trying to see if that account also has a discord by the same name and with the information gained (game preference) to display advertisement, social scam attempts and so on. "I saw you played tank shooter 5000, here try my tank shooter 5500, do not worry that it is a password protected file. I selected you as an exclusive beta tester because you seemed to like my game.". 

Just because you do not immediatly see a way to exploit something does not mean, no one can. And scammers try very hard and every day to abuse Itch's services.

Reply
AboutFAQBlogContact us
Copyright © 2025 itch corp · Directory · Terms · Privacy · Cookies