Vulnerabilities in Chess.com Could Expose Users to Potential Cheating
Check Point Research (CPR) identified security vulnerabilities in the Chess.com platform. Left unpatched, an attacker can use the security flaws to cheat in chess games and solve games without playing. CPR outlines the exploitation methodology and publishes a technical analysis of the vulnerabilities.
Chess.com boasts over 100M players worldwide
Prizes can reach up to $1M
CPR reports findings to Chess.com, who subsequently issued a security patch
Check Point Research (CPR) identified multiple vulnerabilities in the chess.com platform. Left unpatched, an attacker can use the security flaws to cheat in chess games and solve puzzles, without even playing.
Exploitation of the vulnerabilities is triggered by manipulating both the Chess Game API and Puzzle-solving API of the Chess.com platform. CPR was able to decrease an opponent’s time and win games, as well as extract successful chess moves to solve online puzzle ratings.
Chess.com boasts over 100M players worldwide, and prizes can reach up to $1M.
Attack Methodology
CPR outlined the attack methodology as follows:
The attacker starts a chess game with somebody he added to his friend list before or during the game
By adding a player to the friend list, the attacker opens the adjustclock API request, which allows him to give the opponent an extra 15 seconds
The attacker manipulates the adjustclock API to zero the opponent’s clock and wins the game without the opponent noticing
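The steps above describe a request meant to grant a fixed 15 seconds being manipulated into zeroing the opponent's clock. The following is an added defensive example, not code from Chess.com or CPR: a server-side handler that derives the target and the amount itself and refuses any client-supplied extras. The names `Game`, `adjust_clock`, `game_id` and the request shape are assumptions made for illustration.

```python
# Added example: hypothetical server-side handler, not Chess.com's code.
from dataclasses import dataclass, field

BONUS_SECONDS = 15  # the only adjustment the feature is meant to grant


class Rejected(Exception):
    """Raised when a clock-adjustment request fails validation."""


@dataclass
class Game:
    players: tuple                                  # (player_a, player_b)
    clocks: dict                                    # seconds left per player
    friends: set = field(default_factory=set)       # frozenset pairs
    audit: list = field(default_factory=list)       # tampering records


def adjust_clock(game, requester, request):
    """Add BONUS_SECONDS to the requester's opponent; return the new clock.

    Nothing in `request` chooses the target or the amount.
    """
    if requester not in game.players:
        raise Rejected("requester is not in this game")
    opponent = next(p for p in game.players if p != requester)
    if frozenset((requester, opponent)) not in game.friends:
        raise Rejected("players are not friends")
    # Fields beyond the game identifier (assumed name: game_id) are treated
    # as tampering: record them for detection and leave the clock untouched.
    unexpected = sorted(set(request) - {"game_id"})
    if unexpected:
        game.audit.append((requester, unexpected))
        raise Rejected("unexpected fields: " + ", ".join(unexpected))
    game.clocks[opponent] += BONUS_SECONDS          # clocks only go up here
    return game.clocks[opponent]


def sample_game():
    """Constructed sample state: two friends in a game in progress."""
    return Game(players=("alice", "bob"),
                clocks={"alice": 300, "bob": 120},
                friends={frozenset(("alice", "bob"))})
```

The audit list gives detection a signal: a client that sends anything other than the game identifier on this endpoint is not using the normal interface.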
Responsible Disclosure:
CPR responsibly disclosed its findings to Chess.com, who subsequently issued a patch.
Oded Vanunu, Head of Products Vulnerabilities Research at Check Point Research, says, “We have found multiple vulnerabilities in the Chess.com platform that allow an attacker to cheat in chess games and solve puzzles without even playing. There are more than 100 million players at Chess.com, so winning a game by cheating can decrease overall scores while increasing the scores of the attackers. Potentially attackers could have exploited the vulnerabilities to grab the prizes.”