[HN Gopher] How I hacked chess.com with a rookie exploit
___________________________________________________________________
How I hacked chess.com with a rookie exploit
Author : el_duderino
Score : 134 points
Date : 2024-01-26 17:03 UTC (5 hours ago)
(HTM) web link (skii.dev)
(TXT) w3m dump (skii.dev)
| jjbinx007 wrote:
| Hmm, I don't think this is related but I've personally witnessed
| (and even recorded) other people making MY moves in chess.com
| games and also I've been served up a game in progress and I've
| been able to make moves when I shouldn't have been able to.
|
| There are plenty of threads about this too if you Google it. No
| idea if chess.com have fixed this in the last few months, but
| they didn't want to listen when I tried to report it.
|
| All these games were when I was not logged into the site. It's
| never happened to me whilst logged in, but I don't play chess
| that often as it's no good for my blood pressure!
| Uptrenda wrote:
| I was expecting this to be more nooby based on the title. But
| instead they built an exploit that bypassed multiple input
| validation stages with clever hacks. Even going as far as to
| set up sub-domains to resemble the base domain. I'd not have
| expected this to work and found it neat in itself. But I guess
| seeing how complex domains are to parse with regex makes it easy
| to miss things (or maybe it was just something like a: '... in
| variable' check, idk.)
|
| Author knows their stuff. I admire how much dedication that kind
| of craft takes. Spending so much time to get further along. Would
| make for an interesting career.
| gnrlst wrote:
| Also very young making it even more impressive, considering
| they were born > 2005 according to the author's passing mention
| in the post.
| hot_gril wrote:
| The first exploit was pretty simple at least, and also the
| title is a pun. But then it got pretty complex.
| orenlindsey wrote:
| Very cool. I love seeing bug bounty write-ups, especially XSS.
| They always seem so easy to find (but that's just confirmation
| bias, I don't get to see the hours of testing and rabbit trails
| that go nowhere).
| sureglymop wrote:
| In my experience they are usually found after finding something
| weird by accident. Then the real challenge is to exploit that
| flaw (in this case with the text editor).
| tiffanyh wrote:
| https://lichess.org/
|
| The best I've found.
|
| It's also crowd funded and they talk about their interest tech as
| well.
| j0hnyl wrote:
| I love lichess, their mobile app is such a pleasure to use
| compared to chess.com.
| edgyquant wrote:
| I do use lichess on my iPhone, mostly because the pieces
| don't even show up on chess.com. If I'm at my laptop though
| it's chess.com
| edgyquant wrote:
| I and many others find the UX to be worse, the
| tutorials/lessons definitely way less interactive (usually
| consist of just a text dump) and the sheer number of games
| where the opponent doesn't make a single move to be extremely
| frustrating.
|
| It's also impossible to discuss anything related to chess.com
| on here or Reddit because lichess people tend to downvote and
| brigade anyone who doesn't praise it.
| kthxb wrote:
| UX is probably a matter of habit, I for one find the chesscom
| UI unintuitive and I can never find what I'm looking for, but
| Lichess certainly also has its problems.
|
| The free and (to me) intuitive analysis tools on Lichess are
| the killer feature for me.
| hitekker wrote:
| The people I've met from chess.com were straightforward and
| focused on their craft. The product they work on doesn't seem
| to hurt anyone and I haven't seen any exploitation common to
| tech companies. I heard they don't pay Bay Area salaries,
| which probably makes them more sustainable over the long-term.
|
| I wonder if the peaceful co-existence of lichess and
| chess.com co-existing somehow disturbs some esoteric
| ideology.
| TylerLives wrote:
| Iirc, some of the hate comes from the fact they were paying
| popular chess streamers not to play/stream on lichess.
| n_plus_1_acc wrote:
| Since the topic of WebAssembly came up again today,
| lichess uses stockfish compiled to wasm delivered to the client
| to reduce server costs.
| nonethewiser wrote:
| > It's also crowd funded and they talk about their interest
| tech as well.
|
| As well as communism.
|
| > Maker of lichess.org, a hippie communist chess server for
| drug fueled atheists.
|
| https://github.com/ornicar
| cristoperb wrote:
| Can't tell if this comment is supposed to be griping from a
| dour conservative or praise from a communist lichess fan.
| sourcecodeplz wrote:
| I just love LiChess. It is fast and lightweight. People are
| also very nice.
| phyzome wrote:
| What does "OSRF" stand for? Is this like CSRF, but... "Own-Site
| Request Forgery", maybe?
| lkbm wrote:
| Yeah, pretty close: "On-site request forgery"[0]
|
| [0]
| https://github.com/daffainfo/AllAboutBugBounty/blob/master/O...
| cortesoft wrote:
| > This feature reminded me of the MySpace worm in ~2005 (heck, I
| wasn't even alive then!)
|
| Well damn, I get older every day
| dhosek wrote:
| My ex-wife managed the security team at MySpace from about 2006
| to 2008. The really wild part was when she went online to the
| MySpace hacker forums to see how the days' work had gone. The
| insistence on allowing users to put HTML onto the site was a
| huge problem. These days, I think the solution would be to do a
| proper parse of the HTML input and remove forbidden attributes
| and tags, but back then it was handled via insanity with
| regexes.
| paulpauper wrote:
| Ppl were coding up xss back in the day on Myspace to spread
| ringtone offers
| orenlindsey wrote:
| They seriously tried to parse HTML with regex? That's crazy.
| charcircuit wrote:
| They were using regex to block bad input without needing to
| parse HTML.
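The approach dhosek describes (parse the user's HTML, then drop anything not explicitly permitted) is sketched here as an added example; it is not code from the post, from MySpace or from chess.com. It uses Python's standard-library html.parser to rebuild the fragment from the token stream, keeping only an allow-list of tags and attributes and re-escaping all text, so there is no regex for a malformed fragment to slip past. The tag/attribute policy and the sample fragments are constructed for illustration.

```python
from html import escape
from html.parser import HTMLParser

# Constructed policy (hypothetical, for illustration): tags and attributes
# that survive sanitisation. Anything unlisted is dropped or stripped.
ALLOWED_TAGS = {"b", "i", "p", "br", "a"}
ALLOWED_ATTRS = {"a": {"href"}}
ALLOWED_URL_SCHEMES = ("http://", "https://")
VOID_TAGS = {"br"}


class AllowlistSanitizer(HTMLParser):
    """Re-serialises markup from parsed tokens.

    Disallowed tags are dropped (their text is kept as escaped text),
    disallowed attributes are stripped, href values must use an allowed
    scheme, and every text node is HTML-escaped on the way out. Open tags
    are tracked so the output is always balanced.
    """

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.open_stack = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            return  # tag removed; its text content still flows through handle_data
        kept = []
        for name, value in attrs:
            if value is None or name not in ALLOWED_ATTRS.get(tag, set()):
                continue
            if name == "href" and not value.strip().lower().startswith(ALLOWED_URL_SCHEMES):
                continue  # rejects javascript:, data:, vbscript: and friends
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID_TAGS:
            self.open_stack.append(tag)

    def handle_endtag(self, tag):
        if tag not in self.open_stack:
            return  # stray or disallowed close tag: ignore
        # Close everything down to and including the matching open tag.
        while self.open_stack:
            closed = self.open_stack.pop()
            self.out.append(f"</{closed}>")
            if closed == tag:
                break

    def handle_data(self, data):
        # Text is always escaped; the parser already decoded char refs for us.
        self.out.append(escape(data, quote=False))

    def result(self) -> str:
        # Close anything the input left open so the output stays well-formed.
        while self.open_stack:
            self.out.append(f"</{self.open_stack.pop()}>")
        return "".join(self.out)


def sanitize(fragment: str) -> str:
    """Return an allow-listed, well-formed version of a user-supplied fragment."""
    parser = AllowlistSanitizer()
    parser.feed(fragment)
    parser.close()
    return parser.result()


# Constructed sample fragments covering event handlers, disallowed tags,
# dangerous URL schemes and unclosed markup.
SAMPLES = [
    '<p onclick="x()">Hi <b>there</b></p>',
    '<img src=x onerror=y()>',
    '<a href="javascript:y()">link</a>',
    '<a href="https://example.com/page">link</a>',
    '<b>bold',
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{s!r:45} -> {sanitize(s)!r}")
```

The point of the design is that the decision is made on the parser's view of the document, the same view a browser would take, rather than on byte patterns in the raw string.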
| scrapcode wrote:
| My first thought was something along the lines of "great to see
| these young kids doing this kind of work." Doing that math hurt
| my soul.
| atdt wrote:
| Could someone explain how re-directing from a subdomain
| (chess.com.foo.bar) somehow got past some same-origin check?
| fnimick wrote:
| It wasn't a proper same-origin check - the server code was
| checking to see if the image was hosted elsewhere, and if so,
| it would download and self-host it. The code to check if it was
| on `chess.com` probably just checked to see if the domain
| included that string, because laziness.
| semitones wrote:
| if it's happening server side they might have had a bug where
| they are doing naive substring comparison instead of actual
| domain evaluation
| DistractionRect wrote:
| Clearly chess.com was using something like "starts with" to
| process the re-upload. Basically don't re-upload if it starts
| with https://chess.com, but filter out if it starts with
| https://chess.com/registration-invite
|
| Typically same origin policies are relaxed for things like
| images by default [0]. So they came up with a trampoline, they
| created a chess.com.theirDomain.tld to get past the re-upload
| filter, which in turn returned a redirect, which the browser
| followed.
|
| [0] https://developer.mozilla.org/en-
| US/docs/Web/Security/Same-o...
| betenoire wrote:
| it sounded like server-side code allow-lists the source, so it was
| probably just doing a string prefix check. the code to make the
| friend relation doesn't happen in the browser
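The sub-thread above converges on a prefix or substring test standing in for a real host comparison. As an added example (not code from the write-up or from chess.com, whose actual check is not shown), here are the two weak patterns beside a parsed check that compares the hostname as a label sequence. The trusted host name and the sample URLs are constructed; the example goes a little beyond the thread by also covering a look-alike TLD, a userinfo-smuggled name and a non-HTTPS scheme.

```python
from urllib.parse import urlsplit

# Constructed: the first-party host an upload handler would treat as "ours".
TRUSTED_HOST = "chess.com"
ALLOWED_SCHEMES = {"https"}


def naive_prefix_check(url: str) -> bool:
    """The pattern the thread suspects: 'already one of ours?' decided by
    a string prefix. Any URL that merely *starts with* the trusted URL
    passes, including hosts such as chess.com.somewhere-else.tld."""
    return url.startswith("https://" + TRUSTED_HOST)


def naive_substring_check(url: str) -> bool:
    """Weaker still: the trusted name may appear anywhere in the URL."""
    return TRUSTED_HOST in url


def is_first_party(url: str, allow_subdomains: bool = True) -> bool:
    """Parse the URL and compare the hostname, not the raw string.

    Accepts TRUSTED_HOST itself or, optionally, a host strictly under it
    (label boundary enforced by the leading '.'), and nothing else.
    Scheme is checked so plain http: is not mistaken for first-party.
    """
    try:
        parts = urlsplit(url)
    except ValueError:
        return False
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False
    host = parts.hostname  # lowercased; userinfo and port already removed
    if not host:
        return False
    host = host.rstrip(".")
    if host == TRUSTED_HOST:
        return True
    return allow_subdomains and host.endswith("." + TRUSTED_HOST)


# Constructed sample URLs: genuine first-party, the trampoline shape from the
# thread, a look-alike TLD, a name smuggled into userinfo, a name in the
# query string, and the right host over the wrong scheme.
SAMPLES = [
    "https://chess.com/images/avatar.png",
    "https://www.chess.com/images/avatar.png",
    "https://chess.com.attacker.example/avatar.png",
    "https://chess.comm/avatar.png",
    "https://chess.com@attacker.example/avatar.png",
    "https://attacker.example/?ref=chess.com",
    "http://chess.com/avatar.png",
]


def compare(urls=SAMPLES):
    """Map each URL to (prefix, substring, parsed) verdicts for side-by-side reading."""
    return {
        u: (naive_prefix_check(u), naive_substring_check(u), is_first_party(u))
        for u in urls
    }


if __name__ == "__main__":
    for url, (p, s, f) in compare().items():
        print(f"{url:48} prefix={p!s:5} substring={s!s:5} parsed={f}")
```

Only the parsed check rejects every non-first-party sample; the prefix check passes the trampoline host and the look-alike TLD, and the substring check passes everything. A fetch-and-rehost feature should also apply the same hostname test after following any redirect, since the thread notes the browser was happy to follow one.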
| bbno4 wrote:
| Wow! This is so cool, love the pun in the title hehe
| JakeSkii wrote:
| Hi, OP here! Thank you all so much for the positive comments. To
| give some background: I'm a 17 year old student in the UK doing
| my A-Levels, still deciding what uni to go to and looking for
| degree apprenticeship options! You can check out my github profile
| here -> https://github.com/Jayy001 (I'm one of the core members
| behind HashPals, creating Search-That-Hash as well as being a
| maintainer for the open-source repository of free software for
| the ReMarkable tablet)
| tehlike wrote:
| I am going to try referring you for Meta. Can you send me your
| resume/email/etc to tehlike gmail com?
___________________________________________________________________
(page generated 2024-01-26 23:00 UTC)