Vulnerabilities in Chess.com Could Expose Users to Potential Cheating
Check Point Research (CPR) identified security vulnerabilities in the Chess.com platform. Left unpatched, an attacker can use the security flaws to cheat in chess games and solve games without playing. CPR outlines the exploitation methodology and publishes a technical analysis of the vulnerabilities.
Chess.com boasts over 100M players worldwide
Prizes can reach up to $1M
CPR reports findings to Chess.com, who subsequently issued a security patch
Check Point Research (CPR) identified multiple vulnerabilities in the chess.com platform. Left unpatched, an attacker can use the security flaws to cheat in chess games and solve puzzles, without even playing.
Exploitation of the vulnerabilities is triggered by manipulating both the Chess Game API and Puzzle-solving API of the Chess.com platform. CPR was able to decrease an opponent’s time and win games, as well as extract successful chess moves to solve online puzzle ratings.
Chess.com boasts over 100M players worldwide, and prizes can reach up to $1M.
CPR outlined the attack methodology as follows:
The attacker starts a chess game with somebody he added to his friend list before or during the game.
By adding a player to the friend list, the attacker opens the adjustclock API request, which allows him to give the opponent an extra 15 seconds.
The attacker manipulates the adjustclock API to zero the opponent’s clock and wins the game without the opponent noticing.
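The steps above describe a time-gift feature being turned against the opponent's clock. The sketch below is an added example, not Chess.com's code or its patch, showing the server-side checks that keep such an endpoint to its intended effect. The article does not say which request value was manipulated, so the payload field names, the `Game` record and the `adjust_clock` handler are all assumptions.

```python
from dataclasses import dataclass

GIFT_SECONDS = 15  # the article says the feature grants the opponent 15 extra seconds


class AdjustClockRejected(Exception):
    """Raised when a clock-adjustment request fails server-side validation."""


@dataclass
class Game:  # hypothetical server-side game record
    players: tuple   # the two participants
    clocks: dict     # player -> remaining seconds, held only on the server
    friends: set     # frozenset({a, b}) for each friend pair
    finished: bool = False


def adjust_clock(game, requester, body):
    """Validate a request and apply one fixed gift to the requester's opponent.

    `body` is the parsed request payload; its field names are assumptions.
    """
    if game.finished:
        raise AdjustClockRejected("game is over")
    if requester not in game.players:
        raise AdjustClockRejected("requester is not a participant")
    # The target comes from server state, never from the request.
    opponent = next(p for p in game.players if p != requester)
    if frozenset((requester, opponent)) not in game.friends:
        raise AdjustClockRejected("players are not friends")
    # Any client-supplied amount, target or clock value is refused outright.
    unexpected = set(body) - {"game_id"}
    if unexpected:
        raise AdjustClockRejected(f"unexpected fields: {sorted(unexpected)}")
    game.clocks[opponent] += GIFT_SECONDS  # fixed constant, can only add time
    return game.clocks[opponent]


def demo():
    """Constructed sample: one honest request, then one tampered request."""
    game = Game(("alice", "bob"), {"alice": 60, "bob": 60},
                {frozenset(("alice", "bob"))})
    honest = adjust_clock(game, "alice", {"game_id": "g1"})
    try:
        adjust_clock(game, "alice", {"game_id": "g1", "seconds": -75})
        tampered = "accepted"
    except AdjustClockRejected:
        tampered = "rejected"
    return honest, tampered, game.clocks["bob"]
```

Rejecting unexpected fields, rather than silently ignoring them, also gives the server a clear signal to log when a client sends a modified request.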
CPR responsibly disclosed its findings to Chess.com, who subsequently issued a patch.
Oded Vanunu, Head of Products Vulnerabilities Research at Check Point Research, says, “We have found multiple vulnerabilities in the Chess.com platform that allow an attacker to cheat in chess games and solve puzzles without even playing. There are more than 100 million players at Chess.com, so winning a game by cheating can decrease overall scores while increasing the scores of the attackers. Potentially attackers could have exploited the vulnerabilities to grab the prizes.”