Check Point Research: Vulnerabilities in Chess.com could Expose users to Potential Cheating
March 2023 by Check Point Research (CPR)
Check Point Research (CPR) identified security vulnerabilities in the Chess.com platform. Left unpatched, an attacker can use the security flaws to cheat in chess games and solve games without playing. CPR outlines the exploitation methodology and publishes a technical analysis of the vulnerabilities.
• Chess.com boasts over 100M players worldwide
• Prizes can reach up to $1M
• CPR reports findings to Chess.com, who subsequently issued a security patch
Check Point Research (CPR) identified multiple vulnerabilities in the chess.com platform. Left unpatched, an attacker can use the security flaws to cheat in chess games and solve puzzles, without even playing.
Exploitation of the vulnerabilities is triggered by manipulating both the Chess Game API and Puzzle-solving API of the Chess.com platform. CPR was able to decrease an opponent’s time and win games, as well as extract successful chess moves to solve online puzzle ratings.
Chess.com boasts over 100M players worldwide, and prizes can reach up to $1M.
CPR outlined the attack methodology as follows:
1. The attacker starts a chess game with somebody he added to his friend list before or during the game
2. By adding a player to the friend list, the attacker opens the adjustclock API request which allows him to give the opponent extra 15 seconds
3. Attacker manipulates the adjustclock API to ZERO the opponent’s clock and wins the game without the opponent’s notice
CPR responsibly disclosed its findings to Chess.com, who subsequently issued a patch.
Oded Vanunu, Head of Products Vulnerabilities Research at Check Point Research:
“We have found multiple vulnerabilities in the Chess.com platform that allows an attacker to cheat in chess games and solve puzzles without even playing. There are more than 100 million players at Chess.com, so winning a game by cheating can decrease overall scores while increasing the scores of the attackers. Potentially attackers could have exploited the vulnerabilities to grab the prizes."