Press Release

Vulnerabilities in Chess.com Could Expose Users to Potential Cheating

Check Point Research (CPR) identified security vulnerabilities in the Chess.com platform. Until patched, the flaws allowed an attacker to cheat in chess games and to solve puzzles without actually playing. CPR outlines the exploitation methodology and publishes a technical analysis of the vulnerabilities.

  • Chess.com boasts over 100M players worldwide
  • Prizes can reach up to $1M
  • CPR reports findings to Chess.com, who subsequently issued a security patch

Check Point Research (CPR) identified multiple vulnerabilities in the Chess.com platform. Until patched, the flaws allowed an attacker to cheat in chess games and to solve puzzles without even playing.

The vulnerabilities are exploited by manipulating both the Chess Game API and the puzzle-solving API of the Chess.com platform. CPR was able to reduce an opponent's remaining time and win games, and to extract the solving moves of online puzzles, which inflates a puzzle rating without any puzzle being solved.

Chess.com boasts over 100M players worldwide, and prizes can reach up to $1M.

Attack Methodology

CPR outlined the attack methodology as follows:

  1. The attacker starts a chess game against a player who was added to the attacker's friend list, either before or during the game
  2. Adding the opponent to the friend list unlocks the adjustclock API request, a feature intended to let a player give the opponent an extra 15 seconds
  3. The attacker manipulates the adjustclock API request to zero the opponent's clock instead, and wins the game without the opponent noticing
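The root cause described above is a server that trusts the client-supplied clock adjustment. The following is an added illustration, not Chess.com's code or CPR's published analysis: a constructed game model with a flawed adjustclock handler next to a hardened one in which the server fixes the bonus amount, restricts the target to the opponent, requires the friend relation and caps the number of bonuses per game. The handler names, the per-game limit and the audit list are assumptions.

```python
from dataclasses import dataclass, field

BONUS_MS = 15_000          # the "give the opponent 15 seconds" feature
MAX_BONUSES_PER_GAME = 3   # assumed policy limit, not a Chess.com value
AUDIT = []                 # rejected requests, kept for monitoring


@dataclass
class Game:
    white: str
    black: str
    clocks_ms: dict                       # player -> remaining time in ms
    bonuses_given: dict = field(default_factory=dict)


def opponent_of(game, player):
    if player == game.white:
        return game.black
    if player == game.black:
        return game.white
    raise PermissionError("requester is not a participant in this game")


def adjustclock_vulnerable(game, requester, target, delta_ms):
    """Flawed pattern: the client chooses both the target and the amount,
    so a negative delta drains the opponent's clock to zero."""
    game.clocks_ms[target] = max(0, game.clocks_ms[target] + delta_ms)
    return game.clocks_ms[target]


def adjustclock_hardened(game, requester, target, friends):
    """Server decides the amount; the client may only name the opponent."""
    opponent = opponent_of(game, requester)
    if target != opponent:
        raise PermissionError("time may only be given to the opponent")
    if opponent not in friends.get(requester, set()):
        raise PermissionError("time bonus requires a friend relation")
    given = game.bonuses_given.get(requester, 0)
    if given >= MAX_BONUSES_PER_GAME:
        raise PermissionError("bonus limit for this game reached")
    game.bonuses_given[requester] = given + 1
    game.clocks_ms[opponent] += BONUS_MS        # only ever adds time
    return game.clocks_ms[opponent]


def attempt(game, requester, target, friends):
    """Records rejected requests instead of raising, so anomalies are visible."""
    try:
        return adjustclock_hardened(game, requester, target, friends)
    except PermissionError as exc:
        AUDIT.append((requester, target, str(exc)))
        return None
```

A burst of rejected adjustclock requests from one account in the audit list is the signal a defender would alert on.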

Responsible Disclosure:

CPR responsibly disclosed its findings to Chess.com, who subsequently issued a patch.

Quote: Oded Vanunu, Head of Products Vulnerabilities Research at Check Point Research:

“We have found multiple vulnerabilities in the Chess.com platform that allow an attacker to cheat in chess games and solve puzzles without even playing. There are more than 100 million players at Chess.com, so winning a game by cheating can decrease overall scores while increasing the scores of the attackers. Potentially, attackers could have exploited the vulnerabilities to grab the prizes.”

About Check Point Software Technologies Ltd.

Check Point Software Technologies Ltd. (https://www.checkpoint.com/) is a leading provider of cyber security solutions to corporate enterprises and governments globally. Check Point Infinity's portfolio of solutions protects enterprises and public organisations from 5th generation cyber-attacks with an industry leading catch rate of malware, ransomware and other threats. Infinity comprises three core pillars delivering uncompromised security and generation V threat prevention across enterprise environments: Check Point Harmony, for remote users; Check Point CloudGuard, to automatically secure clouds; and Check Point Quantum, to protect network perimeters and datacenters, all controlled by the industry's most comprehensive, intuitive unified security management; Check Point Horizon, a prevention-first security operations suite. Check Point protects over 100,000 organizations of all sizes.