Check Point Research (CPR) has identified security vulnerabilities in Chess.com, the gaming platform for online chess, which boasts over 100 million players and hosts events where prizes can reach up to US$1 million. If left unpatched, the flaws would let an attacker cheat, for example by decreasing an opponent's time, or extract successful chess moves to solve online puzzles.
Exploitation works by manipulating both the Chess game API and the puzzle-solving API of the Chess.com platform.
CPR set out to check whether it is possible to cheat in games by abusing a security vulnerability.
“We discovered that it is possible to win by decreasing the opponent's time and winning the game over time, without the opponent noticing what happened. In addition, it is possible to extract successful chess moves to solve online puzzle challenges and win puzzle ratings. In this method, we simply need to catch the communication between the client side (player) and the server (Chess.com website). The server accidentally sends the correct solution to the puzzle! We can then abuse and cheat on puzzle championships (in which the winner gets prize money) by simply submitting the correct moves we found. Moreover, it is possible to modify the elapsed time to think about the solution,” note the researchers at CPR.
CPR responsibly disclosed its findings to Chess.com, which subsequently issued a patch.
CPR also outlined the attack methodology, as detailed below.
The attacker starts a chess game with somebody he added to his friend list before or during the game. By adding a player to the friend list, the attacker opens the adjust-clock API request, which allows him to give the opponent an extra 15 seconds. Then, the attacker manipulates the adjust-clock API to zero the opponent’s clock and wins the game without the opponent noticing.
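The class of fix for the adjust-clock abuse described above, shown as an added example that is not Chess.com's code or its actual patch: the server derives the target and the amount itself and rejects any request carrying more than the bare intent. The `Game` structure, the request field names, the grant cap and the sample request bodies are all assumptions constructed for illustration.

```python
from dataclasses import dataclass, field

GRANT_SECONDS = 15         # the only adjustment the feature offers, per the article
MAX_GRANTS_PER_PLAYER = 3  # assumption: cap chosen for this example

class AdjustClockRejected(Exception):
    """Raised when a request does not match the one permitted operation."""

@dataclass
class Game:  # hypothetical server-side game state
    players: tuple                              # the two user ids
    clocks: dict                                # user id -> seconds remaining
    grants: dict = field(default_factory=dict)  # user id -> grants given so far

def adjust_clock(game, requester, request):
    """Apply one fixed time grant to the requester's opponent.

    Target and amount are derived on the server. Any extra client-supplied
    field (an amount, a target, an absolute clock value) is rejected.
    """
    if requester not in game.players:
        raise AdjustClockRejected("requester is not a player in this game")
    if set(request) != {"action"} or request["action"] != "give_time":
        raise AdjustClockRejected("request carries unexpected fields or action")
    if game.grants.get(requester, 0) >= MAX_GRANTS_PER_PLAYER:
        raise AdjustClockRejected("grant limit reached")
    opponent = next(p for p in game.players if p != requester)
    game.clocks[opponent] += GRANT_SECONDS  # the clock can only increase
    game.grants[requester] = game.grants.get(requester, 0) + 1
    return game.clocks[opponent]

def run_samples():
    """Run constructed requests and return (outcomes, opponent clock)."""
    game = Game(players=("alice", "bob"), clocks={"alice": 300, "bob": 300})
    samples = [  # constructed request bodies; field names are hypothetical
        {"action": "give_time"},
        {"action": "give_time", "seconds": -300},
        {"action": "set_clock", "value": 0},
    ]
    outcomes = []
    for body in samples:
        try:
            outcomes.append(adjust_clock(game, "alice", body))
        except AdjustClockRejected as exc:
            outcomes.append(f"rejected: {exc}")
    return outcomes, game.clocks["bob"]

if __name__ == "__main__":
    print(run_samples())
```

Rejected requests are also worth logging per account, since a legitimate client never sends them.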
Notably, Chess.com is the world's leading platform for online chess games. It is an internet chess server, news website, and social networking website. Chess.com has a strong focus on community-based forums and blogs. These social features allow players to connect, become friends, share their thoughts and experiences, and learn from each other. There are 2.5 million active members daily. One of the most prominent chess platforms in the world, Chess.com has hosted online tournaments such as the Chess.com Global Championship.
In recent years, Chess.com has invested substantially in detecting cheaters using various techniques. Cheating in chess is a deliberate violation of the rules of chess or other behaviour intended to give a player or team an unfair advantage. It can occur in many forms and can take place before, during, or after a game.
“We have found multiple vulnerabilities in the Chess.com platform that allow an attacker to cheat in chess games and solve puzzles without even playing. There are more than 100 million players at Chess.com, so winning a game by cheating can decrease overall scores while increasing the scores of the attackers. Potentially attackers could have exploited the vulnerabilities to grab the prizes,” says Oded Vanunu, head of products vulnerabilities research at Check Point Research.