Last Updated on 14/02/2021 by Drashti
An IT security researcher identified a critical set of vulnerabilities in the API of chess.com, a popular online chess site and app. The vulnerabilities could have been exploited to take over any account on the site, and, by hijacking an administrator's account, to gain full access to the site through its admin panel.
Chess.com is an online chess server, internet forum and social-networking platform. With hundreds of thousands of players online at any given time and tens of millions of games a day hosted on the site, it has a very large user base, and for chess enthusiasts it is a very important place.
How was the vulnerability discovered?
Cybersecurity researcher Sam Curry spent a considerable amount of time looking for vulnerabilities in Chess.com. He started with generic bug classes and came across a reflected XSS that could be used to drop a backdoor into a victim's browser session and gain access to the victim's account.
An attacker could also extract the “Connect to Google” URL, complete the Google authentication with their own Google account, and then use the XSS hook to replay the resulting linking request from the victim's browser. Because that request was made with the victim's session, it linked the victim's chess.com account to the attacker's Google account.
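The account-linking abuse described above is a standard OAuth link-CSRF: the callback that completes the link is accepted in whoever's session presents it. The following is an added example, not Chess.com's code and not taken from the researcher's write-up; it models a hypothetical "Connect to Google" flow with constructed code values and session names, and shows a callback handler that accepts any replayed request next to one that binds the OAuth `state` parameter to the session that started the flow.

```python
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

# Constructed stand-ins (hypothetical, not real Chess.com or Google data):
# authorization codes Google would hand back, and which Google identity each resolves to.
CODES = {"code-attacker": "google:attacker", "code-victim": "google:victim"}
PENDING_STATE = {}   # chess.com session user -> state issued when they clicked "Connect to Google"
LINKS = {}           # chess.com session user -> linked Google identity


def start_link(session_user):
    """Build the 'Connect to Google' URL and remember the state for this session."""
    state = secrets.token_urlsafe(16)
    PENDING_STATE[session_user] = state
    params = {
        "client_id": "chess-example",                                   # hypothetical
        "redirect_uri": "https://chess.example/oauth/google/callback",  # hypothetical
        "response_type": "code",
        "scope": "openid email",
        "state": state,
    }
    return "https://accounts.google.com/o/oauth2/v2/auth?" + urlencode(params)


def state_from(url):
    """Extract the state parameter an attacker (or the real user) sees in the URL."""
    return parse_qs(urlparse(url).query).get("state", [None])[0]


def exchange_code(code):
    """Stand-in for the server-side code exchange with Google."""
    return CODES[code]


def callback_vulnerable(session_user, code, state=None):
    """Links whatever Google identity the code resolves to into the current session.
    The state parameter is ignored, so a replayed URL links the attacker's Google
    account to the victim's chess.com account."""
    LINKS[session_user] = exchange_code(code)
    return True


def callback_fixed(session_user, code, state):
    """Only completes the link if this session started the flow with this exact state."""
    expected = PENDING_STATE.pop(session_user, None)
    if expected is None or state is None:
        return False
    if not secrets.compare_digest(expected.encode(), state.encode()):
        return False
    LINKS[session_user] = exchange_code(code)
    return True


def simulate_replay(callback):
    """Attacker starts the flow in their own session, logs in with their own Google
    account, then replays the callback inside the victim's session (via the XSS hook).
    Returns what the victim's account ends up linked to."""
    PENDING_STATE.clear()
    LINKS.clear()
    attacker_state = state_from(start_link("attacker"))
    callback("victim", "code-attacker", attacker_state)
    return LINKS.get("victim")


def simulate_legit(callback):
    """The victim links their own Google account normally."""
    PENDING_STATE.clear()
    LINKS.clear()
    state = state_from(start_link("victim"))
    callback("victim", "code-victim", state)
    return LINKS.get("victim")


if __name__ == "__main__":
    print("vulnerable, replayed:", simulate_replay(callback_vulnerable))  # google:attacker
    print("fixed, replayed:", simulate_replay(callback_fixed))            # None
    print("fixed, legitimate:", simulate_legit(callback_fixed))           # google:victim
```

The fix does not depend on the XSS being gone: even with a hook in the victim's browser, the replayed URL carries the attacker's state, which never matches anything pending in the victim's session, so the link is refused.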
The account takeover vulnerability
As the researcher explained, the account takeover vulnerability was found once the API subdomain, api.chess.com, was identified. While using the mobile app he intercepted its HTTP traffic and noticed API requests going to this domain.
The app's requests to the API were signed and could not easily be abused. However, when the researcher looked up a username in order to send that user a message, the app sent a request to fetch the user's details, and the response included the user's email address. On its own this is a medium-severity information disclosure.
The real vulnerability was that the same response also returned a “session-id”. This value was specific to each user and to that user's session on their own device, and it served as an authorization token: anyone holding it could hijack that user's session, so a lookup of any username yielded a working token for that account.
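The pattern behind this bug is a user-lookup endpoint that serialises the whole user record, including fields that only the owner (or only the server) should ever see. As an added example, not Chess.com's code and not the researcher's, the following models a hypothetical user store with constructed users and tokens, shows how a leaked `session_id` turns a lookup into a session hijack, contrasts it with an allowlisted public projection, and adds a small response-audit helper of the kind one would run in API tests to catch secret-looking keys before they ship.

```python
from dataclasses import dataclass, asdict


@dataclass
class User:
    username: str
    email: str
    rating: int
    session_id: str  # server-side session / authorization token; must never leave the server


# Constructed sample data standing in for the user store and session store (hypothetical).
USERS = {
    "alice": User("alice", "alice@example.com", 1850, "sess-a1b2c3"),
    "admin_bob": User("admin_bob", "bob@example.com", 2100, "sess-d4e5f6"),
}
SESSIONS = {u.session_id: u.username for u in USERS.values()}


def lookup_user_vulnerable(username):
    """Serialises the full record, leaking email and session_id to any caller."""
    user = USERS.get(username)
    return asdict(user) if user else None


PUBLIC_FIELDS = ("username", "rating")  # explicit allowlist of what a lookup may expose


def lookup_user_fixed(username):
    """Returns only the allowlisted public projection of the record."""
    user = USERS.get(username)
    if user is None:
        return None
    return {field: getattr(user, field) for field in PUBLIC_FIELDS}


def whoami(session_id):
    """What an authenticated endpoint sees when presented with a session token."""
    return SESSIONS.get(session_id)


def hijack_via_lookup(lookup, victim):
    """Attacker path: look up the victim, take whatever token came back, present it as
    the authorization token. Returns the identity the server now believes it is serving."""
    details = lookup(victim) or {}
    token = details.get("session_id")
    return whoami(token) if token else None


# Substrings that mark a response key as something a public endpoint should not return.
SENSITIVE = ("session", "token", "password", "secret", "email")


def sensitive_keys(obj, path=""):
    """Recursively list dotted paths of keys in an API response that look like secrets."""
    found = []
    if isinstance(obj, dict):
        for key, value in obj.items():
            here = f"{path}.{key}" if path else key
            if any(marker in key.lower() for marker in SENSITIVE):
                found.append(here)
            found.extend(sensitive_keys(value, here))
    elif isinstance(obj, list):
        for index, value in enumerate(obj):
            found.extend(sensitive_keys(value, f"{path}[{index}]"))
    return found


if __name__ == "__main__":
    print("vulnerable:", hijack_via_lookup(lookup_user_vulnerable, "admin_bob"))  # admin_bob
    print("fixed:", hijack_via_lookup(lookup_user_fixed, "admin_bob"))            # None
    print("audit:", sensitive_keys(lookup_user_vulnerable("alice")))              # ['email', 'session_id']
```

Note that the hijack needs neither the victim's password nor their device; the token alone is accepted. The allowlist is the durable fix, because any new column added to the record later stays private by default, whereas a denylist silently leaks the next sensitive field someone adds.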
The researcher wrote in a blog post that he used this to hijack the account of a Chess.com administrator, Daniel Rensch, and, as further proof of impact, reached the administrative dashboard. At that point the entire site was at his disposal: an attacker in the same position could have taken complete control of any account on the site.
Fortunately, the researcher did not intend to harm Chess.com and was acting strictly for research purposes. Chess.com's administration was contacted and the problem was patched within two hours.
Even though the bug is patched, a few habits limit the damage from any similar attack. Never use the same password for more than one site: a single site's breach reveals every account that uses the same email and password combination. Note, though, that password hygiene would not have stopped this particular bug, since a leaked session token is accepted without the password at all; that part of the fix could only come from the site's side, by never returning session tokens or email addresses in responses to other users' lookups.