The vulnerability could have been exploited to access any account on the site including the Chess.com administrator account.
An IT security researcher identified a critical set of vulnerabilities in the API of Chess.com, an immensely popular online chess site and app. The vulnerability could have been exploited to access any account on the site, and it could also be used to gain full access to the site through its admin panel.
Cybersecurity researcher Sam Curry spent a lot of time finding vulnerabilities in Chess.com. He started by looking for generic vulnerabilities and stumbled upon a reflected XSS that could be exploited to drop a backdoor and gain access to a victim’s account.
An attacker could also extract the “Connect to Google” URL, authenticate it with their own account, and then use an XSS hook and an HTTP request to bind a victim’s chess.com account to the attacker’s account.
Account Takeover Vulnerability
The “Account Takeover Vulnerability”, as the researcher explained, was found after he discovered the subdomain for the API, “api.chess.com”. The researcher intercepted the HTTP traffic and noticed the API requests going to this domain while using the app.
The requests from the app to the API were signed and could not be tampered with easily. But when the researcher searched for a username in order to send a message, a request was sent to fetch that user’s information, and the response contained the user’s email address. On its own, this made it a vulnerability of medium severity.
However, the actual vulnerability was the returned “session_id”. This value was unique to each user and to the session on the researcher’s computer; it was the authorization token, so with it the researcher could hijack any user’s session.
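The root cause described above is a user-lookup endpoint that serialised the whole internal user record, including the email address and the session identifier, instead of only the fields meant to be public. The following is an added example, not code from the article or from Chess.com: it contrasts a hypothetical endpoint that dumps the full record with one that uses an explicit allowlist, and includes a small audit helper a defender can run over decoded JSON responses to flag keys that look like sessions, tokens or credentials. The record, field names and key markers are all constructed for the example.

```python
import json

# Constructed sample of an internal user record as a backend might hold it.
# This is hypothetical test data, not a real record or a real API shape.
RAW_USER_RECORD = {
    "user_id": 1001,
    "username": "example_player",
    "avatar_url": "https://example.invalid/avatar.png",
    "email": "player@example.invalid",
    "session_id": "constructed-session-token-123",
    "password_hash": "constructed-hash",
}

# Fields that a "look up a user to message them" endpoint legitimately needs.
# Everything else stays server-side by default (allowlist, not denylist).
PUBLIC_FIELDS = ("user_id", "username", "avatar_url")

# Substrings that usually mark a key as sensitive. Assumed list for the audit;
# extend it for your own API.
SENSITIVE_KEY_MARKERS = ("session", "token", "password", "secret", "email", "api_key")


def serialize_public_user(record):
    """Allowlist serializer: emit only fields explicitly marked public."""
    return {k: record[k] for k in PUBLIC_FIELDS if k in record}


def vulnerable_lookup_response(record):
    """Mirrors the flaw in the article: the whole record goes to the caller."""
    return json.dumps(record)


def hardened_lookup_response(record):
    """Same endpoint, but routed through the allowlist serializer."""
    return json.dumps(serialize_public_user(record))


def find_sensitive_keys(payload, path=""):
    """Walk decoded JSON and return dotted paths of keys that look sensitive.

    Intended for an API contract test or a proxy-side check on responses
    sent to other users; nested objects and lists are traversed.
    """
    hits = []
    if isinstance(payload, dict):
        for key, value in payload.items():
            here = f"{path}.{key}" if path else key
            if any(marker in key.lower() for marker in SENSITIVE_KEY_MARKERS):
                hits.append(here)
            hits.extend(find_sensitive_keys(value, here))
    elif isinstance(payload, list):
        for index, value in enumerate(payload):
            hits.extend(find_sensitive_keys(value, f"{path}[{index}]"))
    return hits


def audit_response(body):
    """Decode a JSON response body and report sensitive-looking keys."""
    return find_sensitive_keys(json.loads(body))


if __name__ == "__main__":
    leaky = vulnerable_lookup_response(RAW_USER_RECORD)
    safe = hardened_lookup_response(RAW_USER_RECORD)
    print("vulnerable response leaks:", audit_response(leaky))
    print("hardened response leaks:", audit_response(safe))
```

The important design choice is the allowlist: a serializer that lists what may leave the server fails closed when a new column such as a session token is added to the user model, whereas a denylist silently starts leaking it. The audit helper is a cheap second line of defence in CI, because it catches the mistake in any endpoint, not just the one that was fixed.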
For further confirmation, the researcher wrote in a blog post that he hijacked the account of one of Chess.com’s administrators, Daniel Rensch, and was able to access the administrative dashboard. At this point, the whole site was at his disposal, and he could have taken full control of any account on the site.
Thankfully the researcher did not wish to attack Chess.com and was only working for academic purposes. The administration of chess.com was contacted and the bug was fixed within two hours.
How to be safe?
Although the bug is fixed, there are some practices that should be adopted to stay safe from any future attack. It is best practice never to use the same password for more than one site, because a vulnerability in one site can expose every account that uses the same email and password combination.
Chess.com is a huge platform for chess players, with hundreds of thousands of players playing at any given time and tens of millions of games hosted per day. This shows that the site has a huge number of users and is a very important place for chess fans.