[BreachExchange] Vulnerability in Chess.com allowed access to 50 Million user records

Destry Winant destry at riskbasedsecurity.com
Tue Feb 16 10:50:02 EST 2021


https://www.hackread.com/vulnerability-chess-com-50-million-user-records-accessed/

The vulnerability could have been exploited to access any account on
the site including the Chess.com administrator account.

An IT security researcher identified a critical set of vulnerabilities
in the API of chess.com, an immensely popular online chess site and
app. The vulnerability could have been exploited to access any account
on the site. It could also be used to gain full access to the site
through its admin panel.

What Happened?

Cybersecurity researcher Sam Curry spent a lot of time finding
vulnerabilities in Chess.com. The researcher started by looking for
generic vulnerabilities and stumbled upon a reflected XSS that could
be exploited to drop a backdoor and gain access to a victim’s account.

An attacker could also extract the “Connect to Google” URL,
authenticate it with their own account, and then use an XSS hook and
an HTTP request to bind a victim’s chess.com account to the attacker’s
account.

Account Takeover Vulnerability

The “Account Takeover Vulnerability”, as explained by the researcher,
was found after the API’s subdomain, “api.chess.com”, was discovered.
The researcher intercepted the HTTP traffic of the app and noticed the
API requests going to this domain while using the app.

The requests from the app to the API were signed and could not be
tampered with easily. However, when the researcher searched for a
username in order to send a message, a request was sent to fetch that
user’s information, and the response contained the user’s email
address. On its own, this is a vulnerability of medium severity.

However, the actual vulnerability was the returned “session_id”: it
was unique to each user and to that user’s session on the researcher’s
computer, and it was the authorization token that let the researcher
hijack any session.
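The defect described above is a user-lookup endpoint that serialized far more of the user record than the caller needed, including the session token. The following example is added here and is not Chess.com’s code; the record, field names other than “email” and “session_id”, and the token value are constructed. It shows the leaky serializer beside an allowlist-based one, plus a small regression check that walks a JSON response body and flags any credential-like key, which a team can run against API responses in CI.

```python
import json
import re

# Constructed server-side user record (illustrative; only "email" and
# "session_id" are field names the article actually mentions).
USER_RECORD = {
    "id": 12345,
    "username": "example_player",
    "email": "player@example.invalid",
    "session_id": "constructed-session-token-0000",
    "country": "US",
    "rating_blitz": 1532,
}

# Vulnerable pattern: the lookup endpoint dumps the whole record, so a
# search for any username hands the caller that user's session token.
def leaky_user_lookup(record: dict) -> str:
    return json.dumps(record)

# Hardened pattern: an explicit allowlist of fields that are public.
# Anything not named here (email, session_id, future columns) never leaves.
PUBLIC_FIELDS = ("id", "username", "country", "rating_blitz")

def safe_user_lookup(record: dict) -> str:
    return json.dumps({k: record[k] for k in PUBLIC_FIELDS if k in record})

# Regression check: key names that should never appear in a public response.
SENSITIVE_KEY = re.compile(r"session|token|secret|password|email", re.I)

def find_sensitive_keys(body: str) -> list[str]:
    """Return dotted paths of keys in a JSON body whose name looks credential-like."""
    hits: list[str] = []

    def walk(node, path: str) -> None:
        if isinstance(node, dict):
            for key, value in node.items():
                here = f"{path}.{key}" if path else key
                if SENSITIVE_KEY.search(key):
                    hits.append(here)
                walk(value, here)
        elif isinstance(node, list):
            for i, item in enumerate(node):
                walk(item, f"{path}[{i}]")

    walk(json.loads(body), "")
    return hits

if __name__ == "__main__":
    print("leaky:", find_sensitive_keys(leaky_user_lookup(USER_RECORD)))
    print("safe: ", find_sensitive_keys(safe_user_lookup(USER_RECORD)))
```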

For further confirmation, the researcher wrote in a blog post that he
hijacked the account of one of Chess.com’s administrators, Daniel
Rensch, and was able to access the administrative dashboard. At this
point, the whole site was at the researcher’s disposal, allowing full
control of any account on the site.

Thankfully, the researcher had no intention of attacking Chess.com and
was working purely for academic purposes. The administration of
chess.com was contacted and the bug was fixed within two hours.

How to be safe?

Although the bug is fixed, there are some practices that should be
adopted to stay safe from any future attack. It is best practice to
never use the same password for more than one site, since a
vulnerability in one site can expose every account that uses the same
email and password combination.

About Chess.com

Chess.com is a huge platform for chess players with hundreds of
thousands of players playing at any given time. The website hosts tens
of millions of games per day. This shows that the site has a huge
number of users and it is a very important place for chess fans.
