Hacks Chess.com

0 views

Skip to first unread message

Colette

unread,

Aug 3, 2024, 3:42:41 PM8/3/24

to broodletmostli

Probably wasn't hacking ... if you want to cheat it'd be a lot easier just to play off an engine. But, it's possible he was playing around wishfully and then a bizarre glitch allowed him to do something he otherwise couldn't, and the computer reset the notation to make sense of it for itself ...

Well, I see where the moves notated allow for fair taking of the Queen ... but as I was not present when the alleged incident happened, I'm inclined to believe Mr_ha. He describes it as happening all in a single move ... so if there was a glitch, perhaps the computer understood something was wrong and tried to notate what it thought had happened? I don't know.

I'd like to get jon11219's thoughts on the issue. What did it look like from his perspective? I don't think he was cheating/hacking, I suspect he was wishfully hovering his bishop over said Queen when "Poof" his wish came true!

Hacking doesn't make sense, and without substantial evidence to the contrary I don't like to suggest people are creating fictional problems ... therefore the most logical solution in my mind is a random computer glitch that tried to fix itself ...

Just to confirm, Mr_ha, you're not pulling our leg, are you? Just trying to see how many of us would take the time to check the notation, and how many of us would start speculating without looking at the obvious answer?

I hope my computer glitch theory isn't insulting to the chess.com staff ... I don't intend it as such. You guys are pretty awesome and for the most part everything works really good (sometimes really, really slow, but really good!).

The other night I was playing a game and this guy hhm1965 or something like that and he made his king disappear hand to god it was ridiculous then I collected a couple of his pieces, the his invisible piece started takin my pieces out so I just started movin my pawn up the board as fast as possible, then he started doom the same, I told him to accept a draw or I'd report him then magically lol I resigned then I went back on the computer site(I was playing on my cell phone) and it showed him checkmating me after 13 moves, and i swear yo god that was NOT the game i played!!!! seriously that was one of the craziest things I've ever seen... True story!!!

vladimir82 make the same to me... his king disapear a rook from nowhere appear and start taking mi pieces. i take some pieces of him and started to push a pawn i got checked by an invisible piece and my king has no place to go and no moves available... i refresh the page and reconnect but nothing changes... i say that i will report him and he didn't say anything.. i lost on time and then he left the chat. fix this shit. Sry for my bad english.

The glitch I am finding quite often (and refreshing the webpage does fix it), is I will start a game and I can see my pawn move, and then NOTHING on the other side yet the clock is running down on me because the other guy has in fact moved. I can not move anything nor see his move and then it finally times me out.

Recently, An extension on my computer said that chess.com has been recently hacked, but idk if that's true because I feel like the notification popped up from another site and I feel suspicious that chess.com did get hacked.

Nothing was leaked. Emails were found from another hacked site, the site find friends feature was used to map those emails to accounts here, and then publicly available data was pulled from the API (anything viewable on profiles).

The reason I really wanted to write about this is because of how much fun we had finding it. I think me @sshell_ were laughing about this bug in a voice call for probably an hour before we realized we needed to actually report it.

Something that many many not know is that Chess.com has a bug bounty program on their own website (as many other companies do) that accepts submissions via email. Their program page is located here and I'd genuinely suggest checking them out.

The XSS could've been escalated to an account backdoor via extracting the "Connect to Google" URL, authenticating into it with an account you owned, then using an XSS hook to send an HTTP request with the callback to bind the attacker's Gmail account to the victim's Chess.com account.

I'd come back and hack on them every once in a while but never really seemed to make any progress. Every time I checked back, it felt like I was looking at the same pieces of functionality and never finding anything new.

I was hacking another company via my iPhone and Burp Suite when I realized that I'd never even opened the chess.com app while intercepting HTTP traffic. When I did, there was a new subdomain I'd never seen before.

The fact the app used this domain was super interesting to me as I'd tried to manually form HTTP requests to the website before but never had any luck. Each one sent by the app itself had properly formed headers and actually worked.

After trying to tamper with the request, it was clear that the "signed" parameter was used as a hash for all of the request parameters. You couldn't tamper with any part of the HTTP request without it giving an unauthorized error as the application was using some sort of secret to sign the whole request. This meant that if you changed anything whatsoever then the application wouldn't let you send it.

There was a really interesting HTTP request that came up when I searched for the username "hikaru" to send a message to. The following is the HTTP request and response when the app tried to fetch the information about the user:

When I first saw this HTTP response, I was very happy because it was returning the email address of the user! This meant it was possible to arbitrarily retrieve the email addresses of anyone, a probably medium severity bug.

Even though we didn't have a way to sign the HTTP requests, we could just simply search for a specific user via the mobile app, intercept the traffic, and lastly be able to see the HTTP response containing the victim email address.

Before I began writing the report to submit to their security team, I searched through the profile field and tried to see if there was anything else being leaked. Overall it looked kind of boring, but after searching for two separate users I realized something:

I logged into the website on my desktop and checked my cookies. They were using "PHPSESSID" as a session token, and when I searched my own username, it returned my own "PHPSESSID" in the "session_id" field!

I scoped the leaked administrative PHPSESSID cookie for ".chess.com" then opened up a new tab to see if we could access it. When I loaded the page, it didn't kick me out like it did in the past. We were into the administrator dashboard!

I know there are some reasons why chess.com has stronger players with the same rating than lichess ones, but analyzing the games I faced players that do have plus than 95 of accurancy in complicated games, so I think the reason may be those player use engines at least when the move is complicated, as they are rated 1500 and not making blunders. This is not what I found in lichess where profiting of blunders allow me to beat easily 1500 or even 1700 players.

I read a post of Erick, the owner of chess.com saying cheating happens at a +2300 level. But my concern is, at a lower level and in correspondence, I miss blunders in chess.com. In lichess I have not troubles to reach 1900-2000 rating beating easily the 1500 players. I think those users are using engines when the position is complicated but playing a fair game the rest of the game. That might evitate them to be catched and allow them to play at a 1500 level while they are poor players that should have a rating

chess.com is a big entreprise, they should have programmers versed in machine learning techniques to detect cheaters. Are lichess programmers better than chess.com and succeded to send cheaters away from his correspondence rooms even at low rating levels while chess.com programmers not? Do they use similar technics or lichess ones are more sofisticated?

Chess.com is a for-profit business, so they have more incentive to be sure that a player is cheating before banning a potentially paying customer. Since lichess is fully free, there's less cost associated with a false positive ban. Thus it would make sense for chess.com to have a higher threshold of confidence for banning cheaters, but I can't say whether this motivation does actually impact their choices or not.

Different sites have different rating systems and player pools. They're not directly comparable. Lichess ratings tend to be higher than chess.com ratings for the same reaosn a person's weight tends to be higher than his height

The dynamics of postal chess allows more in-depth analysis of the games. This makes mistakes rare. Some sites prefer to maintain the rule that in correspondence chess you should not use assistance of any kind (as if it were face-to-face chess) and others have reasoned that it is too difficult to know if chess engines or other assistance have been used. For example, the International Correspondence Chess Federation, (ICCF) allows the consultation of tables of endings of seven pieces to decide the winner of the ending of a game. I guess to save time at the big tournaments.

Some tournaments are centered on certain openings (thematic tournament) and others are pure competition. In the latter, the chess player must foresee the opponent's move, either by investigating the lines of play that can be derived from the position or if suspect that his opponent uses engines to chose his moves, consider also the lines that an engine would choose, especially in the opening to take him to a disadvantageous position due to a better understanding of the strategy and trying to uncoordinate the opponent's pieces, so that can't benefit from the engine.

In the middlegame, some player can choose the type of endgame he prefers and look for, for example, a triple repetition draw or aim for an endgame with more than seven pieces to prevent his opponent from benefiting from the Lomonosov endgame tables.