Vulnerability in Chess.com Allowed Access to 50 Million User Records

The vulnerability could have been exploited to access any account on the site including the Chess.com administrator account.


An IT security researcher identified a critical set of vulnerabilities in the API of chess.com, an immensely popular online chess site and app. The vulnerabilities could have been exploited to access any account on the site, and also to gain full access to the site through its admin panel.


What Happened?


Cybersecurity researcher Sam Curry spent a lot of time finding vulnerabilities in Chess.com. The researcher started by looking for generic vulnerabilities and stumbled upon a reflected XSS that could be exploited to drop a backdoor and gain access to a victim’s account.





An attacker could also extract the “Connect to Google” URL, authenticate it with their own account, and then use an XSS hook and an HTTP request to bind a victim’s chess.com account to the attacker’s account.
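The account-binding step described above is the kind of change a defender wants tied to the session that started it and gated behind a fresh login. The following is an added illustration, not code from Chess.com or from the researcher’s write-up: the identity-provider URL, the `REAUTH_WINDOW` value and the session fields are assumptions, and the demo data is constructed. Binding the callback to a one-time, per-session nonce rejects a callback minted in someone else’s session; the re-authentication check limits what a hijacked session can change, although the XSS itself still has to be fixed.

```python
"""Defensive checks for a third-party account-link callback (constructed example)."""
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Optional

REAUTH_WINDOW = 300  # seconds; linking is a sensitive change, so require a recent login (assumed value)

@dataclass
class Session:
    user_id: str
    last_auth: float                   # when this user last entered their password
    link_state: Optional[str] = None   # one-time nonce issued when linking starts

@dataclass
class LinkStore:
    links: dict = field(default_factory=dict)  # user_id -> external identity

def start_link(session: Session, now: Optional[float] = None) -> str:
    """Start the 'Connect' flow: mint a nonce tied to this session and build the redirect."""
    now = time.time() if now is None else now
    if now - session.last_auth > REAUTH_WINDOW:
        raise PermissionError("re-authentication required before linking")
    session.link_state = secrets.token_urlsafe(32)
    return f"https://idp.example/authorize?state={session.link_state}"  # hypothetical IdP

def finish_link(session: Session, store: LinkStore, callback_state: str,
                external_id: str, now: Optional[float] = None) -> bool:
    """Bind external_id to the session's user only if the callback belongs to this session."""
    now = time.time() if now is None else now
    expected, session.link_state = session.link_state, None   # nonce is single use
    if expected is None or not hmac.compare_digest(expected, callback_state):
        return False   # callback was minted in a different session
    if now - session.last_auth > REAUTH_WINDOW:
        return False   # login too old for a sensitive change
    store.links[session.user_id] = external_id
    return True

def demo() -> dict:
    """Constructed scenario: a callback from one session replayed inside another."""
    t0 = 1_700_000_000.0
    store = LinkStore()
    victim = Session(user_id="victim", last_auth=t0)
    other = Session(user_id="other", last_auth=t0)
    foreign_state = start_link(other, now=t0).split("state=")[1]
    replayed = finish_link(victim, store, foreign_state, "idp:other", now=t0)
    own_state = start_link(victim, now=t0).split("state=")[1]
    legit = finish_link(victim, store, own_state, "idp:victim", now=t0)
    return {"replayed": replayed, "legit": legit, "links": dict(store.links)}
```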


Account Takeover Vulnerability


The “Account Takeover Vulnerability”, as the researcher explained, was discovered after finding the API’s subdomain, “api.chess.com”. The researcher intercepted the app’s HTTP traffic and noticed the API requests going to this domain while using the app.

The requests from the app to the API were signed and could not be tampered with easily but when the researcher searched a username for the purpose of s ..
