Rook to XSS: How I hacked chess.com with a rookie exploit

tiffanyh
29 replies
21h32m

https://lichess.org/

The best I’ve found.

It’s also crowd funded and they talk about their interest tech as well.

nonethewiser
11 replies
20h10m

It’s also crowd funded and they talk about their interest tech as well.

As well as communism.

Maker of lichess.org, a hippie communist chess server for drug fueled atheists.

https://github.com/ornicar

cristoperb
7 replies
19h43m

Can't tell if this comment is supposed to be griping from dour conservative or praise from a communist lichess fan

nonethewiser
5 replies
19h19m

Or maybe you can decide for yourself how you feel about “a hippie communist chess server for drug fueled atheists.”

jurynulifcation
4 replies
19h2m

"None the wiser" is indeed an appropriate username! Please, tell us, by your snark I can assume you're most displeased with this collection of adjectives. But which ones in particular and why?

Do hippies frighten you because they represent a more egalitarian and prosperous ideology than your narrow minded brain can conceive of?

Do communists make you quake in your boots because you don't believe you could get on in a society where you might not be able to solve all of your problems with money? Indeed, imagine if you might have to rely upon people liking you; I also fear for your ability to get on.

Is it the "drug fueled" portion, because you perhaps feel some right to tell other consenting adults (who probably know much better about their bodies and their own lives than you do about yours) what to do in their spare time?

Or are you waking up to the fact that we, as a society, are becoming more secular[0], and thus you see the advance of atheism as an attack against the institution of your personal sky daddy?

And these are all reasonable things to think of you, since you only wave vaguely at a collection of adjectives while expressing some nebulous form of disdain. Perhaps either clarify the nature of your disagreement, or continue to persist in the shadow of intellectual doubt and fear you appear to be laboring under... which is a disease very common to people who appear to believe as you do.

[0] https://web.archive.org/web/20240123000719/https://www.nytim...

hot_gril
2 replies
18h50m

Am I the only one who took the "decide for yourself" at face value? It's not even like digging something up, it says right on the author's GitHub.

jurynulifcation
0 replies
18h42m

Perhaps, but then again, I find that typically only people who find those terms odious would care enough to quote that particular passage from the github and then refuse to elaborate on their own personal opinion of it. I also find that people who engage in such hit and run tactics are, typically, not very courageous in their own beliefs, or they'd be full chested about it.

DANmode
0 replies
16h30m

Holy shit, no. You are not!

eek2121
0 replies
13h55m

I love this comment! It exposes all the hate. I wish I had the ability to respond like you. Good writing! (oh and if I wasn't clear, I agree with you. OP needs to back it up, examine himself, and stop trying to control or hate others)

themoonisachees
0 replies
19h2m

Didn't you hear? The reds are at our door and want to destroy capitalism!

danparsonson
1 replies
19h6m

You should be careful playing there - you might become infected by hippie communist ideology and denounce God during your drug-fuelled chess binges.

sham1
0 replies
10h2m

"God is dead and Lichess has killed him" is also what Nietzsche said when writing "The Gay Science" and playing on Lichess.

opportune
0 replies
13h20m

Thanks for the warning. My male cousin tried playing on Lichess once. She now wears knee-high socks and listens to catgirl-emo music while puffing “the reefer” and praying to Karl Marx

edgyquant
10 replies
20h55m

I and many others find the UX to be worse, the tutorials/lessons definitely way less interactive (usually consist of just a text dump) and the sheer number of games where the opponent doesn’t make a single move to be extremely frustrating.

It’s also impossible to discuss anything related to chess.com on here or Reddit because lichess people tend to downvote and brigade anyone who doesn’t praise it.

kthxb
3 replies
20h45m

UX is probably a matter of habit, I for one find the chesscom UI unintuitive and I can never find what I'm looking for, but Lichess certainly also has its problems.

The free and (to me) intuitive analysis tools on Lichess are the killer feature for me.

acangiano
2 replies
17h51m

The UX for the analysis part is actually significantly better on Chess.com

yinser
0 replies
17h46m

Word

stavros
0 replies
17h42m

I very much disagree. Chess.com has analysis being more human-readable, the Lichess graph of move strength is amazing for zooming in to your major gamechangers.

hitekker
3 replies
20h17m

The people I've met from chess.com were straightforward and focused on their craft. The product they work on doesn't seem to hurt anyone and I haven't seen any exploitation common to tech companies. I heard they don't pay Bay Area salaries, which probably makes them more sustainable over the long-term.

I wonder if the peaceful co-existence of lichess and chess.com co-existing somehow disturbs some esoteric ideology.

faeriechangling
2 replies
18h53m

Their website also came out at a time when it was common for competitors like ICC to charge people to play chess online; chesscom being this huge, well-featured free website helped push forward the popularity of online chess, and their for-profit model is what allows many of the aforementioned streamers to make a living.

I don't hate lichess but I hardly see chesscom as evil.

hot_gril
1 replies
18h44m

This is a weird rivalry to read about. There should be an agreeable way for them to settle it, maybe some competitive game they both enjoy.

hobobaggins
0 replies
18h14m

stockfish v stockfish!

TylerLives
1 replies
19h43m

Iirc, some of the hate comes from the fact they were paying popular chess streamers not to play/stream on lichess.

hitekker
0 replies
17h28m

Exclusivity contracts seem pretty common in sports media, streaming, and other fields. I don't know the details but a quick google search turns news like https://www.reddit.com/r/chess/comments/7v7xhp/downvotes_wou...

In a nutshell, Chess.com is sponsoring me to continue making my free YouTube/Twitch content, but playing on their site.

Apparently, some people thought Chess.com was trying to paywall chess streaming content. Strange

j0hnyl
1 replies
21h25m

I love lichess, their mobile app is such a pleasure to use compared to chess.com.

edgyquant
0 replies
20h53m

I do use lichess on my iPhone, mostly because the pieces don’t even show up on chess.com. If I’m at my laptop though it’s chess.com

sourcecodeplz
0 replies
19h47m

I just love LiChess. It is fast and lightweight. People are also very nice.

sagaro
0 replies
13h0m

I play short time controls like blitz in lichess. But for rapid I prefer chess.com as lichess has too much cheating. I find lichess UI/UX better and faster than Chess.com.

n_plus_1_acc
0 replies
20h35m

Since the topic of WebAssembly came up again today, lichess uses stockfish compiled to wasm delivered to the client to reduce server costs.

halayli
0 replies
17h39m

It's painful to play on lichess due to widespread cheating and people opening new accounts. I've been playing on chess.com as a paid user and having a much better experience. I don't know what changes chess.com made in the past year but they are definitely moving in the right direction.

JakeSkii
27 replies
19h59m

Hi, OP here! Thank you all so much for the positive comments. To give some background: I'm a 17 year old student in the UK doing my A-Levels, still deciding what uni to go to and looking for degree apprenticeship options! You can check out my github profile here -> https://github.com/Jayy001 (I'm one of the core members behind HashPals, creating Search-That-Hash as well as being a maintainer for the open-source repository of free software for the ReMarkable tablet)

tehlike
19 replies
19h34m

I am going to try referring you for Meta. Can you send me your resume/email/etc to tehlike gmail com?

1over137
14 replies
18h51m

Why would you want to punish the lad with working at Meta?! He seems like a nice chap.

tehlike
9 replies
18h49m

I want to hire good people to the company i work for. Is that wrong?

endofreach
5 replies
18h18m

Yes, facebook is an evil corporation.

Also: stop calling it meta everyone. Don't let them get away with such a poor way to hide their past & also claim a powerful word like that.

consumer451
3 replies
16h26m

Let's provide solutions in addition to criticisms.

What would you recommend OP applies for?

What are the pros and cons of the option that you suggest vs. the alternative?

91bananas
2 replies
15h6m

A company working on physical products that solve real world needs is where I have found solace.

melagonster
1 replies
13h8m

why? op is young, needs more money.

ClimaxGravely
0 replies
12h44m

Why? did they say that elsewhere in this thread?

mewpmewp2
0 replies
17h47m

Why are they evil? And if someone wants to do good for the World, why not join an evil corp to inflict change from within?

DANmode
1 replies
16h34m

Not for your goals, seemingly no.

DANmode
0 replies
9h26m

I didn't realize you were offering help with internship/apprenticeship.

Carry on. OP, definitely cut your teeth in a place like that!

Everywhere else afterward will likely feel like a vacation, in comparison.

tehlike
0 replies
18h16m

sorry, endofreach, i'll continue to call it Meta or Facebook interchangeably. One is the company's legal name, and the other is its major product.

As for the evilness, i will not argue. Everyone is entitled to their opinions.

For the OP in question, Facebook will provide the best career launch pad, so i will continue to suggest that. I have been to Google and Facebook, so can compare the two.

maest
3 replies
17h44m

I assume Meta has a referral program where you receive a bonus if your referee gets hired.

tehlike
2 replies
17h31m

I personally do not care about that, that was not the reason I offered referral.

Same reason I referred very few people, if any, in the past.

ClimaxGravely
1 replies
12h37m

They do have a referral program and you would presumably benefit from that though? I'm honestly asking because I don't know.

tehlike
0 replies
4h34m

They do, yes. There are some rules around the attribution, like if recruiters have reached out in some capacity in the past xx months without an outcome, you may still not get an award, I believe.

internetter
2 replies
18h41m

Does Meta hire 17 year olds?

Edit: oh, is this degree apprentice thing a UK thing I'm not familiar with?

tehlike
0 replies
18h21m

Yes, apprenticeship program.

rodrodrod
0 replies
18h19m

They have in the past, though I assume it's exceedingly rare.

https://thehustle.co/how-one-17-year-old-coded-a-number-one-...

JakeSkii
0 replies
4h33m

Hi, I've sent you an email.

tfsh
1 replies
18h42m

I did a degree apprenticeship at a FAANG company and was lucky to transition into a full time role there. It heavily depends upon the company, however my advice is that an apprenticeship at a well respected company goes much further than uni (bar Oxbridge) in terms of immediate job prospects.

I'd be very happy to talk more about this w/ you - email in my desc.

JakeSkii
0 replies
4h12m

Sent you an email!

Uptrenda
1 replies
17h17m

Bright future ahead. Good luck

JakeSkii
0 replies
4h34m

Thank you!

Narushia
1 replies
8h21m

Good job! How long did it take you to achieve the XSS?

JakeSkii
0 replies
7h51m

Around 4/5 hours if I recall correctly. It was over a year ago so not 100% sure.

sirsinsalot
0 replies
17h52m

My ReMarkable thanks you. You're doing great. Keep going.

.. And if you go into IT learn about contract negotiations and finances

cortesoft
14 replies
21h13m

This feature reminded me of the MySpace worm in ~2005 (heck, I wasn't even alive then!)

Well damn, I get older every day

dhosek
11 replies
21h3m

My ex-wife managed the security team at MySpace from about 2006 to 2008. The really wild part was when she went online to the MySpace hacker forums to see how the days’ work had gone. The insistence on allowing users to put HTML onto the site was a huge problem. These days, I think the solution would be to do a proper parse of the HTML input and remove forbidden attributes and tags, but back then it was handled via insanity with regexes.

orenlindsey
8 replies
20h12m

They seriously tried to parse HTML with regex? That's crazy.

charcircuit
4 replies
19h33m

They were using regex to block bad input without needing to parse HTML.

samatman
3 replies
15h24m

hope they were using more than one pass....

    <scr<script>ipt>

charcircuit
0 replies
11h5m

You could identify that as not a valid tag in a single pass and know that you should escape the < and > on it.

For the implementation all the real HTML tags should be generated by the formatter and not originate from the original input. When formatting, the valid tags get deleted from the input and everything else is properly HTML escaped.

As a primitive example imagine that the only HTML tags the formatter is able to output are <b> and </b> tags alongside HTML escaped text. That means it will be impossible for a script tag to ever be output by the formatter.

SeriousM
0 replies
11h20m

I wonder how many passes it needs at all. I mean, if you <scr<scr<scr<script>ipt>ipt>ipt> as many times as possible, you'll end up with an XSS. Removing < and > at all would be the safest solution.
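The allow-list formatter charcircuit describes, and the nested-fragment input samatman and SeriousM worry about, as an added example (not code from the thread, MySpace or chess.com; all inputs are constructed). `strip_script_once` is the kind of single-pass tag stripper that nesting defeats; `format_user_text` never echoes a `<` or `>` from the input, so no number of nested fragments can assemble a tag in one pass.

```python
import html
import re

# A naive regex stripper: deletes one literal "<script>" per pass. The leftover
# halves of "<scr<script>ipt>" reassemble into "<script>" after the pass.
_SCRIPT_TAG = re.compile(r"<script>", re.IGNORECASE)


def strip_script_once(text: str) -> str:
    """Remove literal <script> tags in a single pass (the broken approach)."""
    return _SCRIPT_TAG.sub("", text)


# The only markup the formatter recognises in user input: "<b>" and "</b>".
_ALLOWED = re.compile(r"</?b>", re.IGNORECASE)


def format_user_text(text: str) -> str:
    """Single-pass formatter: emits only <b>/</b> it generates itself.

    Every byte of the input that is not exactly an allowed token is run
    through html.escape, so '<', '>', '&' and quotes can never reach the
    output unescaped, whatever fragments surround them.
    """
    out = []
    pos = 0
    open_tags = 0
    for m in _ALLOWED.finditer(text):
        # Literal text between allowed tokens is escaped, never copied as-is.
        out.append(html.escape(text[pos:m.start()], quote=True))
        if m.group(0).lower() == "<b>":
            open_tags += 1
            out.append("<b>")
        elif open_tags > 0:
            # "</b>" is only emitted when the formatter itself opened a <b>.
            open_tags -= 1
            out.append("</b>")
        # A stray "</b>" with nothing to close is dropped rather than echoed.
        pos = m.end()
    out.append(html.escape(text[pos:], quote=True))
    # Close any bold the user left open so the output is balanced.
    out.append("</b>" * open_tags)
    return "".join(out)


if __name__ == "__main__":
    for sample in ("<scr<script>ipt>", "<scr<scr<scr<script>ipt>ipt>ipt>"):
        print("stripper :", strip_script_once(sample))
        print("formatter:", format_user_text(sample))
```

Run the stripper repeatedly on the triple-nested sample and a `<script>` tag eventually emerges; the formatter's output contains no `<script` no matter how deep the nesting, because the input's angle brackets are never copied through.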

MatmaRex
0 replies
13h15m

You can read about some things they did, and didn't! https://samy.pl/myspace/tech.html

dlnovell
1 replies
19h18m
sebmaynard
0 replies
10h58m

Long live Tony the Pony.

MatmaRex
0 replies
13h20m

It used to be that the only programs capable of somewhat correctly parsing HTML were web browsers, each one of them produced different results, most weren't open-source, and none were reusable as libraries. If you wanted to parse HTML in... looks up what MySpace was written in... ColdFusion, you were all out of luck. Since then people spent years developing specifications and writing the libraries, so now it's not a big deal.

paulpauper
1 replies
20h32m

Ppl were coding up xss back in the day on Myspace to spread ringtone offers

hot_gril
0 replies
18h43m

Innocent users getting pwned aside, that sounds fun, an anarchy website in Windows XP days.

scrapcode
0 replies
20h58m

My first thought was something along the lines of "great to see these young kids doing this kind of work." Doing that math hurt my soul.

posix86
0 replies
5h17m

Wait, this person is <20yo...

atdt
6 replies
20h52m

Could someone explain how re-directing from a subdomain (chess.com.foo.bar) somehow got past some same-origin check?

semitones
0 replies
20h24m

If it's happening server side they might have had a bug where they are doing naive substring comparison instead of actual domain evaluation.

fnimick
0 replies
20h25m

It wasn't a proper same-origin check - the server code was checking to see if the image was hosted elsewhere, and if so, it would download and self-host it. The code to check if it was on `chess.com` probably just checked to see if the domain included that string, because laziness.

bmacho
0 replies
11h3m

Not CORS origin check (that does not apply to links), but hand made origin check from chess.com developers.

betenoire
0 replies
20h7m

It sounded like server-side code allow-listed the source, so it was probably just doing a string prefix check. The code to make the friend relation doesn't happen in the browser.

JakeSkii
0 replies
19h18m

OP Here - Like the others have said, it wasn't a proper same-origin check. We'll never know for sure how it was handled because it was all done server-side but I'm guessing it was something like an "if in" statement on the FQDN, hence why I was able to get away with pointing it to my own domain.

DistractionRect
0 replies
20h15m

Clearly chess.com was using something like "starts with" to process the re-upload. Basically don't re-upload if it starts with https://chess.com, but filter out if it starts with https://chess.com/registration-invite

Typically same origin policies are relaxed for things like images by default [0]. So they came up with a trampoline, they created a chess.com.theirDomain.tld to get past the re-upload filter, which in turn returned a redirect, which the browser followed.

[0] https://developer.mozilla.org/en-US/docs/Web/Security/Same-o...
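The host check this subthread is guessing at, as an added example (not chess.com's code, which nobody here has seen): the substring and prefix forms alongside a check that parses the URL and compares the host on a label boundary. The host name, scheme and sample URLs are constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed: the origin whose images the server would embed without re-upload.
OUR_HOST = "chess.com"


def is_ours_substring(url: str) -> bool:
    """Guess from the thread: an 'if "chess.com" in url' test.

    Passes for chess.com.attacker.example and for chess.com anywhere in the
    query string, so an attacker-controlled host is treated as the site's own.
    """
    return OUR_HOST in url


def is_ours_prefix(url: str) -> bool:
    """Other guess from the thread: a startswith check.

    Still wrong: 'https://chess.com.attacker.example/' and
    'https://chess.com@attacker.example/' both start with 'https://chess.com'.
    """
    return url.startswith("https://" + OUR_HOST)


def is_ours(url: str) -> bool:
    """Parse the URL and compare the actual host, not the raw string.

    urlsplit().hostname drops userinfo and the port and lower-cases the
    host, so 'chess.com@attacker.example' yields 'attacker.example'.
    A match requires the exact host or a real subdomain (dot boundary),
    which rules out 'chess.com.attacker.example' and 'notchess.com'.
    """
    parts = urlsplit(url)
    if parts.scheme != "https":
        return False
    host = (parts.hostname or "").rstrip(".")
    return host == OUR_HOST or host.endswith("." + OUR_HOST)


def compare(url: str) -> dict:
    """Return each check's verdict for one URL (used by the demo below)."""
    return {
        "substring": is_ours_substring(url),
        "prefix": is_ours_prefix(url),
        "parsed": is_ours(url),
    }


if __name__ == "__main__":
    # Constructed sample URLs; attacker.example is a placeholder host.
    for u in (
        "https://www.chess.com/images/piece.png",
        "https://chess.com.attacker.example/piece.png",
        "https://chess.com@attacker.example/piece.png",
        "https://attacker.example/redirect?u=chess.com",
    ):
        print(u, compare(u))
```

Even with the parsed check, a server that later fetches an allow-listed URL should still decide what to do with redirects rather than follow them blindly, since the trampoline described above relies on the final hop being a different origin than the one checked.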

jjbinx007
5 replies
22h49m

Hmm, I don't think this is related but I've personally witnessed (and even recorded) other people making MY moves in chess.com games and also I've been served up a game in progress and I've been able to make moves when I shouldn't have been able to.

There are plenty of threads about this too if you Google it. No idea if chess.com have fixed this in the last few months, but they didn't want to listen when I tried to report it.

All these games were when I was not logged into the site. It's never happened to me whilst logged in, but I don't play chess that often as it's no good for my blood pressure!

rendall
1 replies
10h8m

Sorry, I don't understand. When you wrote people are "making your moves" do you mean they are substituting your moves with their own in a game? Or that they are mirroring moves from one of your games into their own game? Or something else?

magpi3
0 replies
5h53m

I think he means they were literally moving his pieces.

JyB
1 replies
9h55m

My moves? What do you even mean

dfreire
0 replies
4h34m

I understood it as when it was his turn to play, his piece moved without him moving it

TowerTall
0 replies
11h7m

How can you tell that they are making your moves?

Jerrrry
5 replies
13h35m

Back when my sole internet experience was playing (losing) every match on Chess.com as a "volunteer librarian", I'd often inject awkwardly escaped characters, closing tags, common quirky control strings, and even OLE objects into the live Chess.com games.

Eric (founder) had politely asked me for a more formal audit (to which I declined, not wanting to out myself as an 11 year old script kiddie) but I did explain the RegExp needed for the chat room censor and we tackled the ultimate problem: how to detect cheaters in asynchronous environments.

After consideration I informed him the only way to possibly detect cheaters is to compare every (game-significant/high-mu) move made against the known optimal moves from engines, and use statistical inference to discriminate good humans from cheaters.

Of course, at the time, this was laughably unfeasible - which was the answer we had concluded on. But for a barely out of elementary kid to discuss those kinda nuances with a legit webmaster (Hello Eric!), it is one of my more favorable internet memories.

leoff
4 replies
6h58m

the only way to possibly detect cheaters

why would this be the only way? I can think of many different things you can do to detect cheaters

mlrtime
1 replies
5h11m

What are a few? I'm curious. Do they all involve monitoring the client itself?

leoff
0 replies
18m

He didn't mention the methods not involving monitoring the client. Most of them would involve monitoring it, yes.

- Response time

- Strength consistency within current game

- Strength consistency across all of user's games

- Is user switching windows

I bet these are already integrated in current cheat detection.

MereInterest
1 replies
5h55m

Any detection scheme based on extra information from the client could be defeated by running the chess engine on a separate computer. A human typing in their next move is indistinguishable from a human copying a move from an airgapped chess engine. Therefore, the only information that can be used to tag cheaters is the moves themselves.

leoff
0 replies
21m

Any detection scheme based on extra information from the client could be defeated by running the chess engine on a separate computer

Response time and strength consistency could be detected regardless of having another computer.

If a person is always playing fast moves, or playing very consistently or very inconsistently good moves, they could be detected.

lovasoa
4 replies
18h32m

This feature reminded me of the MySpace worm in ~2005 (heck, I wasn't even alive then!)

I instantly felt old.

consumer451
3 replies
15h44m

Don't worry about this too much. It gets worse.

My question to OP about this event: how did you learn about this? Darknet Diaries, or via something else?

JakeSkii
2 replies
3h8m

A video by WIRED came up in my YouTube feed about it.

consumer451
0 replies
3h3m

Thanks for taking the time to reply!

I am old enough to have a fuzzy memory of it happening at the time, but here is the podcast with Samy that cemented it in my brain:

https://darknetdiaries.com/episode/61/

consumer451
0 replies
3h1m

BTW, since you just got here... I find this useful: http://www.hnreplies.com/

mmsc
3 replies
14h52m

Cool bug.

  Google did not like me setting up a chess.com subdomain, and a couple of weeks later, my domain got flagged for "phishing." - I had to contact them to explain and manually remove it as it affected my whole domain.

What? Google’s domain registrar will close your account if you have a subdomain which just happens to be named another website?

JakeSkii
2 replies
8h49m

OP - I'm honestly not sure what happened, it could be just based on the naming or something else to do with it. Either way, when I visited it, Google's Safe Browsing alert popped up with "Deceptive site ahead - recently detected phishing".

lobsterthief
1 replies
7h46m

This is a newish _Chrome_ feature (within the past 2 years) that Google rolled out. Any subdomain that looks like a domain (especially ending in a common TLD) will trigger that warning.

I learned that because, at work, I architected a system for serving certain assets for customer sites at a subdomain off a shared root domain, keyed by their full domain (like example.com.example.org—where example.com is the customer’s site domain). We ended up changing to example-com.example.org which is far better anyways since this feature started breaking stuff once it rolled out.

But this is a Chrome feature and should not affect your rankings themselves. But couldn’t hurt to take it down just in case.

JakeSkii
0 replies
7h18m

Interesting, thanks for the insight!

plugin-baby
2 replies
15h2m

Great write-up!

Why isn’t the PHPSESSID cookie HttpOnly?

And why if the XSS was already known had they not fixed it?!

jpc0
0 replies
9h5m

I've had arguments with people storing session tokens in local storage and claiming it is perfectly safe.

Not marking the cookie httpOnly ironically doesn't surprise me.

TLDR: if you aren't going to look up the very basics of security just use a trusted library

JakeSkii
0 replies
7h44m

Just to clarify, the PHPSESSID cookie was HttpOnly - I could extract the new value because I had overwritten it. Most of the cookies were set correctly (thankfully) however there was a lot of SPII stored in JS variables which I was able to get.

orenlindsey
2 replies
21h47m

Very cool. I love seeing bug bounty write-ups, especially XSS. They always seem so easy to find (but that's just confirmation bias, I don't get to see the hours of testing and rabbit trails that go nowhere).

sureglymop
1 replies
20h8m

In my experience they are usually found after finding something weird by accident. Then the real challenge is to exploit that flaw (in this case with the text editor).

fuomag9
0 replies
19h11m

I can confirm this, I've found a lot of stuff by accident during my years doing bug bounty

Uptrenda
2 replies
22h10m

I was expecting this to be more nooby based on the title. But instead they built an exploit that bypassed multiple input validation stages with clever hacks. Even going as far as to set up sub-domains to resemble the base domain. I'd not have expected this to work and found it neat in itself. But I guess seeing how complex domains are to parse with regex makes it easy to miss things (or maybe it was just something like a: '... in variable' check, idk.)

Author knows their stuff. I admire how much dedication that kind of craft takes. Spending so much time to get further along. Would make for an interesting career.

hot_gril
0 replies
20h52m

The first exploit of friending profile visitors was pretty simple at least, and also the title is a pun. But then it got very complex going for a full XSS.

gnrlst
0 replies
22h5m

Also very young making it even more impressive, considering they were born > 2005 according to the author's passing mention in the post.

rainonmoon
1 replies
9h17m

Great writeup OP! And good luck on your hacking journey. Just in case you haven't come across this yet, when you find parentheses being filtered/encoded in a payload like alert(1), try alert`1` using backticks. Some great resources if you want to take your JavaScript injection to the next level: Brute Logic's XSS cheat sheet and Gareth Heyes's Javascript for Hackers. Some people roll their eyes at cross-site scripting but it's still very powerful and very widespread (and as plugin-baby pointed out, especially when session cookies aren't flagged as HttpOnly, eek.)

JakeSkii
0 replies
7h19m

Thank you, will take a look!

phyzome
1 replies
21h16m

What does "OSRF" stand for? Is this like CSRF, but... "Own-Site Request Forgery", maybe?

lkbm
0 replies
20h52m

Yeah, pretty close: "On-site request forgery"[0]

[0] https://github.com/daffainfo/AllAboutBugBounty/blob/master/O...

nnevatie
1 replies
8h6m

Some typos in the URL: htttps://chesss.com/registration-invite?hash=XXX

JakeSkii
0 replies
4h35m

OP - Wow, can't believe I missed that! Thanks!

wycliffb
0 replies
12h7m

No such thing as a rookie exploit

olliej
0 replies
12h2m

“ This feature reminded me of the MySpace worm in ~2005 (heck, I wasn't even alive then!)”

Goddammit young people :D

hot_gril
0 replies
19h11m

The part about the rich text editor being a "holy grail" is funny. Chess.com is a big website, but I always see those editors and other extra fancy features on random old forums and wonder if the site is Swiss cheese. Anyway, great writeup!

djha-skin
0 replies
18h1m

I don't know, this required a lot of thought. Didn't really feel like a rookie exploit.

cube00
0 replies
5h8m

During the bug-bounty report & triage, the developers tried to implement a block because when I tried to reproduce it again for them, it came up with the following error message ...

Hardly in the spirit of a bug-bounty program.

bbno4
0 replies
20h37m

Wow! This is so cool, love the pun in the title hehe