2008-04-13

Dent game: an example of nonexistent security

In Norway, there's a commercial campaign (ending 15.4.) for Dent candies: you're invited to play a game (www.dent.no), and the best scores win prizes (the coolest is a free cinema ticket for two, valid for 1 year). Since the prizes are attractive, I was wondering what kind of security they had implemented. Surprisingly (or not; Norwegian companies have a bad track record with security issues), the answer is: none!

Before submitting my result together with my data (email address and phone number), I fired up Wireshark and found the following:
  • They first connect to stats.indexstats.com to report some basic statistics (among other things, a cookie containing a base64-encoded URL is sent, and an empty GIF is returned).
  • Then a simple POST request is sent with the score and the data entered about the user. Everything goes over ordinary HTTP, and everything is in cleartext! Some binary data is returned, but I haven't bothered to figure out what it is.
So it's trivial to record the traffic into a file, change the score, and resubmit the better score with e.g. netcat. (No, I haven't done it myself -- the hardest part seems to be guessing a score that is high enough to win but still plausible.)

What could have been done differently? It's impossible to secure an application 100% when the user has full control over the computer, but I think that just AES-encrypting the sent data with a key preshared between the client and the server would have raised the bar significantly. You'd have to download the raw Flash file, try to find the encryption key inside it, guess the encryption algorithm, etc. If the encryption key is not stored contiguously in the file, then you'd also have to reverse-engineer the Flash code to see what's going on.
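To make the contrast concrete, here is an added example (not code from the post or from the Dent campaign) of what the server side of the two designs looks like. The post proposes AES encryption with a key preshared between the Flash client and the server; this example uses a keyed authentication tag (HMAC-SHA256 from the Python standard library) for the same purpose, since what actually stops a modified score from being accepted is that the server can tell the payload was changed. It also goes one step beyond the post: the server hands out a one-time nonce that must be included in the signed submission, so that a captured valid submission cannot simply be sent again. The field names, the key and the sample values are all constructed for the example. As the post itself notes, a key shipped inside the client can be recovered by reverse engineering, so this raises the bar rather than closing the hole; a server that never trusts a client-reported score (for example by replaying the game's inputs server-side) is the only real fix.

```python
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode

# Constructed stand-in for a preshared key embedded in the client (hypothetical value).
SHARED_KEY = b"preshared-key-embedded-in-client"

# Constructed example of the cleartext POST body the post describes (field names assumed).
PLAINTEXT_BODY = "score=12345&email=player%40example.com&phone=12345678"


def parse_body(body: str) -> dict:
    """Turn an application/x-www-form-urlencoded body into a flat dict."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def legacy_submit(body: str) -> int:
    """The design the post observed: the server believes whatever score the POST says."""
    return int(parse_body(body)["score"])


def canonical_form(fields: dict, nonce: str) -> str:
    """Deterministic byte string that both sides authenticate: sorted fields plus the nonce."""
    ordered = urlencode(sorted((k, v) for k, v in fields.items() if k not in ("nonce", "tag")))
    return ordered + "&nonce=" + nonce


def sign_submission(fields: dict, key: bytes, nonce: str) -> str:
    """Client side: append an HMAC-SHA256 tag over the canonical form (stands in for the post's AES idea)."""
    canonical = canonical_form(fields, nonce)
    tag = hmac.new(key, canonical.encode(), hashlib.sha256).hexdigest()
    return canonical + "&tag=" + tag


class ScoreServer:
    """Server side: issues one-time nonces and only records scores whose tag verifies."""

    def __init__(self, key: bytes):
        self.key = key
        self.outstanding = set()  # nonces issued but not yet consumed
        self.accepted = []        # scores that passed verification

    def issue_nonce(self) -> str:
        nonce = secrets.token_hex(16)
        self.outstanding.add(nonce)
        return nonce

    def submit(self, body: str) -> str:
        fields = parse_body(body)
        tag = fields.get("tag")
        nonce = fields.get("nonce")
        if tag is None or nonce not in self.outstanding:
            # Missing tag, unknown nonce, or a nonce already used by an earlier submission (replay).
            return "rejected: missing tag or unknown/used nonce"
        expected = hmac.new(self.key, canonical_form(fields, nonce).encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag):
            # Any change to score, email or phone after signing lands here.
            return "rejected: tag mismatch"
        self.outstanding.discard(nonce)  # one submission per nonce
        self.accepted.append(int(fields["score"]))
        return "accepted"


def demo() -> dict:
    """Run the legacy and the keyed design side by side on constructed input."""
    server = ScoreServer(SHARED_KEY)
    player = {"score": "12345", "email": "player@example.com", "phone": "12345678"}

    nonce = server.issue_nonce()
    good = sign_submission(player, SHARED_KEY, nonce)
    first = server.submit(good)
    replay = server.submit(good)  # same bytes sent twice

    nonce2 = server.issue_nonce()
    signed = sign_submission(player, SHARED_KEY, nonce2)
    edited = signed.replace("score=12345", "score=99999")  # the edit the post warns about
    tampered = server.submit(edited)

    return {
        "legacy_accepts_any_score": legacy_submit(PLAINTEXT_BODY.replace("12345", "99999")),
        "first": first,
        "replay": replay,
        "tampered": tampered,
        "recorded_scores": list(server.accepted),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The canonical form is built by both sides from the same sorted field list, so the client never has to send the tag input separately; the server recomputes it from the received fields and compares with `hmac.compare_digest` to avoid timing leaks. The legacy path is kept only to show that, without a tag, the server has no way to notice an edited score.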

In any case, a very badly done web application.
