Before submitting my result, together with my data (email address and phone number), I fired up Wireshark and found out the following:
- They first connect to stats.indexstats.com to report some basic statistics (a cookie with a base-64 URL, among other stuff, is sent and an empty GIF is returned).
- Then a simple POST request is sent with the score and entered data about the user. Everything through ordinary HTTP, and everything in cleartext! Some binary data is returned, but I haven't bothered to figure out what it is.
What could have been done differently? It's impossible to secure an application 100% when the user has full control over the computer, but I think that just AES-encrypting the sent data with a key preshared between the client and the server would have raised the hacking bar significantly. You'd have to download the raw Flash file, try to find the encryption key inside it, guess the encryption algorithm, etc. If the encryption key is not stored contiguously in the file, then you'd also have to reverse-engineer the Flash code to see what's going on.
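The preshared-key approach described above, as an added example that is not part of the original post or the application's own code: the client encrypts the score and user data with AES before the POST, and the server decrypts it and rejects anything modified in transit. The GCM mode, the key, the function names and the sample submission are assumptions constructed for illustration; the post only says "AES".

```javascript
// Added example (Node.js): AES-256-GCM with a key preshared by client and server.
const nodeCrypto = require('node:crypto');

// Constructed 32-byte demo key. A key embedded in a client stays recoverable
// by anyone who takes the client apart, as the post itself points out.
const PRESHARED_KEY = nodeCrypto.createHash('sha256').update('constructed-demo-key').digest();
const NONCE_LEN = 12; // standard GCM nonce size in bytes
const TAG_LEN = 16;   // GCM authentication tag size in bytes

// Client side: returns base64(nonce || ciphertext || tag) to put in the POST body.
function sealSubmission(key, submission) {
  const nonce = nodeCrypto.randomBytes(NONCE_LEN); // fresh nonce per message
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', key, nonce);
  const plaintext = Buffer.from(JSON.stringify(submission), 'utf8');
  const ciphertext = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  return Buffer.concat([nonce, ciphertext, cipher.getAuthTag()]).toString('base64');
}

// Server side: returns the parsed submission, or null if the blob is
// truncated, was encrypted under another key, or was modified in transit.
function openSubmission(key, blobB64) {
  const blob = Buffer.from(blobB64, 'base64');
  if (blob.length < NONCE_LEN + TAG_LEN) return null;
  const nonce = blob.subarray(0, NONCE_LEN);
  const tag = blob.subarray(blob.length - TAG_LEN);
  const ciphertext = blob.subarray(NONCE_LEN, blob.length - TAG_LEN);
  try {
    const decipher = nodeCrypto.createDecipheriv('aes-256-gcm', key, nonce, { authTagLength: TAG_LEN });
    decipher.setAuthTag(tag);
    const plaintext = Buffer.concat([decipher.update(ciphertext), decipher.final()]);
    return JSON.parse(plaintext.toString('utf8'));
  } catch (err) {
    return null; // authentication tag mismatch or invalid JSON
  }
}

// Simulates modification on the wire: flips one bit of the first ciphertext byte.
function flipFirstCiphertextBit(blobB64) {
  const blob = Buffer.from(blobB64, 'base64');
  blob[NONCE_LEN] ^= 0x01;
  return blob.toString('base64');
}

// Constructed sample submission: the score plus the user data the form collects.
const sample = { score: 1200, email: 'player@example.com', phone: '555-0100' };
const wire = sealSubmission(PRESHARED_KEY, sample);
console.log('on the wire:', wire);
console.log('server sees:', openSubmission(PRESHARED_KEY, wire));
console.log('tampered   :', openSubmission(PRESHARED_KEY, flipFirstCiphertextBit(wire)));
```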
In any case, very badly done web application.