{"id":24415,"date":"2022-12-19T14:10:18","date_gmt":"2022-12-19T14:10:18","guid":{"rendered":"https:\/\/mailinvest.blog\/index.php\/2022\/12\/19\/api-vulnerabilities-in-wordle-exposed-answers-opened-the-door-to-potential-hacking\/"},"modified":"2022-12-19T14:10:18","modified_gmt":"2022-12-19T14:10:18","slug":"api-vulnerabilities-in-wordle-exposed-answers-opened-the-door-to-potential-hacking","status":"publish","type":"post","link":"https:\/\/mailinvest.blog\/index.php\/2022\/12\/19\/api-vulnerabilities-in-wordle-exposed-answers-opened-the-door-to-potential-hacking\/","title":{"rendered":"API vulnerabilities in Wordle exposed answers, opened the door to potential hacking"},"content":{"rendered":"

<\/a>\n
<\/p>\n

\n

A security researcher has uncovered vulnerabilities in the New York Times-owned<\/a> online game Wordle that not only reveal the solution to the daily word puzzle but also expose its application programming interface to potential hacking.<\/p>\n

Detailed today by David Thompson, a security researcher at Noname Security<\/a> under the title of \u201cTomorrow\u2019s Wordle is \u2018PWNED!\u2019,\u201d the vulnerabilities were found using Google Chrome\u2019s built-in developer tools. Thompson found the daily answer with the help of a JSON-formatted API.<\/p>\n

The path to finding the answer was as simple as visiting the Wordle website, clicking the \u201cnetwork\u201d tab in Chrome\u2019s developer tools, then selecting the \u201cFetch\/XHR\u201d filter option. In the \u201cRequests\u201d cell, clicking on JSON API with today\u2019s date reveals an API GET request. Then click on the \u201cResponse\u201d tab and the answer is sitting there in plain sight.<\/p>\n

Thompson also found a way to reveal the answer for the next day\u2019s Wordle puzzle by using the command line interface to obtain the .json file for a different date. The editor\u2019s name is also included in the returned information along with the solution.<\/p>\n

The ability to obtain the information is described as a common mistake when writing and publishing APIs. In Wordle\u2019s case, the vulnerabilities breach the OWASP API Security Top 10 regarding excessive data exposure and broken function-level authorization.<\/p>\n

So the researcher found a sneaky way to find the answers to Wordle \u2014 not exactly the end of the world, but in Thompson\u2019s words, next came the scary part. He also found it was possible to change future answers to the puzzle, not to cheat but to create a problem by changing the word to something offensive or inflammatory.<\/p>\n

The same vulnerabilities that exposed the answers allow for a POST method to change an item served by an API. At this point, Thompson contacted the New York Times under Noname\u2019s responsible disclosure policy to make it aware of the issues.<\/p>\n

\u201cThe New York Times might need to change the logic (or permissions) of the backend so that any kind of \u2018write\u2019 attempts would not be permitted,\u201d Thompson said. \u201cIn the worst-case scenario, they will need to change the application such that the answer doesn\u2019t leave the server until the user answers correctly.\u201d<\/span><\/p>\n

Image: New York Times<\/h5>\n
\n
\n

Show your support for our mission by joining our Cube Club and Cube Event Community of experts. Join the community that includes Amazon Web Services and Amazon.com CEO Andy Jassy, Dell Technologies founder and CEO Michael Dell, Intel CEO Pat Gelsinger and many more luminaries and experts.<\/span><\/h3>\n<\/div><\/div>\n