Checkmate: Check Point Research exposes security vulnerabilities on Chess.com

Highlights:

• Check Point Research (CPR) found security vulnerabilities on the chess.com platform that could allow users to manipulate the game’s results.
• According to the findings, our researchers were able to:
  • Extract successful chess moves to solve online puzzle challenges and win puzzle ratings accordingly.
  • Decrease an opponent’s time and win games accordingly.
• Check Point Research disclosed the information to the chess.com teams, which acknowledged it and applied a relevant fix.

Background

Chess.com is the world leading platform for online chess games, with over 100 million members and more than 17 million games played per day.

It is an internet chess server, news website, and social networking platform. Chess.com has a strong focus on community-based forums and blogs. These social features allow players to connect with each other, socialize, share thoughts and experiences, and learn from each other about playing chess.

Furthermore, Chess.com conducts global championships, which consists of a winner prize money of $1,000,000 and the coveted Chess.com Global Champion title.

Previous Cheating Allegations

In 2022, Magnus Carlsen (Norwegian World champion since 2013) decided to withdraw from a tournament because he believed that Hans Niemann (American Grand Master) had cheated whilst playing.

In an official response Chess.com claimed: “Niemann has likely cheated in more than 100 Online Chess Games […] he is the fastest rising top player in classical OTB chess in modern history”.

Chess.com decided to remove Niemann from the platform and from the Global Chess Championship the day after he beat GM Magnus Carlsen. This decision has been made because Hans admitted that he cheated in chess games on the popular website in 2020. Chess.com used its cheating-detection software and discovered suspicious play.

Motivation For This Research

Chess.com invests resources in detecting cheaters, and openly uses machine learning to predict which moves might be made by a human in any given position.

Cheating in chess is a deliberate violation of the rules of the game or any other behaviour that is intended to give an unfair advantage to a player or team. It can occur in many forms and can take place before, during, or after a game.

Chess.com relates to the rating of players to participate in games and win bigger prizes. For example, tournaments are based on ratings.

According to the above, our researchers decided to analyse the popular online platform and try to check whether there are  security vulnerabilities on the platform.

Here are the highlights of our findings:

1. We found out that it is possible to win by decreasing the opponent’s time and winning the game over time,without the opponent noticing what happened.
2. In addition, it is possible to extract successful chess moves to solve online puzzle challenges and win puzzle ratings. In this method, we simply need to catch the communication between the client side (player) and the server (Chess.com website). The server accidentally sends the correct solution to the puzzle! We can then abuse and cheat on puzzle championships (in which the winner gets prize money) by simply submitting the correct moves that we found. Moreover, it is possible to modify the elapsed time it took to think about the solution.
3. In our report, we detail how via communication between 2 friends on the platform, after approving the friend’s requests to connect, an attacker intercepts the request with a proxy tool and succeeds in both manipulating game timing (which allows a quick win) and in solving a puzzle- which raises his score and value on the platform.

CHECKMATE.

The full technical analysis is detailed on our blog