
How an intermediate developer can easily cheat bullet games on lichess

Since the entire website and its backend are open source, lichess, more than any other chess website, is inviting to hackers and cheaters. In particular, I want to draw the attention of lichess developers and maintainers to a potential security hole that can easily be exploited.

As you know, the socket that communicates all the messages of the client to the lichess server and back is the WebSocket object. A disquisitive hacker can reimplement the JavaScript prototype of a WebSocket object, thereby eavesdropping on the messages that get sent back and forth to the server. This information could then be linked to a chess engine software (via a Chrome native app extension, for example), which then makes it possible to auto-transfer the moves to the chess software.

But then you might ask, how can the hacker reimplement websocket object after the page already loaded? It's simple: iframes.

The iframe is the pinnacle of security holes in the modern web era. The fact is that an attacker can reimplement WebSocket on the window object of a newly inserted iframe, then load lichess in that iframe. Browser messaging for the same origin is allowed, so all the critical messages get sniffed and sent back to the iframe host. Clever, huh?

A first thought that comes to my mind is to not allow iframes to be injected into DOM. I don't know how this can be done, but stackoverflow.com has figured it out. I can't insert an iframe element after the page is loaded there.

I believe patching this security hole is a good step towards reducing the number of bullet cheaters and encouraging fair play.

As a developer I do understand your concerns, but I believe you are mistaken in a couple of areas. First off, websockets, while slightly insecure, do not pose threats by any means if someone were to re-implement them and connect an engine. I've done this myself and inspected all vulnerabilities, and I can assure you there is nothing harmful you can do other than cheat with an engine.

Sure, iframes can be nasty, but please understand there are no "critical messages" even to be sniffed. All in all I do agree additional improvements could be made, but just as you stated earlier, lichess is open source and therefore, if you wanted to, you could make the improvement yourself. This is lichess's open source philosophy with being open source.

With the rise of cheaters on this website, there's the new addition of the "slanted board" feature. For those who haven't seen it, lichess skews the board for a few seconds, making it difficult to get the board position for cheating software that relies on pixels. But this comes at the cost of annoying thousands of users who are honest players.

If you are going to these extents to prevent cheating, you might really want to patch this hole that I showed you a few months ago. It's still present, and it seems it fell on deaf ears.

Please consider stopping programmers from injecting code into lichess that hijacks the page's WebSocket implementation by embedding an iframe element and redefining the object's prototype.

As a simple test: this JavaScript code should not succeed, but it does, unfortunately. Try running jQuery and then injecting the following script on lichess:

$('body').children().hide();

var i = $('<iframe>').attr('sandbox', 'allow-same-origin allow-forms allow-scripts').appendTo('body').load(function() {
  // sniffing "secure" lichess socket data is literally this easy...
  this.contentWindow.WebSocket.prototype.send = function() {
    this.addEventListener('message', function(e) {
      console.log(e.data);
    });
    return window.WebSocket.prototype.send.apply(this, arguments);
  };
});

i.css({position: 'absolute', width: '100%', height: '100%', top: 0, left: 0, border: 0, background: '#fff'}).attr('src', location.href.replace(/\?.*/, ''));

This code prints every message sent from the server to the web client to the console, which could then be interfaced to an engine of sorts for cheating purposes, especially at faster time controls.

Try running that code on google.com or stackoverflow.com or any other secure website. They will not allow it. It is a serious security flaw.
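As an added example that is not part of this thread, the check below decides whether a response's framing headers (CSP frame-ancestors, X-Frame-Options) let a given ancestor origin embed the page, which is what separates a site that refuses the test above from one that does not; the header sets and the origin are constructed placeholders. Note that X-Frame-Options: SAMEORIGIN would not refuse the same-origin iframe used above; only frame-ancestors 'none' (or DENY) would.

```javascript
// Added example (not from the thread): decide whether framing headers let an ancestor origin embed a page.

// Extract the source list of a "frame-ancestors" directive from a CSP header value,
// or return null when the header carries no such directive.
function frameAncestorsSources(csp) {
  if (!csp) return null;
  for (const directive of csp.split(';')) {
    const tokens = directive.trim().split(/\s+/);
    if (tokens[0].toLowerCase() === 'frame-ancestors') return tokens.slice(1);
  }
  return null;
}

// Match one source expression against the ancestor origin. Only the forms needed here
// are handled: 'none', 'self', '*', a scheme such as "https:", or a full origin.
function sourceMatches(source, ancestorOrigin, pageOrigin) {
  const s = source.toLowerCase();
  if (s === "'none'") return false;
  if (s === "'self'") return ancestorOrigin === pageOrigin;
  if (s === '*') return true;
  if (s.endsWith(':')) return new URL(ancestorOrigin).protocol === s;
  return s === ancestorOrigin.toLowerCase();
}

// Decide whether a page served with `headers` may be framed by `ancestorOrigin`.
// A frame-ancestors directive, when present, takes precedence over X-Frame-Options.
function framingAllowed(headers, pageOrigin, ancestorOrigin) {
  const get = (name) => {
    const key = Object.keys(headers).find((k) => k.toLowerCase() === name);
    return key === undefined ? undefined : headers[key];
  };
  const sources = frameAncestorsSources(get('content-security-policy'));
  if (sources !== null) {
    return sources.some((src) => sourceMatches(src, ancestorOrigin, pageOrigin));
  }
  const xfo = (get('x-frame-options') || '').trim().toUpperCase();
  if (xfo === 'DENY') return false;
  if (xfo === 'SAMEORIGIN') return ancestorOrigin === pageOrigin;
  return true; // no framing policy: any page, the same origin included, may frame it
}

// Constructed sample policies against a placeholder origin, not captured from any site.
const PAGE = 'https://example.invalid';
const POLICIES = {
  none: {},
  sameorigin: { 'X-Frame-Options': 'SAMEORIGIN' },
  strict: { 'Content-Security-Policy': "default-src 'self'; frame-ancestors 'none'" },
};
```

With no policy at all, or with only SAMEORIGIN, a same-origin iframe is permitted; the strict policy refuses every ancestor.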
