Securing Lichess one move at a time
Hi there, thanks for stopping by and taking the time to read my blog post about how I helped secure my favorite chess site, which, if you haven’t guessed it by now, is lichess.org!
This past weekend, a couple of my friends and I were playing a small self-hosted chess tournament among ourselves, which is where this particular Lichess feature caught my eye. When creating a tournament, Lichess allows you to set a password to prevent other players from joining. This sparked my interest, because the password could be anything: no password rules were enforced (special characters, numbers, symbols, etc.). That got me thinking it might be susceptible to brute-force attacks, since users left to their own devices will inherently set weak passwords like chess123, passw0rd, carlsen2022! and so on.
So the first thing was to create a tournament with a password.
The next thing was to enter a wrong password while capturing the request in Burp.
From this we can deduce that the “p” field will be our point of attack. So we’ll send the request to Intruder and set our payload positions.
For this example I used the Sniper option of Intruder along with a simple custom wordlist of 50 lines, so as not to overwhelm the server with requests.
I then added the correct password at the bottom of the list and fired off the attack.
All 49 attempts received a status code of 400, whereas the 50th attempt received a response code of 200 indicating that it was the correct password.
I reported the issue to Lichess which has a responsible disclosure policy, and they immediately fixed the issue by implementing stricter rate limits for consecutive requests on this specific endpoint. The commit can be viewed below:
tighter ratelimit on tournament join endpoint · lichess-org/lila@328e01e
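To illustrate the kind of fix described above, here is an added example (not Lichess's code and not the commit linked above) of a sliding-window rate limiter keyed by client and tournament, placed in front of a hypothetical password check. The attempt budget, window length, tournament id, password and client address are all constructed values; the comparison uses hmac.compare_digest so response timing does not depend on how much of the guess matched.

```python
import hmac
import time
from collections import deque

# Tunables are assumed values for illustration, not the ones Lichess chose.
MAX_ATTEMPTS = 5        # join attempts allowed per window
WINDOW_SECONDS = 60.0   # length of the sliding window

class JoinRateLimiter:
    """Sliding-window limiter keyed by (client, tournament)."""

    def __init__(self, max_attempts=MAX_ATTEMPTS, window=WINDOW_SECONDS, clock=time.monotonic):
        self.max_attempts, self.window, self.clock = max_attempts, window, clock
        self._hits = {}  # key -> deque of attempt timestamps inside the window

    def allow(self, key):
        now = self.clock()
        hits = self._hits.setdefault(key, deque())
        while hits and now - hits[0] >= self.window:
            hits.popleft()               # forget attempts that fell out of the window
        if len(hits) >= self.max_attempts:
            return False                 # budget exhausted: reject before checking the password
        hits.append(now)
        return True

def join_tournament(limiter, tournaments, client_ip, tournament_id, supplied):
    """Return an HTTP status: 429 when throttled, 400 on wrong password, 200 on success."""
    if not limiter.allow((client_ip, tournament_id)):
        return 429
    expected = tournaments[tournament_id]
    # constant-time comparison so timing does not leak how many characters matched
    if hmac.compare_digest(expected.encode(), supplied.encode()):
        return 200
    return 400

def replay_guesses(limiter, tournaments, client_ip, tournament_id, guesses):
    """Feed a wordlist to the endpoint and tally the status codes it returns."""
    tally = {200: 0, 400: 0, 429: 0}
    for guess in guesses:
        tally[join_tournament(limiter, tournaments, client_ip, tournament_id, guess)] += 1
    return tally

if __name__ == "__main__":
    fake_now = [1000.0]                       # controllable clock for a deterministic run
    limiter = JoinRateLimiter(clock=lambda: fake_now[0])
    tournaments = {"abc123": "carlsen2022!"}  # constructed tournament id and password
    wordlist = [f"guess{i}" for i in range(49)] + ["carlsen2022!"]  # correct one last, as in the post
    print(replay_guesses(limiter, tournaments, "203.0.113.7", "abc123", wordlist))
    # -> {200: 0, 400: 5, 429: 45}: the correct guess is refused because the budget is gone
    fake_now[0] += WINDOW_SECONDS              # once the window passes, a legitimate join succeeds
    print(join_tournament(limiter, tournaments, "203.0.113.7", "abc123", "carlsen2022!"))  # -> 200
```

Keying on the (client, tournament) pair means one throttled client does not lock out other players, and the deque keeps only the timestamps still inside the window so memory stays bounded per key.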
Kudos to Lichess for fixing the issue so quickly and granting me kind permission to share this blog post with the infosec community.