A security researcher has uncovered vulnerabilities in the New York Times-owned online game Wordle that not only reveal the solution to the daily word puzzle but also expose its application programming interface to potential hacking.
Detailed today by David Thompson, a security researcher at Noname Security under the title of “Tomorrow’s Wordle is ‘PWNED!’,” the vulnerabilities were found using Google Chrome’s built-in developer tools. Thompson found the daily answer with the help of a JSON-formatted API.
The path to finding the answer was as simple as visiting the Wordle website, clicking the “network” tab in Chrome’s developer tools, then selecting the “Fetch/XHR” filter option. In the “Requests” cell, clicking on JSON API with today’s date reveals an API GET request. Then click on the “Response” tab and the answer is sitting there in plain sight.
Thompson also found a way to reveal the answer for the next day’s Wordle puzzle by using the command line interface to obtain the .json file for a different date. The editor’s name is also included in the returned information along with the solution.
The ability to obtain the information is described as a common mistake when writing and publishing APIs. In Wordle’s case, the vulnerabilities breach the OWASP API Security Top 10 regarding excessive data exposure and broken function-level authorization.
So the researcher found a sneaky way to find the answers to Wordle — not exactly the end of the world, but in Thompson’s words, next came the scary part. He also found it was possible to change future answers to the puzzle, not to cheat but to create a problem by changing the word to something offensive or inflammatory.
The same vulnerabilities that exposed the answers allow for a POST method to change an item served by an API. At this point, Thompson contacted the New York Times under Noname’s responsible disclosure policy to make it aware of the issues.
“The New York Times might need to change the logic (or permissions) of the backend so that any kind of ‘write’ attempts would not be permitted,” Thompson said. “In the worst-case scenario, they will need to change the application such that the answer doesn’t leave the server until the user answers correctly.”
Image: New York Times
Show your support for our mission by joining our Cube Club and Cube Event Community of experts. Join the community that includes Amazon Web Services and Amazon.com CEO Andy Jassy, Dell Technologies founder and CEO Michael Dell, Intel CEO Pat Gelsinger and many more luminaries and experts.