In search of free tickets: dissecting Aeroflot's Mission 2017 game

On New Year's Eve, wading through a pile of congratulatory messages, I came across an offer from Aeroflot to "save the New Year", with 150,000 miles for first place. Remembering their previous promo, and having a weakness for picking such events apart, I followed the link.



The promo took the form of a game: you are shown a Google StreetView panorama and have to guess its location on a map, and you are awarded points in proportion to the accuracy of your answer. You have 6 minutes. Between rounds you are offered mini-games (fishing for gifts, flying a plane) for extra points. The six minutes can be extended to ten by correctly answering quiz questions. Good results are rewarded with a decent number of miles.

Having poked around the directory listing (to soothe my soul) and found nothing interesting (apart from a phpMyAdmin exposed to the Internet), I started analysing the game itself.

1) The first thing I found was a replay attack. A round is not marked as played, so the same request can be re-sent indefinitely for profit.

# re-send the same scoring request 51 times in parallel (through Tor)
for i in {0..50}; do
  torify curl 'http://mission2017.aeroflot.ru/ajax/round' --data 'val1=49&val2=9&game=563058&round=4974078&atype=map' &
done

This vulnerability was closed quickly, though.

2) The mini-games implement all their logic on the client side and send only the result to the server. Accordingly, the request data can be modified to "fly" hundreds of thousands of miles in their aeroplane.

3) Right up to the end of the promo, the quiz was vulnerable to replay attacks, so you could cheat on your time in the game. The disadvantage of this method is that, by the creators' logic, it is impossible to gain more than 10 minutes, so such a result would stand out from the flat list of ten-minute scores.

4) But everything above is hackery that can be tracked and punished. Time to write a bot! The game script is nicely written, non-obfuscated code with fairly clear naming of functions and variables. Notably, the response to a request to /ajax/round contained the correct coordinates. This made it possible to map each panorama URL to its coordinates.

// panorama URL -> true coordinates, collected from /ajax/round responses
map = {
  "https://www.google.com/maps/embed/v1/streetview?pano=_EjgB69lOpQheNB4ldZWsA&key=AIzaSyAdpt2jitUXkLd8NtkNQ_Ee6THUa_dz-K0" : {lat: 40.62, lon: 22.94},
  "https://www.google.com/maps/embed/v1/streetview?pano=oIMBbAJeLJfwiwNtgiVl-g&key=AIzaSyAdpt2jitUXkLd8NtkNQ_Ee6THUa_dz-K0" : {lat: 22.27, lon: 114.16},
  ...
}

From there it is purely a matter of technique: using the developer console, redefine the answer function so that the machine answers every round correctly, with some deliberate inaccuracy and delay, submits good mini-game results, and lets you answer the quiz by hand. In principle the quiz can be automated too, but I was too lazy to implement it.
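The core of such a bot, as an added example that is not the post's own code: a lookup from panorama URL to coordinates, a bounded random offset on the guess, and a randomised delay before submitting. The panorama URLs, the offset of 0.05 degrees, the 4 to 12 second delay window and the `guess` field layout are all assumptions; the real request format (`val1`/`val2` in the curl line above) is not reproduced.

```javascript
// Added example, not the post's bot: the core of a lookup bot for a
// "guess the StreetView point" round. The panorama-URL -> coordinates table is
// the kind of map the post says could be built from /ajax/round responses;
// the entries here are constructed placeholders, not real game data.
const PANO_TO_COORDS = {
  "https://example.invalid/streetview?pano=AAAA": { lat: 40.62, lon: 22.94 },
  "https://example.invalid/streetview?pano=BBBB": { lat: 22.27, lon: 114.16 },
};

// Look up the true answer and add a bounded random offset (in degrees) so the
// guess is not pixel-perfect: the post names accuracy as one anti-fraud signal.
// rng is injectable so the behaviour can be tested deterministically.
function jitteredGuess(panoUrl, maxOffsetDeg, rng = Math.random) {
  const exact = PANO_TO_COORDS[panoUrl];
  if (!exact) return null; // unknown panorama: leave it to the human
  const offset = () => (rng() * 2 - 1) * maxOffsetDeg;
  return {
    lat: +(exact.lat + offset()).toFixed(2),
    lon: +(exact.lon + offset()).toFixed(2),
  };
}

// Human-looking delay in milliseconds, uniform between minMs and maxMs:
// the post names response speed as the other known anti-fraud signal.
function humanDelayMs(minMs, maxMs, rng = Math.random) {
  return Math.floor(minMs + rng() * (maxMs - minMs));
}

// Plan one round: returns { delayMs, guess } or null if the panorama is unknown.
// The caller waits delayMs and then submits guess. Window and offset are
// assumed values, not taken from the game.
function planAnswer(panoUrl, rng = Math.random) {
  const guess = jitteredGuess(panoUrl, 0.05, rng);
  if (guess === null) return null;
  return { delayMs: humanDelayMs(4000, 12000, rng), guess };
}

// Run stand-alone: print a plan for the first constructed panorama.
console.log(JSON.stringify(planAnswer(Object.keys(PANO_TO_COORDS)[0])));
```

Returning `null` for an unknown panorama is the "manual mode" fallback the post mentions: anything not in the table is left for the human to answer.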

Credit where it is due to the developers (and perhaps the moderators): they had decent anti-fraud and banned all suspicious participants. I couldn't work out every parameter that was analysed for fraud, but two of them are known to me: response speed and response accuracy.

However, these mechanisms are not enough to cut off bots adequately. In my opinion the overall promo leaderboard shows this.

The first three vulnerabilities are purely logic flaws: insufficient checks and testing. The bot problem, however, is one that has to be addressed. Here are the minimum steps (almost a carbon copy of the earlier write-up) that would cut off most bots and make the world a little cleaner:

1) STO (Security Through Obscurity) cuts off the lazy and the students. Obfuscation and encryption are our everything!
2) Returning the coordinates of the point to the player in plain form is a bad idea. Solutions: return the result as an image or with a mask over it, or convert it to another coordinate system with lower precision.
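The server-side counterpart of the first and second points, as an added example that is not the promo's code: a round-scoring handler written the way the post describes it (vulnerable) and hardened so that a round can be answered once, only by the game it was issued to, with the score computed server-side and only a coarsened answer returned. The round id, the score formula, the in-memory store and the field names are assumptions for illustration.

```javascript
// Added example, not the promo's code: a round-scoring handler written two
// ways. Round ids, the score formula, the in-memory store and the field names
// are assumptions for illustration; only the shape of the problem comes from
// the post (replayable rounds, exact answer coordinates echoed to the client).
const TRUE_COORDS = { 4974078: { lat: 40.62, lon: 22.94 } }; // constructed

// Great-circle distance in km (haversine) between two {lat, lon} points.
function distanceKm(a, b) {
  const R = 6371;
  const rad = (d) => (d * Math.PI) / 180;
  const dLat = rad(b.lat - a.lat);
  const dLon = rad(b.lon - a.lon);
  const h =
    Math.sin(dLat / 2) ** 2 +
    Math.cos(rad(a.lat)) * Math.cos(rad(b.lat)) * Math.sin(dLon / 2) ** 2;
  return 2 * R * Math.asin(Math.sqrt(h));
}

// Assumed scoring: 1000 points at 0 km, falling linearly to 0 at 2000 km.
function scoreFor(km) {
  return Math.max(0, Math.round(1000 * (1 - km / 2000)));
}

// VULNERABLE (what the post describes): nothing records that the round was
// already answered, the round id is not tied to the game, and the exact answer
// is returned, so a client can replay the request and build a lookup table.
function vulnerableRound(store, gameId, roundId, guess) {
  const truth = TRUE_COORDS[roundId];
  if (!truth) return { error: "unknown round" };
  const score = scoreFor(distanceKm(guess, truth));
  store.total[gameId] = (store.total[gameId] || 0) + score;
  return { score, answer: truth };
}

// HARDENED: the round must have been issued to this game, is consumed before
// scoring (a replay is rejected), the score is computed only server-side, and
// the reply shows the true point rounded to one decimal degree (roughly 11 km)
// instead of the exact coordinates.
function hardenedRound(store, gameId, roundId, guess) {
  const key = `${gameId}:${roundId}`;
  if (!store.issued.has(key)) return { error: "round not issued to this game" };
  if (store.played.has(key)) return { error: "round already answered" };
  store.played.add(key); // consume before scoring so a duplicate cannot slip in
  const truth = TRUE_COORDS[roundId];
  const score = scoreFor(distanceKm(guess, truth));
  store.total[gameId] = (store.total[gameId] || 0) + score;
  const coarse = (v) => Math.round(v * 10) / 10;
  return { score, approx: { lat: coarse(truth.lat), lon: coarse(truth.lon) } };
}

// Fresh in-memory store; issuedKeys lists "gameId:roundId" pairs already served.
function newStore(issuedKeys = []) {
  return { issued: new Set(issuedKeys), played: new Set(), total: {} };
}

// Run stand-alone: an exact guess, then a replay of it.
const demo = newStore(["563058:4974078"]);
console.log(hardenedRound(demo, "563058", 4974078, { lat: 40.62, lon: 22.94 }));
console.log(hardenedRound(demo, "563058", 4974078, { lat: 40.62, lon: 22.94 }));
```

Two caveats. With a real database the "played" check and insert must be one conditional write (a unique key on game and round), otherwise two simultaneous requests can both pass the check. And rounding the answer only blunts the lookup table: a bot working from 0.1-degree answers still scores well, which is why the speed and accuracy signals the post mentions remain necessary on top of this.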

Point three is certainly expensive and complex, and is unlikely to find a place in the world of promos, but I would not ignore point two and especially point one, given the amount of money set aside for this.

P.S. All actions taken by me were of an exploratory nature, and the findings will hopefully serve as a warning to promo developers.
Article based on information from habrahabr.ru
