On the eve of the New Year, while raking through tons of greeting letters, I came across an offer from Aeroflot to save the New Year and win 150,000 miles for first place. Remembering the past of their promotions and having a weakness for picking apart such events, I followed the link.
The promo took the form of a game: you are shown a Google StreetView image and have to guess the point on the map, and the points awarded are proportional to the accuracy of the answer. Six minutes are given for everything. Between rounds you are also offered to catch or leave gifts and to fly an airplane for extra points. The six minutes can be increased to ten by answering quiz questions correctly. Good results are rewarded with a decent number of miles.
Having scanned the directories (to soothe my soul) and found nothing interesting (apart from a phpmyadmin exposed to the Internet), I started analyzing the game itself.
1) The first thing I found was a replay attack. The round is not marked as played, so one and the same request can be sent an unlimited number of times, and each time it earns points.
for i in {0..50}; do torify curl 'http://mission2017.aeroflot.ru/ajax/round' --data 'val1=49&val2=9&game=563058&round=4974078&atype=map' & done;
However, this vulnerability was quickly closed.
2) The mini-games implemented all their logic on the client side and sent only the results to the server. Accordingly, these requests could be modified so that you fly hundreds of thousands of miles on your airplane.
3) The quiz was vulnerable to replay attacks until the end of the promo, so you could wind up your game time. The disadvantage of this method is that, by the creators' logic, it is impossible to score more than 10 minutes of time, so the result would stand out from the flat list of ten-minute results.
4) But all of the above are hacks that can be traced and punished. So it was time to write a bot! The game's script is nice unobfuscated code with fairly clear naming of functions and variables. Notably, the response to the request to /ajax/round contained the correct coordinates. This made it possible to map every panorama URL to its coordinates.
map = {"https://www.google.com/maps/embed/v1/streetview?pano=_EjgB69lOpQheNB4ldZWsA&key=AIzaSyAdpt2jitUXkLd8NtkNQ_Ee6THUA_DZ-K0" : {lat: 40.62, lon: 22.94}, "https://www.google.com/maps/embed/v1/streetview?pano=oIMBbAJeLJfwiwNtgiVl-g&key=AIzaSyAdpt2jitUXkLd8NtkNQ_Ee6THUA_DZ-K0" : {lat: 22.27, lon: 114.16}, ... }
Everything else is just a matter of technique: define a new function in the developer console that automatically answers all questions with a given error and delay, skips the mini-games or submits good results for them, and lets you answer the quiz manually. In principle, the quiz could be automated too, but I was too lazy to implement it.
Credit is due to the developers (and perhaps the moderators): they had good anti-fraud, and all the suspicious participants got banned. I could not figure out all the parameters used for fraud analysis, but I know two of them: the speed and the accuracy of the answer.
Still, these mechanisms are not enough to cut off bots adequately, which in my opinion is reflected in the promo's final leaderboard.
The first three vulnerabilities are purely logical: not enough checks and tests. But the problem of bots remains and must be addressed. These are the minimal measures (practically traced from the blog) that would cut off most bot operators and make the world a cleaner place:
1) STO, Security Through Obscurity, cuts off the lazy and the schoolkids. Obfuscation and encryption are our everything!
2) It is a bad idea to return the coordinates of the correct point to the participant in plain form. The problem can be solved in different ways: return the result as an image or as a mask over it, or convert it to another coordinate system with less accuracy.
3) Add more client-server interaction, such as key presses, cursor movement and clicks. This measure complicates writing bots for the mini-games and adds data for the reverse Turing test.
Point three is certainly expensive and complicated, and there is hardly a place for it in the promo world, but I would not neglect point two, and especially measure one, given the number of tools created for these purposes.
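To make the replay hole (vulnerability 1), the trusted client results (vulnerability 2) and measure two concrete, here is an added example of how a round handler on the server side could look; it is not the promo's code. The request fields game, round, atype and val1/val2 come from the curl command above, while the in-memory answer key, the scoring formula and the rounded "hint" format are my assumptions.

```python
"""Server-side handling of POST /ajax/round (added example, not the promo's code)."""
import math

# Constructed fixture standing in for the server's answer key. It never leaves the server.
ROUNDS = {
    4974078: {"game": 563058, "lat": 40.62, "lon": 22.94, "answered": False},
}
MAX_POINTS = 1000          # assumed maximum score per round
ZERO_POINTS_KM = 5000.0    # assumed distance at which the score reaches zero


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two WGS84 points."""
    r = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def submit_round(game, round_id, val1, val2, rounds=ROUNDS):
    """Score a guess exactly once and return only what the client needs to see.

    val1/val2 are the player's guessed latitude/longitude (assumed meaning of the fields).
    """
    rnd = rounds.get(round_id)
    if rnd is None or rnd["game"] != game:
        return {"ok": False, "error": "unknown round", "points": 0}
    # Vulnerability 1: the round is marked as played on first use, so replaying the
    # same request (even thousands of times over Tor) earns nothing further.
    if rnd["answered"]:
        return {"ok": False, "error": "round already played", "points": 0}
    rnd["answered"] = True
    # Vulnerability 2: the score is derived here from the raw guess; the client
    # never gets to send a ready-made result that the server would simply trust.
    dist = haversine_km(rnd["lat"], rnd["lon"], float(val1), float(val2))
    points = max(0, int(MAX_POINTS * (1 - dist / ZERO_POINTS_KM)))
    # Measure 2: the true location is returned only rounded to whole degrees, which is
    # enough to show the player the region but too coarse to build a pano-to-coordinates map.
    return {"ok": True, "points": points, "hint": (round(rnd["lat"]), round(rnd["lon"]))}
```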
PS All the actions I performed are of a research nature, and I hope the conclusions will serve as a lesson to promo developers.