Offensive Security Rants & Threat Actor Roleplay
12 November 2023
While a friend from our DEFCON group was visiting town, we decided to cap off his last night with a visit to a local Korean Barbecue spot. What we didn’t expect was that this meal would come with a side quest—one that turned into a legendary story.
As we were seated, the hostess excitedly informed us that they had recently teamed up with a developer to create a web-based mobile game. The twist? If you completed the game before ordering, you’d win a free side of steamed eggs—normally a $10 menu item. The game could be accessed by scanning a QR code at the table.
The game itself was simple enough—just a platformer featuring Roblox-style character models with two basic controls: one for moving and the other for jumping. But there was a catch. The controls were frustratingly janky, making it much harder than it needed to be. The game would only accept one input at a time, meaning you couldn’t jump and move simultaneously. You had to jump first, then steer your character in mid-air, making for a pretty awkward gaming experience.
Here’s a screenshot of the game—it’s actually cool because the environment is a decent 1:1 recreation of the restaurant, inside and out:
After some trial and error, I finally managed to beat the game and claim my reward: a free side of steamed eggs. But this is where the story takes an unexpected turn.
While waiting for our food to arrive, we kept playing the game and stumbled upon a chat feature:
Being in InfoSec, the discovery of a chat box naturally led to a “payload war.” It didn’t take long before I discovered the chat was vulnerable to Cross-Site Scripting (XSS). Since the chat was visible to all players, any payload I submitted would be executed on everyone’s device. Classic.
Here’s what happened when I entered the simplest of XSS payloads: <script>alert(1)</script>
What followed was a round of laughs, as we realized the chat box was completely unrestricted. We could inject any payloads we wanted, whether it was redirecting players to arbitrary websites or spamming them with JavaScript pop-ups. Still, we kept things lighthearted, limiting our mischief to something harmless like <script>alert(document.cookie)</script>
to see what would happen.
Our fun was short-lived when we realized our XSS payloads had some unintended consequences. The game started to break, and when we tried refreshing the page, we were met with a JavaScript error that bricked the entire game.
Fortunately, by the time we finished our meal, the game was back up and running.
When the hostess came back, we couldn’t resist showing her the XSS discovery, especially since it had earned us our free steamed eggs. Curious, we asked her about the developer behind the game. She mentioned it was created by a friend of one of the restaurant’s owners who lived in Korea, and she asked if we encountered any issues with the app.
This led to a rather interesting conversation where we attempted to explain our roles in InfoSec and the vulnerability we had found. Though she was polite and intrigued, she wasn’t sure what to do with this information, so she asked us to write it down so she could pass it along to the developer.
Here’s the brief note I jotted down for the developer—short and to the point, but hopefully enough to help them identify and fix the issue:
I also reached out to the developer directly through their website, as I found that the XSS vulnerability existed across all their games. A special shout-out to art3m15 for helping with the translations:
This post isn’t meant to be taken too seriously, but it’s a fun little story about discovering a vulnerability in a local restaurant’s mobile game. While the XSS vulnerability might seem minor, it’s important to remember that with malicious intent, something like this could easily be leveraged to redirect restaurant customers to a malicious site or execute unwanted code.
Since the game is web-based, it can be accessed via a desktop browser, allowing an attacker to run JavaScript payloads against the restaurant’s customers. This might be one of the more obscure XSS vulnerabilities I’ve found in my career, but it’s a perfect example of how even simple systems can have significant security flaws.
Thankfully, the game was quickly restored, and no real harm was done—except maybe a few steamed eggs that were almost saved from being ordered. This whole experience is also a reminder that even in casual hacking, it’s important to consider the broader impacts your payloads might have.