Parzival

Offensive Security Rants & Threat Actor Roleplay

Free Steamed Eggs with a Side of XSS

12 November 2023

While a friend from our DEFCON group was visiting town, we decided on his last night to visit a local Korean Barbecue spot. Little did we know, there would be a side quest involved which would result in a legendary story.

When being seated at our table, the hostess informed us that they had recently worked with a developer to create a web-based mobile game, where if you reach the end prior to ordering, you could win a free side of steamed eggs - typically a $10 menu item. This game could be accessed by scanning a QR code at the table.

The game itself is straightforward with some cursed controls which make it significantly harder than it should be. It’s a simple platformer with Roblox-like character models and two controls, one to move the character, the other to jump. The fidgety controls come into play when you try to move and jump at the same time. It’s impossible. The game will only take one input at a time, meaning that you must jump and then move your character in the air to ascend to the next platform.

The following screenshot demonstrates what the game looks like, note, it’s pretty neat because they have a decent 1:1 of the surroundings, outside, and inside of the restaurant:

kbbq-game

After learning the controls and finishing a hardcore gaming session, I was able to successfully navigate to the finish line and receive my order of free steamed eggs, but this is only where things got a little more interesting..

free

Chaos Ensues

While waiting for our food to arrive, we continued to play the game, leading us to discover that the game had a chat feature:

chatbox

Seeing as though we all work in InfoSec, the typical InfoSec payload war began, leading me to quickly discover that the chat box was vulnerable to Cross-Site Scripting (XSS). However, since the chat is viewable by all players, this meant that submitting a payload caused it to be executed on ALL players devices. The following screenshot demonstrates what occurred after entering a basic XSS payload: <script>alert(1)</script>

xss-executed

This quickly led to a lot of laughs. Especially since this was an unrestricted XSS vulnerability, allowing us to submit whatever payloads we wanted to the application such as redirecting each other to an arbitrary location or potentially causing some chaos by sending JavaScript popups to other customers at the restaurant. However, we held off. The most ‘devious’ we were was submitting the payload <script>alert(document.cookie)</script> to simply see what the result would be:

document-cookie

With Great Power Comes Great Responsibility

In the midst of our chaos, we came to realize what our cross-site scripting payloads had some unintended consequences… Such as bricking the entire game when trying to reconnect. After refreshing the page and attempting to load into the game, we were met with the following JavaScript error:

error

It is important to note that by the time we had finished eating our meal, the game was working again as intended. Thankfully.

Reporting the Vulnerability for Free Steamed Eggs

When our hostess returned, we quickly showed her the screenshot to receive our juicy reward of steamed eggs and inquired who had developed the application. She let us know what it was one of the owners friends in Korea who had developed the application and asked if we’d had any issues with it.

Thus began a lengthy conversation of trying to explain that we worked in InfoSec and had discovered a potential ‘bug’ in the game. While she was more than happy to listen to us, she was not quite sure what to do with this information other than relay it directly to the programmer.

The hostess happily provided us with a piece of paper and told us to write down the ‘bug’ to be sent to the programmer. This is what I ended up writing, while short, and not incredibly detailed, hopefully it helps the developer both identify and remediate the vulnerability:

remediate

Additionally, I reached out to the developer through their website as I observed that every game available was vulnerable to the same cross-site scripting vulnerability. Note, the developer is Korean so thank you @art3m15 for the translations:

support

The World is Your Oyster

This was not meant to be a serious blog post, but just a fun little short story of how I discovered a vulnerability in a local restaurants mobile game. While this is a minor vulnerability, if we had malicious intentions, it could have been leveraged to redirect customers of the restaurant to an arbitrary location or potentially load unwanted code.

As this mobile game is accessible via the web, it’s possible to access this game via your computer and execute JavaScript payloads against customers of the restaurant. Definitely one of the more obscure cross-site scripting vulnerabilities I’ve discovered throughout my career.

While the game was working again within a short period of time, this blog post should also serve as a reminder that your payloads may have unintended consequences. Thankfully, the impact was only temporary and would have potentially saved some eggs from being steamed.