12 November 2023
While a friend from our DEFCON group was visiting town, we decided on his last night to visit a local Korean Barbecue spot. Little did we know, there would be a side quest involved which would result in a legendary story.
When being seated at our table, the hostess informed us that they had recently worked with a developer to create a web-based mobile game, where if you reach the end prior to ordering, you could win a free side of steamed eggs - typically a $10 menu item. This game could be accessed by scanning a QR code at the table.
The game itself is straightforward with some cursed controls which make it significantly harder than it should be. It’s a simple platformer with Roblox-like character models and two controls, one to move the character, the other to jump. The fidgety controls come into play when you try to move and jump at the same time. It’s impossible. The game will only take one input at a time, meaning that you must jump and then move your character in the air to ascend to the next platform.
The following screenshot demonstrates what the game looks like, note, it’s pretty neat because they have a decent 1:1 of the surroundings, outside, and inside of the restaurant:
After learning the controls and finishing a hardcore gaming session, I was able to successfully navigate to the finish line and receive my order of free steamed eggs, but this is only where things got a little more interesting..
While waiting for our food to arrive, we continued to play the game, leading us to discover that the game had a chat feature:
Seeing as though we all work in InfoSec, the typical InfoSec payload war began, leading me to quickly discover that the chat box was vulnerable to Cross-Site Scripting (XSS). However, since the chat is viewable by all players, this meant that submitting a payload caused it to be executed on ALL players devices. The following screenshot demonstrates what occurred after entering a basic XSS payload:
<script>alert(document.cookie)</script> to simply see what the result would be:
It is important to note that by the time we had finished eating our meal, the game was working again as intended. Thankfully.
When our hostess returned, we quickly showed her the screenshot to receive our juicy reward of steamed eggs and inquired who had developed the application. She let us know what it was one of the owners friends in Korea who had developed the application and asked if we’d had any issues with it.
Thus began a lengthy conversation of trying to explain that we worked in InfoSec and had discovered a potential ‘bug’ in the game. While she was more than happy to listen to us, she was not quite sure what to do with this information other than relay it directly to the programmer.
The hostess happily provided us with a piece of paper and told us to write down the ‘bug’ to be sent to the programmer. This is what I ended up writing, while short, and not incredibly detailed, hopefully it helps the developer both identify and remediate the vulnerability:
Additionally, I reached out to the developer through their website as I observed that every game available was vulnerable to the same cross-site scripting vulnerability. Note, the developer is Korean so thank you @art3m15 for the translations:
This was not meant to be a serious blog post, but just a fun little short story of how I discovered a vulnerability in a local restaurants mobile game. While this is a minor vulnerability, if we had malicious intentions, it could have been leveraged to redirect customers of the restaurant to an arbitrary location or potentially load unwanted code.
While the game was working again within a short period of time, this blog post should also serve as a reminder that your payloads may have unintended consequences. Thankfully, the impact was only temporary and would have potentially saved some eggs from being steamed.