Friday, December 08, 2006

Business Logic Flaws and Yahoo Games

Compelling real-world examples of business logic flaws in web applications are hard to come by. Most of the time we can't talk about specific instances because they’re typically unique to a company and protected under NDA. So when I read the editors article in CSO magazine (A Nation of Cheaters?) describing his experience with a logic flaw in the Yahoo Games ladders, I was immediately interested. Specifically because Yahoo was my previous employer and I was personally involved with situation described.

"A few years back, Yahoo Games instituted an online chess ladder. A ladder system essentially ranks all the players from top to bottom, and you move up by beating people ranked higher on the ladder. Losing (or not playing) slowly lowers your ranking.

I'm a decent player—I won the state championship of Kentucky in my salad days—but couldn't begin to approach the top of Yahoo's ladder. But guess what? The people at the top weren't playing chess at all!

They were cheaters, a closed circle of players passing the crown around by systematically losing one-move games to each other. Player No. 2 challenges Player No. 1, makes one move to start the game, and then Player No. 1 resigns the game and they switch rankings on the ladder. "

This is what we call Abuse of Functionality, "an attack technique that uses a web site's own features and functionality to consume, defraud, or circumvents access controls mechanisms." Most of the time we can't find these issues by scanning, we have to find them by hand, or from customer support when they receive hundreds of calls from pissed-off users because they can't improve their chess rank. There is more to this hack.

There are literally thousands of people (or more) with an amazing about of free time to do the most mundane tasks for the most inane rewards. “Cheating” players would code purpose built programs to bot 100’s of chess games 24x7 simultaneously. They’d sit up late into the evening because every so often the ladder ranks would be reset, and when they did, they’d snatch the top spots. And once they owned a block of the top spots they’d only play within their controlled accounts to rise slowly in ranks. The way the ladder logic worked, “legit” ranked players must play against other equally or higher rank players, and since cheaters wouldn’t play against them, legit players would drop in rank.

All that just to be at the top of the Yahoo Chess games ladder. No monetary reward, no praise, no nothing. Makes you think where else this is going on doesn’t it?


Anonymous said...

i didn't read a word of your article yet, but somehow feel need to immediately post this
a 'short cut' of the above is available at
for $10
and it's also on safari if you already have an account there

i read it yesterday and i would assume its on-topic

Anonymous said...

2 known abuses come to mind:
click fraud (where you click your ads to get more money from google or click the competitor's ads to make him pay more

gold farming (selling online games capital in the real world. this is in fact quite a thriving profession in china