Hi, OP here! Thank you all so much for the positive comments. To give some background: I'm a 17 year old student in the UK doing my A-Levels, still deciding what uni to go to and looking for degree apprenticeship options! You can check out my github profile here -> https://github.com/Jayy001 (I'm one of the core members behind HashPals, creating Search-That-Hash as well as being a maintainer for the open-source repository of free software for the ReMarkable tablet)
I did a degree apprenticeship at a FAANG company and was lucky to transition into a full time role there. It heavily depends upon the company, however my advice is that an apprenticeship at a well respected company goes much further than uni (bar Oxbridge) in terms of immediate job prospects.
I'd be very happy to talk more about this w/ you - email in my desc.
sorry, endofreach, i'll continue to call it Meta or Facebook interchangeably. One is the company's legal name, and the other is its major product.
As for the evilness, i will not argue. Everyone is entitled to their opinions.
For the OP in question, Facebook will provide the best career launch pad, so i will continue to suggest that. I have been to Google and Facebook, so can compare the two.
They do, yes. There are some rules around the attribution, like if recruiters have reached out in some capacity in the past xx months without an outcome, you may still not get an award, I believe.
Back when my sole internet experience was playing (losing) every match on Chess.com as a "volunteer librarian", I'd often inject awkwardly escaped characters, closing tags, common quirky control strings, and even OLE objects into the live Chess.com games.
Eric (founder) had politely asked me for a more formal audit (to which I declined, not wanting to out myself as an 11 year old script kiddie) but I did explain the RegExp needed for the chat room censor and we tackled the ultimate problem: how to detect cheaters in asynchronous environments.
After consideration I informed him the only way to possibly detect cheaters is to compare every (game-significant/high-mu) move made against the known optimal moves from engines, and use statistical inference to discriminate good humans from cheaters.
Of course, at the time, this was laughably infeasible - which was the answer we had concluded on. But for a barely out of elementary kid to discuss those kinda nuances with a legit webmaster (Hello Eric!), it is one of my more favorable internet memories.
Any detection scheme based on extra information from the client could be defeated by running the chess engine on a separate computer. A human typing in their next move is indistinguishable from a human copying a move from an airgapped chess engine. Therefore, the only information that can be used to tag cheaters is the moves themselves.
That is all "synchronous" - the heuristics available in the meta-game itself.
Back then the document object in javascript was way too powerful because everyone was so naive.
Internet Explorer knew/could easily infer its absolute coordinates from the origin on the desktop, would gladly serve the majority of your C: drive to any website that asked nicely enough, and a plethora of now-incredulous things.
It was possible to know if you had moved the window by dragging or by Cascade windows, had another window (this was before tabs were invented) that was being referenced nearly every turn, or even if the user had referenced an application from the Start Menu.
That was all the stuff that "wasn't" supposed to be done. The obvious, yet cat-and-mouse tricks, such as mouse/keyboard jitter, fingerprinting profiles, style/chat stylometry, behavior meta-game analysis, were in their relative infancy, but were making strides.
My ex-wife managed the security team at MySpace from about 2006 to 2008. The really wild part was when she went online to the MySpace hacker forums to see how the day's work had gone. The insistence on allowing users to put HTML onto the site was a huge problem. These days, I think the solution would be to do a proper parse of the HTML input and remove forbidden attributes and tags, but back then it was handled via insanity with regexes.
It used to be that the only programs capable of somewhat correctly parsing HTML were web browsers, each one of them produced different results, most weren't open-source, and none were reusable as libraries. If you wanted to parse HTML in... looks up what MySpace was written in... ColdFusion, you were all out of luck. Since then people spent years developing specifications and writing the libraries, so now it's not a big deal.
You could identify that as not a valid tag in a single pass and know that you should escape the < and > on it.
For the implementation all the real HTML tags should be generated by the formatter and not originate from the original input. When formatting, the valid tags get deleted from the input and everything else is properly HTML escaped.
As a primitive example imagine that the only HTML tags the formatter is able to output are <b> and </b> tags alongside HTML escaped text. That means it will be impossible for a script tag to ever be output by the formatter.
I wonder how many passes it needs at all. I mean, if you <scr<scr<scr<script>ipt>ipt>ipt> as many times as possible, you'll end up with an XSS. Removing < and > at all would be the safest solution.
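Added example, not code from the thread or from MySpace/chess.com: the two comments above describe a blocklist filter that strips <script> tags (and needs an unknown number of passes against nested payloads) and an allow-list formatter that escapes everything and only ever emits <b>/</b> from its own table. The Python below implements both and shows, on constructed payloads, that the naive filter's pass count grows with the nesting depth while the allow-list formatter cannot emit a script tag at all. The tag names and payloads are assumptions for the demo.

```python
import html
import re

# The only markup the formatter may emit. It comes from this table, never from input.
OPEN_B, CLOSE_B = "<b>", "</b>"
_B_TOKEN = re.compile(r"</?b>")                      # exact <b> / </b> only
_SCRIPT_TAG = re.compile(r"</?script[^>]*>", re.IGNORECASE)


def naive_strip_script(text: str) -> str:
    """Single-pass blocklist: delete <script ...> and </script> and trust the rest.
    This is the regex approach the thread warns about."""
    return _SCRIPT_TAG.sub("", text)


def strip_until_stable(text: str, max_passes: int = 10) -> tuple[str, int]:
    """Run the naive filter until nothing changes and count the passes.
    The number of passes needed equals the nesting depth of the payload."""
    passes = 0
    while passes < max_passes:
        stripped = naive_strip_script(text)
        if stripped == text:
            break
        text, passes = stripped, passes + 1
    return text, passes


def allowlist_format(text: str) -> str:
    """Allow-list formatter: all input text is HTML-escaped; the only raw markup
    in the output is <b>/</b> generated here, and it is kept balanced."""
    out = []
    bold_open = False
    pos = 0
    for m in _B_TOKEN.finditer(text):
        out.append(html.escape(text[pos:m.start()], quote=True))
        pos = m.end()
        is_close = m.group(0).startswith("</")
        if not is_close and not bold_open:
            out.append(OPEN_B)            # emitted from the table above
            bold_open = True
        elif is_close and bold_open:
            out.append(CLOSE_B)
            bold_open = False
        # a nested <b> or a stray </b> is deleted from the input, not echoed
    out.append(html.escape(text[pos:], quote=True))
    if bold_open:
        out.append(CLOSE_B)               # close what the formatter opened
    return "".join(out)


# Constructed payloads for the demo (not from the thread).
NESTED = "<scr<script>ipt>alert(1)</scr</script>ipt>"
TRIPLE = "<scr<scr<script>ipt>ipt>"
MIXED = '<b>hello</b> & <i>x</i> <img src=x onerror="alert(1)">'

if __name__ == "__main__":
    print("naive, one pass :", naive_strip_script(NESTED))
    print("naive, to fixpoint:", strip_until_stable(NESTED))
    print("naive, triple     :", strip_until_stable(TRIPLE))
    print("allow-list        :", allowlist_format(NESTED))
    print("allow-list, mixed :", allowlist_format(MIXED))
```

Note that the allow-list formatter has no concept of "removing" <script>: it never looks for it, so there is no second tag left behind after a first one is cut out, and the question of how many passes are needed does not arise.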
Hmm, I don't think this is related but I've personally witnessed (and even recorded) other people making MY moves in chess.com games and also I've been served up a game in progress and I've been able to make moves when I shouldn't have been able to.
There are plenty of threads about this too if you Google it. No idea if chess.com have fixed this in the last few months, but they didn't want to listen when I tried to report it.
All these games were when I was not logged into the site. It's never happened to me whilst logged in, but I don't play chess that often as it's no good for my blood pressure!
Sorry, I don't understand. When you wrote people are "making your moves" do you mean they are substituting your moves with their own in a game? Or that they are mirroring moves from one of your games into their own game? Or something else?
I was expecting this to be more nooby based on the title. But instead they built an exploit that bypassed multiple input validation stages with clever hacks. Even going as far as to set up sub-domains to resemble the base domain. I'd not have expected this to work and found it neat in itself. But I guess seeing how complex domains are to parse with regex makes it easy to miss things (or maybe it was just something like a: '... in variable' check, idk.)
Author knows their stuff. I admire how much dedication that kind of craft takes. Spending so much time to get further along. Would make for an interesting career.
The first exploit of friending profile visitors was pretty simple at least, and also the title is a pun. But then it got very complex going for a full XSS.
Great writeup OP! And good luck on your hacking journey. Just in case you haven't come across this yet, when you find parentheses being filtered/encoded in a payload like alert(1), try alert`1` using backticks. Some great resources if you want to take your JavaScript injection to the next level: Brute Logic's XSS cheat sheet and Gareth Heyes's Javascript for Hackers. Some people roll their eyes at cross-site scripting but it's still very powerful and very widespread (and as plugin-baby pointed out, especially when session cookies aren't flagged as HttpOnly, eek.)
Very cool. I love seeing bug bounty write-ups, especially XSS. They always seem so easy to find (but that's just confirmation bias, I don't get to see the hours of testing and rabbit trails that go nowhere).
In my experience they are usually found after finding something weird by accident. Then the real challenge is to exploit that flaw (in this case with the text editor).
The part about the rich text editor being a "holy grail" is funny. Chess.com is a big website, but I always see those editors and other extra fancy features on random old forums and wonder if the site is Swiss cheese. Anyway, great writeup!
> During the bug-bounty report & triage, the developers tried to implement a block because when I tried to reproduce it again for them, it came up with the following error message ...
Clearly chess.com was using something like "starts with" to process the re-upload. Basically don't re-upload if it starts with https://chess.com, but filter out if it starts with https://chess.com/registration-invite
Typically same origin policies are relaxed for things like images by default [0]. So they came up with a trampoline, they created a chess.com.theirDomain.tld to get past the re-upload filter, which in turn returned a redirect, which the browser followed.
OP Here - Like the others have said, it wasn't a proper same-origin check. We'll never know for sure how it was handled because it was all done server-side but I'm guessing it was something like an 'if ... in' statement on the FQDN, hence why I was able to get away with pointing it to my own domain.
It wasn't a proper same-origin check - the server code was checking to see if the image was hosted elsewhere, and if so, it would download and self-host it. The code to check if it was on `chess.com` probably just checked to see if the domain included that string, because laziness.
It sounded like the server-side code allow-lists the source, so it was probably just doing a string prefix check. The code to make the friend relation doesn't happen in the browser.
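Added example, not chess.com's code and not from the report: the comments above speculate that the server's "is this image hosted on chess.com?" check was a substring or prefix match on the URL string, which a host like chess.com.<attacker-domain> satisfies. The Python below puts those two weak checks beside a check that parses the URL and compares the host name on a label boundary, and adds a helper that re-validates every hop of a redirect chain, since the thread describes the trusted host returning a redirect. The trusted host, the decision to accept its subdomains, and all test URLs are assumptions for the demo.

```python
from urllib.parse import urlsplit

# Assumed trusted host for the allow-list.
TRUSTED_HOST = "chess.com"


def weak_substring_check(url: str) -> bool:
    """The 'if "chess.com" in url' style of check the commenters suspect."""
    return TRUSTED_HOST in url


def weak_prefix_check(url: str) -> bool:
    """The 'starts with https://chess.com' style of check."""
    return url.startswith("https://" + TRUSTED_HOST)


def strict_origin_check(url: str) -> bool:
    """Parse the URL and compare the host itself, with a label boundary.

    Accepts the trusted host and its subdomains over https only; rejects
    look-alike hosts, userinfo tricks and decoys in the path or query.
    """
    parts = urlsplit(url)
    if parts.scheme != "https":
        return False
    host = parts.hostname          # lower-cased; userinfo and port stripped
    if not host:
        return False
    return host == TRUSTED_HOST or host.endswith("." + TRUSTED_HOST)


def all_hops_trusted(redirect_chain: list[str]) -> bool:
    """Re-apply the check to every hop. A trusted first URL that redirects
    elsewhere (the 'trampoline' described above) must still be rejected."""
    return all(strict_origin_check(u) for u in redirect_chain)


# Constructed test URLs (not from the report) with the expected strict verdict.
CASES = {
    "https://chess.com/img/a.png": True,
    "https://images.chess.com/img/a.png": True,
    "https://CHESS.com:443/img/a.png": True,                     # case and port
    "https://chess.com.attacker.example/img/a.png": False,       # trampoline host
    "https://chess.com@attacker.example/img/a.png": False,       # userinfo trick
    "https://attacker.example/img.png?from=chess.com": False,    # decoy in query
    "https://notchess.com/img/a.png": False,                     # no label boundary
    "http://chess.com/img/a.png": False,                         # not https
}


def compare_checks() -> list[tuple[str, bool, bool, bool]]:
    """Return (url, substring, prefix, strict) for each case to show the gaps."""
    return [(u, weak_substring_check(u), weak_prefix_check(u), strict_origin_check(u))
            for u in CASES]


if __name__ == "__main__":
    for url, sub, pre, strict in compare_checks():
        print(f"{url:50} substring={sub!s:5} prefix={pre!s:5} "
              f"strict={strict!s:5} expected={CASES[url]}")
```

Two things the table makes visible: the string checks both accept the trampoline host, and the prefix check also accepts the userinfo form, while the strict check rejects both and still accepts a legitimate upper-cased host with an explicit port that the string checks wrongly reject. Even the strict check only covers the URL it is given; whatever fetches the image has to apply it again on every redirect.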
Google did not like me setting up a chess.com subdomain, and a couple of weeks later, my domain got flagged for "phishing." - I had to contact them to explain and manually remove it as it affected my whole domain.
What? Google’s domain registrar will close your account if you have a subdomain which just happens to be named another website?
OP - I'm honestly not sure what happened, it could be just based on the naming or something else to do with it. Either way, when I visited it, Google's Safe Browsing alert popped up with "Deceptive site ahead - recently detected phishing".
This is a newish _Chrome_ feature (within the past 2 years) that Google rolled out. Any subdomain that looks like a domain (especially ending in a common TLD) will trigger that warning.
I learned that because, at work, I architected a system for serving certain assets for customer sites at a subdomain off a shared root domain, keyed by their full domain (like example.com.example.org—where example.com is the customer’s site domain). We ended up changing to example-com.example.org which is far better anyways since this feature started breaking stuff once it rolled out.
But this is a Chrome feature and should not affect your rankings themselves. But couldn’t hurt to take it down just in case.
Just to clarify, the PHPSESSID cookie was HttpOnly - I could extract the new value because I had overwritten it. Most of the cookies were set correctly (thankfully) however there was a lot of SPII stored in JS variables which I was able to get.
I and many others find the UX to be worse, the tutorials/lessons definitely way less interactive (usually consist of just a text dump) and the sheer number of games where the opponent doesn’t make a single move to be extremely frustrating.
It’s also impossible to discuss anything related to chess.com on here or Reddit because lichess people tend to downvote and brigade anyone who doesn’t praise it.
UX is probably a matter of habit, I for one find the chesscom UI unintuitive and I can never find what I'm looking for, but Lichess certainly also has its problems.
The free and (to me) intuitive analysis tools on Lichess are the killer feature for me.
I very much disagree. Chess.com has analysis being more human-readable, the Lichess graph of move strength is amazing for zooming in to your major gamechangers.
The people I've met from chess.com were straightforward and focused on their craft. The product they work on doesn't seem to hurt anyone and I haven't seen any exploitation common to tech companies. I heard they don't pay Bay Area salaries, which probably makes them more sustainable over the long-term.
I wonder if the peaceful co-existence of lichess and chess.com somehow disturbs some esoteric ideology.
Their website also came out at a time when it was common for competitors like ICC to charge people to play chess online, chesscom being this huge well featured free website helped push forward the popularity of online chess, and their for-profit model is what allows many of the aforementioned streamers to make a living.
I don't hate lichess but I hardly see chesscom as evil.
> for-profit model is what allows many of the aforementioned streamers to make a living
The streamers will be fine. Eric Rosen is one streamer who refuses to sell out to chess.com. Chess.com is beginner friendly but not free, doesn't even let you analyse your games properly without a subscription.
I do see harm in it, considering their competitor is a non-profit which has done great things for the chess community. Including open sourcing many things like icons and webassembly chess engines.
I just sort of see Chesscom as expanding the chess market overall more than it's constraining the expansion of lichess. I'm pretty sure many of the people who eventually make their way to lichess end up at chesscom first.
chess.com's popularity is derived from their SEO and twitch. They have a deal with nearly all chess twitch streamers which forces them to only play on chess.com and prohibits them from saying anything negative about the platform.
Combine that with their competitor being a non-profit organization which has created numerous open source[1] chess tools like engines, icons and boards and I would call them pretty harmful.
Lichess has quite decent interactive tutorials these days, although not as interactive as the named bots at chess.com.
Personally never had issues with people rejecting games on lichess.com. But lichess is a non-profit that has done great things for the world of chess, open source, and open-source chess. You'll find almost all better players there, with the exception of those who are paid by chess.com to only play on their platform. Part of the reason is that chess.com has some latency issues.
It's hard not to like lichess, considering their competitor needs to pay dozens of twitch streamers to stay on top, and require you to pay for a subscription just to have a decent game analysis.
I play short time controls like blitz in lichess. But for rapid I prefer chess.com as lichess has too much cheating. I find lichess UI/UX better and faster than Chess.com.
"None the wiser" is indeed an appropriate username! Please, tell us, by your snark I can assume you're most displeased with this collection of adjectives. But which ones in particular and why?
Do hippies frighten you because they represent a more egalitarian and prosperous ideology than your narrow minded brain can conceive of?
Do communists make you quake in your boots because you don't believe you could get on in a society where you might not be able to solve all of your problems with money? Indeed, imagine if you might have to rely upon people liking you; I also fear for your ability to get on.
Is it the "drug fueled" portion, because you perhaps feel some right to tell other consenting adults (who probably know much better about their bodies and their own lives than you do about yours) what to do in their spare time?
Or are you waking up to the fact that we, as a society, are becoming more secular[0], and thus you see the advance of atheism as an attack against the institution of your personal sky daddy?
And these are all reasonable things to think of you, since you only wave vaguely at a collection of adjectives while expressing some nebulous form of disdain. Perhaps either clarify the nature of your disagreement, or continue to persist in the shadow of intellectual doubt and fear you appear to be laboring under... which is a disease very common to people who appear to believe as you do.
I love this comment! It exposes all the hate. I wish I had the ability to respond like you. Good writing! (oh and if I wasn't clear, I agree with you. OP needs to back it up, examine himself, and stop trying to control or hate others)
Perhaps, but then again, I find that typically only people who find those terms odious would care enough to quote that particular passage from the github and then refuse to elaborate on their own personal opinion of it. I also find that people who engage in such hit and run tactics are, typically, not very courageous in their own beliefs, or they'd be full chested about it.
Thanks for the warning. My male cousin tried playing on Lichess once. She now wears knee-high socks and listens to catgirl-emo music while puffing “the reefer” and praying to Karl Marx
It's painful to play on lichess due to widespread cheating and people opening new accounts. I've been playing on chess.com as a paid user and having a much better experience. I don't know what changes chess.com made in the past year but they are definitely moving in the right direction.