API vulnerabilities in Wordle exposed answers and opened the door to potential hacking
A security researcher has uncovered vulnerabilities in the New York Times-owned online game Wordle that not only reveal the solution to the daily word puzzle, but also expose the application programming interface to potential hacking.
Detailed today by David Thompson, a security researcher at Noname Security under the title “Tomorrow’s Wordle is ‘PWNED!’,” the vulnerabilities were found using Google Chrome’s built-in developer tools. Thompson found the daily answer using a JSON-formatted API.
The path to finding the answer was as simple as visiting the Wordle website, opening the “Network” tab in Chrome’s developer tools, and selecting the “Get/XHR” filter. In the “Requests” list, clicking on the JSON API entry carrying today’s date reveals an API GET request; clicking the “Response” tab then shows the answer in plain sight.
Thompson also found a way to reveal the answer for the next day’s Wordle puzzle by using the command line interface to request the .json file for a different date. The editor’s name is returned along with the solution.
The ability to obtain this information is described as a common error made when writing and publishing APIs. In Wordle’s case, the vulnerabilities fall under two entries in the OWASP API Security Top 10: excessive data exposure and broken function-level authorization.
So the researcher found a sneaky way to obtain the Wordle answers – not exactly the end of the world, but in Thompson’s words, then came the scary part. He also found that it was possible to change future answers to the puzzle, not to cheat, but to cause a problem by changing the word to something offensive or provocative.
The same vulnerabilities that exposed the answers allowed a POST request to modify data served by the API. At this point, Thompson contacted the New York Times under Noname’s responsible disclosure guidelines to make it aware of the issues.
“The New York Times may need to change the logic (or permissions) of the backend so that any kind of ‘write’ attempt would not be allowed,” Thompson said. “In the worst case, they need to change the application so that the answer does not leave the server until the user answers correctly.”