UPDATED 09:00 EDT / DECEMBER 19 2022

SECURITY

API vulnerabilities in Wordle exposed answers, opened the door to potential hacking

A security researcher has uncovered vulnerabilities in the New York Times-owned online game Wordle that not only reveal the solution to the daily word puzzle but also expose its application programming interface to potential hacking.

Detailed today by David Thompson, a security researcher at Noname Security, under the title “Tomorrow’s Wordle is ‘PWNED!’,” the vulnerabilities were found using Google Chrome’s built-in developer tools. Thompson found the daily answer with the help of a JSON-formatted API.

The path to finding the answer was as simple as visiting the Wordle website, clicking the “network” tab in Chrome’s developer tools, then selecting the “Fetch/XHR” filter option. In the “Requests” cell, clicking on the JSON API entry with today’s date reveals an API GET request. Clicking on the “Response” tab then shows the answer sitting there in plain sight.

Thompson also found a way to reveal the answer for the next day’s Wordle puzzle by using the command line interface to obtain the .json file for a different date. The editor’s name is also included in the returned information along with the solution.

The ability to obtain the information is described as a common mistake when writing and publishing APIs. In Wordle’s case, the vulnerabilities fall under two categories of the OWASP API Security Top 10: excessive data exposure and broken function-level authorization.

So the researcher found a sneaky way to find the answers to Wordle — not exactly the end of the world, but in Thompson’s words, next came the scary part. He also found it was possible to change future answers to the puzzle, not to cheat but to create a problem by changing the word to something offensive or inflammatory.

The same vulnerabilities that exposed the answers allow a POST request to change an item served by the API. At this point, Thompson contacted the New York Times under Noname’s responsible disclosure policy to make it aware of the issues.

“The New York Times might need to change the logic (or permissions) of the backend so that any kind of ‘write’ attempts would not be permitted,” Thompson said. “In the worst-case scenario, they will need to change the application such that the answer doesn’t leave the server until the user answers correctly.”
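The mitigation Thompson describes, sketched as an added example (not code from the article, Noname Security or the New York Times): a guess endpoint that scores on the server and returns only feedback, while rejecting other methods and future dates. The route, the names `PUZZLES`, `scoreGuess` and `handle`, and the sample words are assumptions made for illustration.

```javascript
// Added illustration; every name and value here is hypothetical.
// Constructed sample store. It lives on the server and is never serialized to clients.
const PUZZLES = { "2022-12-19": "crane", "2022-12-20": "pwned" };

// Wordle-style feedback: "g" = right letter, right spot; "y" = right letter,
// wrong spot; "-" = absent. Duplicate letters are consumed at most once each.
function scoreGuess(solution, guess) {
  const result = Array(solution.length).fill("-");
  const remaining = {};
  for (let i = 0; i < solution.length; i++) {
    if (guess[i] === solution[i]) result[i] = "g";
    else remaining[solution[i]] = (remaining[solution[i]] || 0) + 1;
  }
  for (let i = 0; i < solution.length; i++) {
    if (result[i] === "-" && remaining[guess[i]] > 0) {
      result[i] = "y";
      remaining[guess[i]]--;
    }
  }
  return result.join("");
}

// Transport-agnostic handler: takes { method, path, body }, returns { status, body }.
// `today` comes from the server clock, never from the client.
function handle(req, today) {
  const m = /^\/puzzle\/(\d{4}-\d{2}-\d{2})\/guess$/.exec(req.path);
  if (!m) return { status: 404, body: { error: "not found" } };
  // Function-level authorization: the public API exposes exactly one operation,
  // submitting a guess. No public route can modify puzzle data.
  if (req.method !== "POST") return { status: 405, body: { error: "method not allowed" } };
  const date = m[1];
  // Future puzzles are not addressable from the public API (ISO dates sort as strings).
  if (date > today || !Object.hasOwn(PUZZLES, date)) {
    return { status: 404, body: { error: "not found" } };
  }
  const guess = String((req.body && req.body.guess) || "").toLowerCase();
  if (!/^[a-z]{5}$/.test(guess)) return { status: 400, body: { error: "guess must be 5 letters" } };
  const feedback = scoreGuess(PUZZLES[date], guess);
  // Minimal response: feedback only. No solution, editor name or other record fields.
  return { status: 200, body: { feedback, solved: feedback === "ggggg" } };
}

console.log(handle({ method: "POST", path: "/puzzle/2022-12-19/guess", body: { guess: "cargo" } }, "2022-12-19"));
```

Because the response is built field by field rather than by serializing the stored record, adding a field to the record later cannot leak it through this endpoint.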
