Those |337 Haxxor Skillz Are Finally Paying Off

Learning | April 24, 2021

Our school’s MFL (Modern Foreign Languages) department has signed up to [Website], which has lots of puzzles and vocabulary testing. [Website] is not particularly well made, and soon, people are finding bugs.

[Classmate #1] finishes a test and clicks “Submit.” The website buffers, and [Classmate #1] clicks repeatedly, at speed.

Website: “You have gained 1,000 out of 100 points on this test!”

This, of course, is shared loudly and excitedly with other students. For that entire lesson, nobody does any work, and instead, everyone utilises the easiest game on the website to gain hundreds of points in seconds.

My friend, meanwhile, does Computer Science for A-Level. Having recently completed a unit about websites and security, he decides to take a look at the code behind the website. He identifies how, at the end of the puzzle, the authentication key stops changing, letting the website send the points several times. He also identifies the exact request being sent to the website’s database, and writes a line in cURL, which sends a request to the website.

Website: “You now have 1,000 more points than before!”

My friend now sets up a while: True loop repeating the request. (A while loop repeats something while a condition is true, and True is always true, so it does it infinitely.) It runs overnight.

Teacher: “Wow, everyone, I’m impressed! You’ve all clearly done lots of homework; the school has over a million points!”

This would have taken rather longer than we had, but several other schools have several million points. Therefore, my friend declares his intention to reach a BILLION points!

Me: “I don’t think that’s wise. Ms. [Teacher] will notice your absurd score.”

Friend #1: “It’s fine. Everyone else has really high scores from that previous glitch. Besides, the scores reset every month [in about a week].”

Me: “Still, you might get in trouble with the [Website] technicians.”

Friend #1: “The whole website is bad; they probably don’t have much to do. And it isn’t as if I will hurt the server; they will have [technical stuff] in place to stop my requests from overloading the server.”

The program runs fine overnight, but the next day he is disappointed that he “only” earned several million points. Trusting in [Website]’s ability to withstand his onslaught, despite the fact that it has up until this point been coded mostly with Swiss cheese, he sets up a loop that will open his program in new windows. Within a few seconds, he has several thousand windows open and his program almost overloads his own computer, though he stops his program pretty quickly.

Friend #1: *Via text* “I’ve just DOSed [Website]. The police will come to my house now.”

Spoiler: they don’t.

After confirming that I am unable to do my own homework on the website:

Me: “I warned you about loops, bro. I told you about loops.”

However, about half an hour later, the server is back up again, and [Friend]’s own Wi-Fi is immediately destroyed by the server, which sends a reply to every packet [Friend] sent to it. In the meantime, however, he has shared the original loop, which did not crash the program, with a friend of ours with a better connection. It is at this point that a technician notices. Encoded in the replies to the packets the program sends is this message:

Technician: “Oi, matey, I see you. Stop that.”

The technician changes the authentication key which is being used by the program [Friend #1] wrote. Of course, [Friend #2] now knows what to look for and manages to get it running again.

The next morning, [Friend #1] and [Friend #2] find that the entire school has zero points on the accounts. During a lesson that day:

Teacher: “I’ve just received an email from [Website]. It says that several students have been messing with [Website] and that the school’s score has been reset to zero! It also says that [Friend #1] and [Friend #2] are clearly very clever and that they would like to talk to them?!”

[Website] corresponded with the school and my friends for a while; they seemed more impressed than annoyed. They managed to fix many of the bugs, and eventually, [Friend #1] was offered work experience with [Website]!
