Do you love chew? A Tale of Browser Hacking

by Stephen Fluin 2012.02.05

One of my friends built a site called I Love Chew. On this website, you can click repeatedly on the piece of chewing gum or visit sites in the high score list to get additional points. Each day, the top visitors get their own website listed in the list, and should notice a small influx of traffic, as other users are incentivized to visit them.

Technical Analysis of the Game, and a bit of Hacking

The site is built in PHP and relies heavily on AJAX calls for data population and for user interactions. A quick peek at what goes on behind the scenes reveals that each click on the piece of gum triggers several events.

  1. A new piece of gum is loaded.
  2. A sound is loaded.
  3. Occasionally, a call is made to one of the following:
    1. newupdate.php
    2. updatescoreboards.php
    3. gethighscores.php

An analysis of the parameters used in each of these calls reveals that the image, sound, and scoreboard calls are likely non-functional in nature and have no impact on the score. It appears that the main call is to newupdate.php. Looking deeper at the conditions of this call reveals that it isn't triggered with every primary click, but seems to occur randomly, and when the user clicks on "submit". Looking at the parameters shows that several arguments are passed in.

http://ilovechew.com/newupdate.php?chews=1226&uniqueid=13d75b9aef961b8eb0c1931e1b4d011c&name=PeEll&url=http%3A%2F%2Fmortalpowers.com&bonusnum=0

chews is the number of chews we are reporting (we want to maximize this if possible); uniqueid seems to be a tracking variable, and since it does not change with repeated calls, we can most likely leave it alone. name and url match the data I attempted to submit, and bonusnum is nonzero only when clicking on one of the bonus links. The request carries only Google Analytics cookies (not even a standard PHP session ID), so we can safely surmise that cookies are not used as part of the tracking.

Looking at the included JavaScript file, we find that the submit button is hooked to two JavaScript calls:

slideFormDown(); updateMyStuff();

We may be able to use these to submit our fake results. We also find that the main image has a click function that calls handleClick(). I opened up the console to see if this was the key to our cheat. It was, but it was also UI-heavy. Further investigation showed that the key variable I could modify was lastCount. Modifying this variable and then calling updateMyStuff() again resulted in a rate-limited increase to my score, which was the best I could do given the site's security measures.

