Feeds

Flaws on ESPN Fantasy Football site make cheating a snap

Game fixing trivial

Internet Security Threat Report 2014

ESPN's Fantasy Football site is riddled with flaws that allow players to rig games, a security researcher says.

The online contest allows players to pretend they are owners of American football teams as they compete against other imaginary owners to pick a winning lineup from real-life members of the National Football League. As the season progresses, the fantasy teams rise or fall based on the performance of the real-life football stars. Many participants play for fun in leagues made up of friends or colleagues, but it's not uncommon for players to compete for money, too.

Playing for cash on ESPN's site might not be such a good idea, according to security researcher Billy Rios. He says it's trivial for anyone with an account to make changes to other players' teams simply by manipulating the text strings in their browser's address bar.

“Anyone can add, drop, or trade players for any other team (not just in your league) by making some changes to the URL,” he tells The Reg. “You just have to get the correct playerID and change one value in the query string. I didn't use any special tools and anyone can do these changes straight from the browser.”

Rios explains here how he used the technique to force a rival player's team to accept Rex Grossman, a Chicago Bears quarterback whose on-field performance has won him the title of kid suckiness from one sports pundit. (Out of fairness, Rios added the player to the rival's bench, not the starting lineup, and then sent an email purporting to come from Grossman saying “put me in coach!”)

Rios, whose online moniker is XSSniper, says he's notified ESPN of the glitch. ®

Remote control for virtualized desktops

More from The Register

next story
I'll be back (and forward): Hollywood's time travel tribulations
Quick, call the Time Cops to sort out this paradox!
Musicians sue UK.gov over 'zero pay' copyright fix
Everyone else in Europe compensates us - why can't you?
Megaupload overlord Kim Dotcom: The US HAS RADICALISED ME!
Now my lawyers have bailed 'cos I'm 'OFFICIALLY' BROKE
MI6 oversight report on Lee Rigby murder: US web giants offer 'safe haven for TERRORISM'
PM urged to 'prioritise issue' after Facebook hindsight find
BT said to have pulled patent-infringing boxes from DSL network
Take your license demand and stick it in your ASSIA
Right to be forgotten should apply to Google.com too: EU
And hey - no need to tell the website you've de-listed. That'll make it easier ...
prev story

Whitepapers

Go beyond APM with real-time IT operations analytics
How IT operations teams can harness the wealth of wire data already flowing through their environment for real-time operational intelligence.
Why CIOs should rethink endpoint data protection in the age of mobility
Assessing trends in data protection, specifically with respect to mobile devices, BYOD, and remote employees.
A strategic approach to identity relationship management
ForgeRock commissioned Forrester to evaluate companies’ IAM practices and requirements when it comes to customer-facing scenarios versus employee-facing ones.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
Protecting against web application threats using SSL
SSL encryption can protect server‐to‐server communications, client devices, cloud resources, and other endpoints in order to help prevent the risk of data loss and losing customer trust.