As the title suggests, this post will touch on how I and a few other junior security researchers (also nicknamed AstroSquad) were able to hack, or pwn, a poorly secured kids' game called Animal Jam.
This all started when one of our researchers (pseudonym Moon) looked into Animal Jam. He messed around with the API and told us that there wasn't a rate limit on the RPS (requests per second), so one of us wrote a script to automate the registration process and made hundreds of bots that joined the game servers, which froze players' clients. They shortly added a global rate limit to the API. That was only the start. On August 6, 2020, another one of our researchers (pseudonym HellSec) found the IP of one of their boxes. We assumed we couldn't get into it at first, but within a few hours we managed to pwn the box. Surprisingly, there was not much on it: it was an AWS box, and it was the box for the Animal Jam shop (shop.animaljam.com). With limited time, we made a simple deface page and overwrote the index page with it.
As you can see from the compilation above, they believed we had an apparent "ip logger" and other malicious items. This gave us a notorious reputation as a group of "40 year olds in their mothers' basement" who are very "1337", which was not the case. From there, we wanted to test how afraid the community and the company WildWorks were of apparent fake threats. So around October 2020, we made a threat that we were going to hack Animal Jam on Halloween; the community freaked out and made a bunch of YouTube videos, with WildWorks putting their servers on lockdown. It was the biggest "lawl" for us.
Now that you understand the context before the main pwn, without further ado, let's get into it. On August 16, 2021, we discovered a 0day "no-auth" full account takeover on Animal Jam. How? Simple. A password reset endpoint.
Discovering the vulnerability
Basically, one of our researchers used Fiddler to capture all the traffic coming from the Animal Jam application, and because he was capturing all the traffic, he came across the "/disable" endpoint. Every account on Animal Jam is linked to a certain parent account, and since he had the "/disable" endpoint, he was able to look at the POST data (the data that is sent with the POST request). He noticed that you were able to send a custom email in the POST data, so he replaced the email, not expecting anything, until he received an email from Animal Jam. Funny enough, once he clicked on the disable-account link, it automatically overrode the email already linked to the account with the custom email he had put in.
The only issue with this was that it didn't disable the player, but knowing it did re-link the account, he searched with Fiddler for other endpoints that had the same POST data requirements, until he found the "/send_password_reset" endpoint. By sending that request, he was able to take over any player's account with a single POST request and, of course, no authentication at all.
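To make the server-side mistake behind both the "/disable" and "/send_password_reset" findings concrete, here is an added example (my own toy code, not anything from the post or from Animal Jam's code base): a password-reset handler written two ways. The vulnerable version mirrors the behaviour described above, where the client chooses the destination email and no authentication is needed; the hardened version accepts only a username, rejects any client-supplied address outright, and mails the address already on file. Account names, addresses and the Outbox stand-in for a mail service are constructed for the example.

```python
# Added example, not code from the original post: a toy "send password reset"
# handler in a vulnerable and a hardened form. All data below is constructed.
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple
import secrets


@dataclass
class Account:
    username: str
    parent_email: str  # address on file for the linked parent account


@dataclass
class Outbox:
    """Stand-in for a mail service; records what would have been sent."""
    sent: list = field(default_factory=list)

    def send(self, to: str, body: str) -> None:
        self.sent.append((to, body))


# Constructed sample data; not real accounts.
ACCOUNTS: Dict[str, Account] = {"ajhq": Account("ajhq", "parent@example.invalid")}
RESET_TOKENS: Dict[str, str] = {}


def _issue_token(username: str) -> str:
    """Mint an unguessable, single-use reset token bound to one username."""
    token = secrets.token_urlsafe(32)
    RESET_TOKENS[token] = username
    return token


def send_password_reset_vulnerable(post_data: dict, outbox: Outbox) -> str:
    """Trusts a client-supplied 'email' field and checks no credentials.
    Whoever knows a username decides where the reset link goes.
    Returns the address the link was mailed to."""
    account = ACCOUNTS[post_data["username"]]
    link = f"https://example.invalid/reset?token={_issue_token(account.username)}"
    outbox.send(post_data["email"], link)  # destination chosen by the caller
    return post_data["email"]


ALLOWED_FIELDS = {"username"}


def send_password_reset_hardened(post_data: dict, outbox: Outbox) -> Tuple[int, Optional[str]]:
    """Accepts only a username, never a destination address.
    Returns (http_status, recipient); recipient is None when nothing was sent.
    The status is identical for known and unknown usernames so the endpoint
    cannot be used to enumerate accounts."""
    if set(post_data) - ALLOWED_FIELDS:
        return 400, None  # reject 'email' or any other unexpected field
    account = ACCOUNTS.get(post_data.get("username", ""))
    if account is None:
        return 202, None  # same response as success; nothing is mailed
    link = f"https://example.invalid/reset?token={_issue_token(account.username)}"
    outbox.send(account.parent_email, link)  # only the address on file
    return 202, account.parent_email


if __name__ == "__main__":
    box = Outbox()
    attempt = {"username": "ajhq", "email": "attacker@example.invalid"}
    print("vulnerable mailed:", send_password_reset_vulnerable(attempt, box))
    print("hardened, extra field:", send_password_reset_hardened(attempt, box))
    print("hardened, username only:", send_password_reset_hardened({"username": "ajhq"}, box))
```

The same rule fixes the "/disable" case: an endpoint that changes which email is linked to an account must require an authenticated session for that account and should confirm the change with the address already on file, rather than taking the new address from an unauthenticated POST body. Pairing the reset endpoint with a per-account and per-IP rate limit would also have blunted the mass-registration trick mentioned earlier in the post.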
Now that we know the vulnerability, how do we use it in a large-scale attack? Simple! All we need to do is write a script that sends a POST request with the post data, the target, and a burner email.
- Writing the exploit using python3
Let's start by making a Python script, importing the requests library for sending the POST request and sys for argument handling, and then supplying the endpoint with the request:
Although it was patched after the security advisory we released the next day (Animal Jam was having some issues making a patch), here's a gif and an image of us on the AJHQ account, on the parents' dashboard, using this exploit.
This company, Animal Jam, is an example of greed over good security. If any companies are reading this, don't be like these guys. But hey, thank you for reading if you got this far. This is the first blog I've made and I'll be making more very soon; this was really fun to make. If you enjoyed reading this, go ahead and share it. #HackThePlanet #HTP #TrollThePlanet #TTP