Finding Free Tickets, Exploring Aeroflot: Mission 2017

Published on January 15, 2017

Finding Free Tickets, Exploring Aeroflot: Mission 2017

    On the eve of the New Year, scooping up tons of congratulatory letters, I came across an offer from Aeroflot to save the New Year and get 150,000 miles for first place. I remember their past promotions and having a weakness for hacking analysis of such events, I clicked on the link.



    The promo was made in the form of a game, the essence of which was to guess the points on the map using the Google StreetView image and get all the points for it, the number of which is proportional to the accuracy of the answer. For everything, everything is given 6 minutes. Between rounds, it is also proposed to catch / leave gifts and fly on an airplane for extra points. Six minutes can be increased to ten by correctly answering quiz questions. For good results give a fair amount of miles.

    After scanning the directories (to calm my soul) and not finding anything interesting (except phpmyadmin sticking out on the Internet), I proceeded to analyze the game itself.

    1) The first thing that I found was a Replay attack. A round is not marked as played and the same request can be sent endlessly, I get a profit.

    for i in {0..50}; 
      do torify curl 'http://mission2017.aeroflot.ru/ajax/round' --data 'val1=49&val2=9&game=563058&round=4974078&atype=map' & done;
    

    However, this vulnerability was quickly closed.

    2) Mini-games implemented all the logic on their side. And only the results were sent to the server. Accordingly, these requests could be modified and fly hundreds of thousands of kilometers on your airplane.

    3) The quiz until the end of the promo was vulnerable to Replay attacks. So you could cheat yourself time for the game. The disadvantage of this method is that, according to the logic of the creators, it is impossible to dial more than 10 minutes of time, so the result would be knocked out of an even list of ten-minute ones.

    4) But all of the above are hacks that can be tracked and punished for them. So it's time to write a bot! The game script is a good non-obfuscated code, with fairly clear naming of functions and variables. It is noteworthy that in response to the request, the correct coordinates came to / ajax / round. This circumstance allowed us to map each url of the panorama to the coordinates.

    map = {"https://www.google.com/maps/embed/v1/streetview?pano=_EjgB69lOpQheNB4ldZWsA&key=AIzaSyAdpt2jitUXkLd8NtkNQ_Ee6THUA_DZ-K0" : {lat: 40.62, lon: 22.94},
     "https://www.google.com/maps/embed/v1/streetview?pano=oIMBbAJeLJfwiwNtgiVl-g&key=AIzaSyAdpt2jitUXkLd8NtkNQ_Ee6THUA_DZ-K0" : {lat: 22.27, lon: 114.16},
     ...
    }
    

    All further remains just a matter of technology: we define a new function through the developer's console, which automatically answers all questions correctly with some error and delay, skips or sends good results based on the results of mini-games and allows you to answer the quiz in manual mode. In principle, the quiz is automated, but it was just too lazy to implement.

    It should be given to developers (and maybe to moderators), they had a good antifraud and all dubious participants were banned. I could not find out all the parameters by which the analysis was performed on the fraud, but I know two of them: speed and accuracy of the answer.

    True, these mechanisms are not enough to adequately cut off bots. Which in my opinion and displays the final rating of the promotion.

    The first three vulnerabilities are purely logical; there are not enough checks and tests. But there remains the problem of botany, which must be addressed. Here are the minimum measures (almost tracing paper from the blog ) that would cut off most of the bot drivers and make the world cleaner:

    1) STO - Security Through Observation, cuts off lazy students. Obfuscation and encryption is our everything!
    2) It is a bad idea to return to the participant the coordinates of the correct point in its pure form. The problem can be solved in different ways: return the result in the form of an image or a mask above it, convert it to another coordinate system with less accuracy.
    3) Add more client-server interaction, such as keystrokes, moving the cursor, clicks. This measure will complicate the writing of bots for mini-games and add data for the reverse Turing test.

    Point three is certainly expensive and complicated, and there is hardly any place for him in the world of promos, but I would not begin to neglect point two, let alone measure one, given the amount of funds created for these purposes.

    PS All the actions that I performed are of a research nature, and I hope the conclusions will serve as a warning to the developers of the promo.