All about Mobile, Web, Technology, Politics, Security, E-Commerce and Living in the Philippines.

Thursday, February 26, 2009

I Will Hack Food - J0L1BU6 G0t H4X0R3D! (Jollibee got hacked)

I got home early today so I could attend the meeting tomorrow and as usual I got bored... and when I get bored something phun gets posted here. Hehe.

So I recently found out about this promo-game in Facebook called "Jollibee Sulit Sarap Challenge" wherein the top scorer for the week gets a P500 Gift Certificate from Jollibee (fastfood)... and it just hits me. I will hack for food! LOL

So I visited the application page and added it to my Facebook account then figured out the kung-fu behind it. As it turns out, its so bloody easy to hack -- less than a minute!

FireShot capture #1 - 'Facebook I Jollibee Sulit Sarap Challenge' - apps_facebook_com_jollibeegameapp_topScorers_php

OK First of all this is just harmless fun, I did not break any security scheme doing this.

Now I feel like a lowly script kiddy for doing this and its LAME so I won't even bother to redeem my hacked fast food. LOL.

But seriously, the guys who pitched this to Jollibee clearly wasn't thinking straight.

Guys IF I were seriously going to P4wN you I could have made my score just always above the rest and not put 73337 as a score. So take this as a free advice and better pull that game out until you fix the boboo -- but better make its good because IF I get bored again, I will come back and play to see IF you have learned the kung-fu.

Neo: I know kung fu.
Morpheus: [eyeing him, hand on chin] Show me.


UPDATE 2/26 - 1:33 PM

I got an email from the devs:

FROM: Jay Anthony Chiu

Good morning Mr. Filomeno!

We've read about your blog about the Jollibee Hack (link:, and we appreciate your concern. We actually have seen this when we had our internal tester hack into it, and we are currently working on a resolution for this.

But for the meantime, I hope you would be able to put down your blog entry about this matter.

We hope for your cooperation.


Take it down? Seriously its too late, here is my reply:

Hi Jay,

Is teamyehey = Yehey!?

I didn't realize that and would have contacted you guys straight regarding the matter, i guess i was too sleepy at 4AM in the morning to dig more about it. I could take down the post but its aggregated to 2 dozen other splogs and bots out there and it wouldn't make a difference anymore by this time. As you guys work with SEO you do realize that when the source link is taken out the, aggregating site takes the highest authority on the subject thus updates (when you guys fixed it) to the original article wont be reciprocated anymore. Such that searches to "Jollibee Hack" would show the aggregating sites as top result and not the original post with updates with the fix .

Anyway I have made sure not to disclose the exploit vector on the post and only that its possible and its just easy for my level.

Finally, im sure it would only take 15-30 mins to fix the exploit vector, let me give you guys tips.

1. Never trust user input - hash the submitted data so that if tampered the hash will invalidate it. A hash with salt plus arbitrary padding data makes it almost impossible to figure out and crack the hash.

2. Use AMF - its a native Flash communication transport, by itself its not very effective but will protect the data from prying eyes like proxies.

3. Encrypt the entire data sent - SHA1 will be good enough and very simple to implement.

Did I make sense on the reply? What do you think guys? Will a take down really help fix it or just hide the fact that it has problems without giving users warning that the system is being gamed. Surely I'm not a hypocrite enough to say I'm the only one who can do this. Send feed backs on the comment and I'll decide later this day if take a down is necessary.

Finally, my hi-score has already been taken out from the database (thank God), but I do hope they really fix it soon coz I'm getting hungry :D


pro said...

bad Goodie.. bad.. hahahaha!

anyways, i just hope whoever wrote the app will learn something.

are you sure you don't want the P500 gift certificate? lol.

Chameleon Whitesilver said...

fooood... hahaha ayaw mo? cge pro, hati tayo... hehehe

but joking aside, they really should check that security thing... dapat man lng nagtest muna sila ng loopholes on the scheme before making it online...

or else it would be those who found that out, mostly tech people, who will redeem the FOOD... hahaha

myvideoke said...

you are the man!!!

Mr. Emil Jaranilla said...

Hey sir godie! ang galing mo talaga! mas naiinspire ako maging developer kesa sa designer which is my hobby ryt now..:)the best developer tlga! hhe..:)

Related Links