14 DAY TRIAL // A security researcher has identified multiple vulnerabilities on ESPN's Fantasy Football website, which enables players to make unauthorized changes to their opponents' teams.
In fantasy sports games like Fantasy Football, the participants build virtual teams by drafting real players at the beginning of a season.
The weekly real life statistics of those players influence the virtual team's "fantasy points," which are needed to play against other participants.
Google security researcher Billy Rios, reveals on his blog that soon after he joined a fantasy football league at the request of his friends, he began discovering security holes on the website.
"As I navigated the fantasy football website to find a replacement player, I came across several interesting issues.
"There are some issues that allow me to cheat and win (dropping arbitrary players from another teams roster, modifying another teams starting lineup)," he says.
It seems the fantasy football application fails to properly check for authorization when receiving requests to perform certain actions. An attacker can exploit this weakness by manipulating confirmation URLs.
Rios used the bug add a rogue player to one of his opponent's team. Once the other person realized the change, he dropped the player, only for the security researcher to add him back.
In fact, the second time around, Rios actually traded a legit player from his opponent's team roster for the rogue one.
"Trading from waivers/free agency is a bit more complicated and the query string is a bit more complicated, but the overall gist is the same," he explained.
The researcher didn't name the Fantasy Football site and only said that it's "probably the largest provider in the US." However, according to The Register, it's ESPN.
Unfortuntely, with some Fantasy Football players placing bets on the outcome of these virtual games, flaws like these could be exploited for financial gain.