He noticed on the post data that you were able to send a custom email in the post data, so he replaced the email, not expecting anything until he received a email from Animal Jam and funny enough, once he clicked on the disable account link, it automatically overrided the email that is already linked to the account with the custom email you put in. Every account on Animal Jam is linked to a certain parent account, and since he got the endpoint for “/disable”, he was able to look at the post data (the data that is sent with the post request). A password reset endpoint.īasically, one of our researchers used Fiddler to capture all the traffic coming from the Animal Jam application because he was capturing all the traffic he managed to come across the “/disable” endpoint.
WELL KNOWSN ANIMAL JAM HACKERS FULL
On August 16, 2021, we discovered a 0day “no-auth” full account takeover on Animal Jam. Now that you understand the context before the main pwn without further ado, let’s get into the main pwn. So around October 2020, we made a threat that we were going to hack Animal Jam on Halloween, the community freaked and made a bunch of YouTube videos with WildWorks putting their servers on lock down.
From there, we wanted to test how much the community and the company WildWorks was afraid of apparent fake threats. [ As you can see from the compilation above, they believed we had an apparent “ip logger” and other malicious items, this gave us a notorious reputation as this group of “40 year olds in their mothers basement” that are very “1337”, which was not the case. With a limited time, we made a simple deface page and overwrote it to the index page. Surprisingly there was not much on the box, it was an AWS box and it was the box for the Animal Jam shop (). That was only the start, on August 6 2020, another one of our researchers (psuedo named HellSec) found the IP of one of their boxes, we assumed that we couldn’t get into it at first, but within a few hours, we managed to pwn the box. They shortly added rate limit globally to the API.
WELL KNOWSN ANIMAL JAM HACKERS REGISTRATION
This all started when one of our researchers (psuedo named Moon) looked into Animal Jam, he messed around with the API and told us that there wasn’t a rate limit on the RPS (Request Per Second), one of us wrote a script to automate the registration process and made hundreds of bots that joined the game servers which froze players clients. As the title suggests, this post will touch on how me and a few other junior security researchers (also nicknamed AstroSquad) were able to hack or pwn a poorly secured kids game called Animal Jam.
0 kommentar(er)
