CBSSports.com Vulnerabilities

I want to start by thanking the folks at CBS Interactive and CBS Corporation for working so diligently with me on remediating the issues I discovered, and for responsibly disclosing these issues.

I am unlikely to ever play in the NFL.

I am less likely to ever play in MLB.

So, instead I play fantasy sports, and I play primarily on CBSSports.com.  It is the site my friends were using when I joined their leagues, and I haven't seen a need to change.

Last year, I discovered a few unintended features within the CBSSports sites. It started when I realized that I could CSRF the Trade and the Add/Drop functionality.  After a little more digging, I realized I didn't need to CSRF the trade functionality... Instead I could simply initiate a trade on another team's behalf.

You would think that knowing this I should have won my league.  Personally, I blame this epic fail on Cam Newton's slow start and Brandon Lloyd's cement hands. 


Mrs. Newton's favorite player. 

The folks at CBS Interactive and CBS Corporation were kind enough to take a look at the issues I had discovered, remediate these issues, and keep me involved during the entire process.

Of course, I couldn't leave well enough alone, so I took another look at the site and realized there were a few other issues that should be looked at.  

I am not sure about your league, but our league utilizes a lot of smack talk. 

Smack Talk (smak tawk): 

The art of telling another person off, belittling them or calling their momma fat, while in the heat of competition.

CBSSports sites have a number of ways to accomplish this, one of which is the Live Scoreboard Chat functionality.  Fortunately (or unfortunately, depending on your point of view), I found a way to submit chat posts on behalf of other teams.  It really made the conversation devolve quickly, as seen below.


Sorry, this is a family friendly blog. 

Lastly, I discovered an issue where I could update my "On the Block" section with players I don't even own.  It is kind of like trying to sell someone the Brooklyn Bridge, but instead of a bridge it is Mike Trout.  The deception won't last long, but is likely to give the Trout owner a heart attack.
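The three access-control issues described above (initiating a trade for another team, posting chat as another team, and putting players you don't own on the block) share one root cause: the server acts on whatever team or player identifier the request names without confirming that the logged-in user actually owns it. The CSRF finding is the separate failure of accepting a state-changing request without proof it came from the site's own page. The following is an added example, not CBSSports code, showing the ownership and anti-CSRF checks a handler for these actions needs; the user, team and player names and the in-memory tables are constructed for illustration.

```python
"""Added example (not CBSSports code): server-side checks that close the two
bug classes described in the post.

- Horizontal access control bypass: a request names a team (or players) the
  logged-in user does not own, and the server acts on it anyway.
- CSRF: a state-changing request is accepted without a per-session token
  proving it was submitted from the site's own page.

All fixture data below is constructed for the example.
"""
import hmac
import secrets

# Constructed fixture: which user owns which team, and each team's roster.
TEAM_OWNER = {"team-1": "alice", "team-2": "bob"}
ROSTER = {
    "team-1": {"player-10", "player-11"},
    "team-2": {"player-20", "player-21"},
}

# Per-session anti-CSRF tokens (a real app keeps these in the server-side session).
SESSION_CSRF = {}


class Forbidden(Exception):
    """Raised when the request fails a CSRF or ownership check."""


def issue_csrf_token(session_id):
    """Mint a random token, bind it to the session, and return it for embedding in the form."""
    token = secrets.token_urlsafe(32)
    SESSION_CSRF[session_id] = token
    return token


def require_csrf(session_id, submitted):
    """Reject the request unless the submitted token matches the session's token."""
    expected = SESSION_CSRF.get(session_id)
    if expected is None or submitted is None or not hmac.compare_digest(expected, submitted):
        raise Forbidden("missing or invalid CSRF token")


def require_team_owner(user, team_id):
    """The team id comes from the client; never let it imply ownership on its own."""
    if TEAM_OWNER.get(team_id) != user:
        raise Forbidden("%s does not own %s" % (user, team_id))


def require_roster(team_id, player_ids):
    """Every player named in the request must currently be on that team's roster."""
    missing = set(player_ids) - ROSTER.get(team_id, set())
    if missing:
        raise Forbidden("%s does not own %s" % (team_id, sorted(missing)))


def post_chat_vulnerable(user, team_id, message):
    """The defective pattern: trusts team_id, so any user can post 'as' any team."""
    return {"team": team_id, "message": message}


def post_chat(session_id, csrf_token, user, team_id, message):
    """Hardened chat handler: token check, then ownership check, then act."""
    require_csrf(session_id, csrf_token)
    require_team_owner(user, team_id)
    return {"team": team_id, "message": message}


def set_trading_block(session_id, csrf_token, user, team_id, player_ids):
    """Hardened 'On the Block' handler: the team must be the user's and the players the team's."""
    require_csrf(session_id, csrf_token)
    require_team_owner(user, team_id)
    require_roster(team_id, player_ids)
    return {"team": team_id, "on_block": sorted(player_ids)}


def propose_trade(session_id, csrf_token, user, from_team, give, to_team, want):
    """Hardened trade handler: only the proposing team's owner may initiate, and both sides' players must be real."""
    require_csrf(session_id, csrf_token)
    require_team_owner(user, from_team)
    require_roster(from_team, give)
    require_roster(to_team, want)
    return {"from": from_team, "give": sorted(give), "to": to_team, "want": sorted(want)}


def denied(handler, *args):
    """Helper for tests and demos: True if the handler refused the request."""
    try:
        handler(*args)
    except Forbidden:
        return True
    return False


if __name__ == "__main__":
    tok = issue_csrf_token("sess-alice")
    print(post_chat("sess-alice", tok, "alice", "team-1", "nice trade, bob"))
    print("alice posting as team-2 denied:", denied(post_chat, "sess-alice", tok, "alice", "team-2", "hi"))
    print("block with bob's player denied:", denied(set_trading_block, "sess-alice", tok, "alice", "team-1", ["player-20"]))
```

The ordering inside each handler matters: the cheap CSRF check runs first so a forged request never reaches business logic, and the ownership checks compare against server-side state rather than anything the client sent. The vulnerable variant is kept only to show what is missing; it is exactly the shape of handler that lets one league member act for another.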

So, feel free to take a look at the disclosures, and if you notice anything else, please let the fine people at CBS know (security.incidents@cbs.com)!

CBSSports.com Horizontal Access Control Bypass (Trades & Add/Drop)

CBSSports.com Cross-Site Request Forgery

CBSSports.com Horizontal Access Control Bypass (Scoreboard Chat)

CBSSports.com Horizontal Access Control Bypass (Trading Block)


Christopher Emerson