Researchers are split on whether someone could hack into the New York Times’ massively popular game Wordle and change the daily word users are forced to figure out.
But Thomason’s post goes a step further – surmising that not only could a hacker see the list of future Wordle answers but that someone could even change the answer to anything they wanted.
“I also realized that it may actually be possible to change future answers to the puzzle. Not to cheat, but to create a problem by changing the word to something offensive, or inflammatory,” he wrote.
“My experience tells me it might be possible to use a POST method to change an item served by an API. Why do I think this? When the GET method is easily accessible, function-level authorization is broken, and authentication is not present (it isn’t with Wordle), it’s not a stretch to guess this is possible.”
Thomason said it would be easy to test this but would require someone to guess the “primary keys” needed to change the record – something he believes could be done “in a matter of hours if not minutes.”
He decided against testing this because he did not want to break any laws and thought it was better to simply submit a responsible disclosure notice to The New York Times. His team also reached out to the newspaper giant in other ways to notify them of the potential issue.
Thomason said it would be difficult to know how The New York Times might fix an issue like this without knowing how the backend of the game is constructed and whether the daily words are stored in a database or text file. If it is simply a file, the fix would require some re-architecting of the application.
The New York Times might “need to change the logic (or permissions) of the backend so that any kind of ‘write’ attempts would not be permitted,” he wrote.
“In the worst case scenario, they will need to change the application such that the answer doesn’t leave the server until the user answers correctly. Or until a user misses on the sixth attempt,” he said.
A spokesperson for The New York Times denied that anyone would ever be able to change the daily Wordle. The game is played by nearly 300,000 people each day, according to the newspaper.
“We’re aware of the analysis that NoName published, as they also provided it to us through The New York Times’s vulnerability disclosure process. This is not a security vulnerability, it is part of the architecture of the Wordle game,” the spokesperson said.
“We appreciate the outside security analysis, thank NoName and their security researchers for their participation and engagement with Wordle and encourage continued participation in our VDP.”
Mike O’Malley, chief marketing officer at Noname Security, said they never heard back from The New York Times but were glad that the newspaper is aware of the problem and does not think it is a security issue.
Noname Security’s primary concern was that the issue may have “slipped through the cracks,” but O’Malley said it was clear that the newspaper “takes cybersecurity seriously.”
“We specifically alerted the New York Times because we were concerned someone might be able to use their API in a slightly different manner to actually CHANGE the answer. We thought it would be possible but didn’t go any further, and instead reached out to the NYT,” O’Malley said.
“If the NYT thinks that it’s not possible to change the password through the API, then we couldn’t be happier that they have secured this potential attack vector.”
Experts largely backed The New York Times’ assessment that changing the daily Wordle through the method described by Noname Security would not work.
Thomas Whitmire, senior adversarial engineer at LARES Consulting, said the API allowing an unauthenticated GET request to return the answer may be a fundamental function of the API.
“Not every API that allows a GET request will have a corresponding POST function to be handled. Performing any other HTTP method would likely return a ‘Method not allowed’ or ‘Not authorized’,” he said.
Salt Security’s Nick Rago echoed that assessment, noting that while it is true that the Wordle app’s gameplay design does not do much to hide or obfuscate answers to present and future word puzzles, there is no indication that the same API endpoint would contain a vulnerability that would allow an attacker to change answers to future puzzles.
Rago tested the method himself and noted that the Wordle endpoint does not execute any HTTP methods other than a GET, and returns any POST, PUT, or DELETE HTTP commands promptly with a 405: Method Not Allowed.
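The two backend designs Thomason describes (a server that refuses any write method outright, and one that keeps the answer on the server until the player solves the puzzle or misses the sixth attempt), together with the 405 behaviour Rago observed, as an added Python example. This is not code from the article, from Noname Security or from The New York Times: the answer list, dates, endpoint paths (`/puzzle/<date>`, `/guess`), JSON shapes and session handling are all constructed assumptions and say nothing about how Wordle’s real API is built.

```python
import http.server
import json
import threading
import urllib.error
import urllib.request

# Constructed sample data (hypothetical): a date-keyed answer list that lives only on the server.
ANSWERS = {"2022-02-01": "crane", "2022-02-02": "slate"}
MAX_ATTEMPTS = 6
# Server-side attempt counter keyed by (session, date). A real deployment would key this on an
# authenticated, unguessable session token instead of a client-chosen string (assumption).
ATTEMPTS = {}


def score_guess(guess, answer):
    """Wordle-style feedback: G = right letter, right place; Y = in the word elsewhere; - = absent.
    Greens are marked first so a repeated letter is not double-counted as yellow."""
    guess, answer = guess.lower(), answer.lower()
    result = ["-"] * len(answer)
    remaining = list(answer)
    for i, (g, a) in enumerate(zip(guess, answer)):
        if g == a:
            result[i] = "G"
            remaining[i] = None
    for i, g in enumerate(guess):
        if result[i] == "-" and g in remaining:
            result[i] = "Y"
            remaining[remaining.index(g)] = None
    return "".join(result)


def evaluate(session, date, guess):
    """Grade one guess; the answer is included only on a solve or on the sixth failed attempt."""
    answer = ANSWERS.get(date)
    if answer is None or len(guess) != len(answer) or not guess.isalpha():
        return 400, {"error": "bad date or guess"}
    key = (session, date)
    if ATTEMPTS.get(key, 0) >= MAX_ATTEMPTS:
        return 403, {"error": "no attempts left"}
    ATTEMPTS[key] = ATTEMPTS.get(key, 0) + 1
    feedback = score_guess(guess, answer)
    solved = feedback == "G" * len(answer)
    reply = {"feedback": feedback, "solved": solved, "attempt": ATTEMPTS[key]}
    if solved or ATTEMPTS[key] == MAX_ATTEMPTS:
        reply["answer"] = answer
    return 200, reply


class PuzzleHandler(http.server.BaseHTTPRequestHandler):
    def _send(self, status, body, allow=None):
        data = json.dumps(body).encode()
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(data)))
        if allow:
            self.send_header("Allow", allow)  # tells the client which methods exist at all
        self.end_headers()
        self.wfile.write(data)

    def do_GET(self):
        # Puzzle metadata only: no GET response ever carries the answer field.
        date = self.path.rsplit("/", 1)[-1]
        if self.path.startswith("/puzzle/") and date in ANSWERS:
            self._send(200, {"date": date, "max_attempts": MAX_ATTEMPTS})
        else:
            self._send(404, {"error": "not found"})

    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        raw = self.rfile.read(length)
        if self.path != "/guess":
            return self._send(404, {"error": "not found"})
        try:
            req = json.loads(raw)
            status, body = evaluate(str(req["session"]), str(req["date"]), str(req["guess"]))
        except (ValueError, KeyError, TypeError):
            status, body = 400, {"error": "malformed request"}
        self._send(status, body)

    def _reject(self):
        # Write methods against the answer store are simply not implemented: 405 plus Allow.
        self.rfile.read(int(self.headers.get("Content-Length", 0)))  # drain any body
        self._send(405, {"error": "method not allowed"}, allow="GET, POST")

    do_PUT = do_PATCH = do_DELETE = _reject

    def log_message(self, *args):  # keep the demo quiet
        pass


def start_server():
    srv = http.server.ThreadingHTTPServer(("127.0.0.1", 0), PuzzleHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def call(base, method, path, body=None):
    """Tiny loopback client returning (status, decoded JSON) for both 2xx and error responses."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(base + path, data=data, method=method,
                                 headers={"Content-Type": "application/json"})
    try:
        with urllib.request.urlopen(req) as r:
            return r.status, json.loads(r.read())
    except urllib.error.HTTPError as e:
        return e.code, json.loads(e.read())


def demo():
    """Exercise the server on loopback: read, attempted overwrite, a near miss and a solve."""
    srv = start_server()
    base = "http://127.0.0.1:%d" % srv.server_address[1]
    out = {
        "get": call(base, "GET", "/puzzle/2022-02-01"),
        "put": call(base, "PUT", "/puzzle/2022-02-01", {"answer": "xxxxx"}),
        "guess1": call(base, "POST", "/guess", {"session": "s1", "date": "2022-02-01", "guess": "crate"}),
        "guess2": call(base, "POST", "/guess", {"session": "s1", "date": "2022-02-01", "guess": "crane"}),
    }
    srv.shutdown()
    return out


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

The PUT in `demo()` comes back as 405 with an `Allow: GET, POST` header because no write handler exists, which is the outcome Rago reported; the GET returns only metadata, and the answer string first appears in the POST reply that solves the puzzle (or in the reply to a sixth wrong guess). Moving grading server-side does mean the game stops being playable offline and the server must track attempts per session, which is the re-architecting cost Thomason alludes to.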
Vulcan Cyber’s Mike Parkin said that while the minor dispute is entertaining, it does highlight the larger trend of improperly secured, world-facing APIs.
“There are a number of ways to secure the back end and keep attackers from manipulating the API, which reduces the threat from this sort of attack,” he said. “The key is whether the API is, in fact, properly secured, which it should be if the developer was following industry best practices.”