Chess.com is one of the largest online Chess platforms. Their Android application,
com.chess, ranks in the top 10 for many countries within Northern America and Northern Europe.
Users of chess.com can record their username, first name, last name and location on their profile.
Users can find and invite friends.
Users can send messages to any other user, friend or not.
The main feature from the user’s perspective is Chess gameplay.
Users can begin a chat during a game, separate to messages.
Chess.com data can be found at the following file path.
The user’s email address and password can be found in plaintext within
The username can be found in a few files, but most notably
shared_prefs/com.chess.app.session_preferences.xml, along with the timestamp of account creation and last login.
Lots of interesting data can be found within the main database,
databases/chess-database (no file extension), including the friends list.
SELECT friends.id AS "ID",
       friends.username AS "Username",
       friends.first_name AS "First Name",
       friends.last_name AS "Last Name",
       datetime(friends.last_login_date, 'unixepoch') AS "Last Login"
FROM friends
Messages are also found within the
chess-database. The timestamp stored in the
created_at column was consistent with the time the message was sent. Un/read status was not recorded.
SELECT datetime(messages.created_at, 'unixepoch') AS Sent,
       messages.conversation_id AS Conversation,
       messages.sender_username AS Sender,
       messages.content AS Message
FROM messages
ORDER BY messages.created_at
The app appears to store a lot of data about games, not just games the user has played, but games the user has viewed too.
game_start_time was consistent with the time of the first move, and
timestamp was consistent with the time of the last move. The
is_opponent_friend column appeared to update retroactively: games played before the friend connection was made are also shown as being with a friend.
SELECT datetime(daily_games.game_start_time, 'unixepoch') AS "First Move",
       datetime(daily_games.timestamp, 'unixepoch') AS "Last Move",
       daily_games.game_id AS "Game ID",
       daily_games.white_username AS "White",
       daily_games.black_username AS "Black",
       CASE daily_games.is_opponent_friend
           WHEN 1 THEN 'Friend'
           WHEN 0 THEN 'User'
           ELSE 'ERROR'
       END AS "Friend Status",
       daily_games.result_message AS "Result"
FROM daily_games
WHERE daily_games.white_username = '<< username >>'
   OR daily_games.black_username = '<< username >>'
ORDER BY daily_games.timestamp
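The daily_games query above as a read-only, parameterised extraction, added here as an example and not taken from the original post or from ALEAPP: it opens the database with SQLite's mode=ro URI and binds the username instead of editing it into the SQL. The column types, the sample rows and the names games_for_user and build_sample_db are assumptions constructed for the example.

```python
import os
import sqlite3
import tempfile
from pathlib import Path

GAMES_SQL = """
SELECT datetime(game_start_time, 'unixepoch') AS first_move,
       datetime(timestamp, 'unixepoch')       AS last_move,
       game_id, white_username, black_username,
       CASE is_opponent_friend WHEN 1 THEN 'Friend' WHEN 0 THEN 'User'
            ELSE 'ERROR' END                  AS friend_status,
       result_message
FROM daily_games
WHERE white_username = :user OR black_username = :user
ORDER BY timestamp
"""

def games_for_user(db_path, username):
    """Return games involving `username` (times in UTC) without writing to the file."""
    # mode=ro makes SQLite refuse writes, so the extracted copy is not altered.
    uri = Path(db_path).resolve().as_uri() + "?mode=ro"
    conn = sqlite3.connect(uri, uri=True)
    try:
        return conn.execute(GAMES_SQL, {"user": username}).fetchall()
    finally:
        conn.close()

def build_sample_db(path):
    """Constructed stand-in for chess-database; column types are assumed."""
    conn = sqlite3.connect(path)
    conn.execute("CREATE TABLE daily_games (game_id INTEGER, game_start_time INTEGER, "
                 "timestamp INTEGER, white_username TEXT, black_username TEXT, "
                 "is_opponent_friend INTEGER, result_message TEXT)")
    conn.executemany("INSERT INTO daily_games VALUES (?,?,?,?,?,?,?)", [
        (1, 1600000000, 1600003600, "examiner_test", "opponent_a", 1, "White wins"),
        (2, 1600100000, 1600100900, "opponent_b", "opponent_c", 0, "Draw"),  # viewed only
        (3, 1600200000, 1600200300, "opponent_d", "examiner_test", None, "Black wins"),
    ])
    conn.commit()
    conn.close()

if __name__ == "__main__":
    sample = os.path.join(tempfile.mkdtemp(), "chess-database")
    build_sample_db(sample)
    for row in games_for_user(sample, "examiner_test"):
        print(row)
```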
Users can message during a game. This chat is separate from the main Messages view, and starts blank each game. These messages do not appear to be stored on the device.
The account information includes username, email address and plaintext password. Friends may also include first names, last names and location if input by the user.
Storing passwords in plaintext is…not great. Their bug bounty initiative did not consider this as ‘within policy’. Their loss is our gain.
There was no coverage of in-game chat, suggesting it is server-side.
As always, this research has been submitted to ALEAPP!