ChessNitro Web

Shows Discord Nitro Code from chess.com username

Tekijä
kpxyy
Päivittäiset asennukset
2
Asennuskerrat
151
Arvostelut
1 0 0
Versio
1.0.1
Luotu
8.9.2024
Päivitetty
13.9.2024
Lisenssi
the-unlicense
Käytössä

ChessNitro

The way ChessNitro works is by getting the User's UUID of the chess.com player.

Chess.com uses version 1 uuids to identify bots, players, and etc.

After getting the User's UUID, Then you'll have to get the promotional code by sending a request to https://www.chess.com/rpc/chesscom.partnership_offer_codes.v1.PartnershipOfferCodesService/RetrieveOfferCode, and the body should have the campaignId (The partnership they're doing, like Discord for example) & userUUID. Furthermore, when sending a request to this with a different UUID that isn't yours, it will still work, but it's not mean't to work whatsoever.

The codes aren't validated as the server doesn't check if they already claimed the code. So you'll have to self-validate the discord nitro promotional codes yourself.

With this vulnerability on chess.com's end, you aren't meant to redeem other chess.com players promotional codes. This can be also replaced besides claiming discord nitro promotionals with their next partnership they can do.

What the chess.com development team can do is require authentication on the endpoint and actually check if it's the User's UUID being used, if not, then it can easily deny access to the endpoint.

This vulnerability was noticed 10 hours after the promotion by Discord X chess.com was started. So far, 2 other people after that point noticed this issue, But other people are using account generators.

This project will be publicly archived when the issue is fixed, resolved, or leaked/used by others.

Note

The author is not responsible for any malicious, harmful or illegal use of this project. This is to show that it's possible to do this vulnerability within chess.com and it needs to be resolved.

How to use

  1. Type the username, or use the get opponent or get profile button.
  2. Press search.
  3. It should return a alert with the nitro code.

Known Issues

Not all Nitro codes will be unclaimed, and it can be claimed by the user already.

You can only get a nitro code every few minutes.

License

This project is licensed under The Unlicense.