Chess.com is one of the largest online Chess platforms. Their Android application, com.chess, ranks in the top 10 for many countries within Northern America and Northern Europe.

App Features

Account
Users of chess.com can record their username, first name, last name and location on their profile.

Friends
Users can find and invite friends.

Messages
Users can send messages to any other user, friend or not.

Games
The main feature from the user’s perspective is Chess gameplay.

Chat
Users can begin a chat during a game, separate from messages.

Data
Chess.com data can be found at the following file path.
/data/data/com.chess
Account
The user’s email address and password can be found in plaintext within shared_prefs/com.chess.app.login_credentials.xml.
The username can be found in a few files, but most notably shared_prefs/com.chess.app.session_preferences.xml, along with the timestamp of account creation and last login.
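The two shared_prefs files above use the standard Android SharedPreferences XML layout (a <map> of typed entries). The following is an added example, not code from the original post or from Chess.com, that parses such a file into a dictionary, renders epoch timestamps as UTC, and redacts credential-looking keys before they reach a report. The sample files and their key names (email, password, username, member_since, last_login) are constructed assumptions; the real com.chess files may use different keys.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Constructed sample files in the Android SharedPreferences XML layout.
# Key names are assumptions, not the real com.chess keys.
SAMPLE_LOGIN_CREDENTIALS = """<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
    <string name="email">analyst01@example.com</string>
    <string name="password">correct-horse-battery</string>
</map>
"""

SAMPLE_SESSION_PREFERENCES = """<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
    <string name="username">analyst01</string>
    <long name="member_since" value="1600000000" />
    <long name="last_login" value="1700000000000" />
    <boolean name="logged_in" value="true" />
</map>
"""

# Substrings that mark a key as holding a credential (assumed heuristic).
SENSITIVE_MARKERS = ("password", "passwd", "token", "secret")


def parse_shared_prefs(xml_text: str) -> dict:
    """Return {key: value} for every entry in a SharedPreferences <map>.

    <string> keeps its text; <int>/<long>/<float> become numbers;
    <boolean> becomes a bool; unknown element types keep their raw value.
    """
    root = ET.fromstring(xml_text)
    prefs = {}
    for child in root:
        name = child.get("name")
        if name is None:
            continue
        if child.tag == "string":
            prefs[name] = child.text or ""
        elif child.tag in ("int", "long"):
            prefs[name] = int(child.get("value"))
        elif child.tag == "float":
            prefs[name] = float(child.get("value"))
        elif child.tag == "boolean":
            prefs[name] = child.get("value") == "true"
        else:
            prefs[name] = child.get("value", child.text)
    return prefs


def epoch_to_utc(value: int) -> str:
    """Format a Unix timestamp as UTC; values above ~1e11 are treated as milliseconds."""
    seconds = value / 1000 if value > 10**11 else value
    return datetime.fromtimestamp(seconds, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")


def is_sensitive(key: str) -> bool:
    return any(marker in key.lower() for marker in SENSITIVE_MARKERS)


def build_report(prefs: dict) -> dict:
    """Copy of prefs with credentials redacted and large integers rendered as UTC times."""
    report = {}
    for key, value in prefs.items():
        if is_sensitive(key):
            report[key] = "<present, redacted>"
        elif isinstance(value, int) and not isinstance(value, bool) and value > 10**9:
            report[key] = epoch_to_utc(value)
        else:
            report[key] = value
    return report


if __name__ == "__main__":
    for label, text in (("login_credentials", SAMPLE_LOGIN_CREDENTIALS),
                        ("session_preferences", SAMPLE_SESSION_PREFERENCES)):
        print(label)
        for key, value in build_report(parse_shared_prefs(text)).items():
            print(f"  {key}: {value}")
```

The report only records that a password is present rather than copying its value, so the finding can be written up without the plaintext credential spreading into case notes. The millisecond-versus-seconds switch is a heuristic: the post does not state which unit the session file uses.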
Friends
Lots of interesting data can be found in the main database, databases/chess-database (no file extension). The friends list is included.


SELECT friends.id AS "ID", friends.username AS "Username", friends.first_name AS "First Name", friends.last_name AS "Last Name", datetime(friends.last_login_date, 'unixepoch') AS "Last Login" FROM friends
Messages
Messages are also found within the chess-database. The timestamp stored in the created_at column was consistent with the time the message was sent. Un/read status was not recorded.

SELECT datetime(messages.created_at, 'unixepoch') AS Sent, messages.conversation_id AS Conversation, messages.sender_username AS Sender, messages.content AS Message FROM messages ORDER BY messages.created_at
Games
The app appears to store a lot of data about games, not just games the user has played, but games the user has viewed too. game_start_time was consistent with the time of the first move, and timestamp was consistent with the time of the last move. The is_opponent_friend column appeared to update retrospectively: games played before the friend connection was made are shown as played with a friend.

SELECT datetime(daily_games.game_start_time, 'unixepoch') AS "First Move", datetime(daily_games.timestamp, 'unixepoch') AS "Last Move", daily_games.game_id AS "Game ID", daily_games.white_username AS "White", daily_games.black_username AS "Black", CASE daily_games.is_opponent_friend WHEN 1 THEN 'Friend' WHEN 0 THEN 'User' ELSE 'ERROR' END AS "Friend Status", daily_games.result_message AS "Result" FROM daily_games WHERE daily_games.white_username = '<< username >>' OR daily_games.black_username = '<< username >>' ORDER BY daily_games.timestamp
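The three queries above (friends, messages, games) can be driven from a script in the way an ALEAPP-style artifact parser would. The following is an added example, not code from the original post, from ALEAPP or from Chess.com: it builds an in-memory SQLite database with the column names the page's queries reference, loads constructed rows, and runs the page's queries with the username bound as a parameter rather than pasted into the SQL. The table definitions (column types) and every row are assumptions; only the column names come from the post.

```python
import sqlite3

# Constructed sample rows (not from a real device). Column names follow the
# queries in the post; column types and row contents are assumptions.
FRIENDS = [
    (101, "alice_rook", "Alice", "Rook", 1700000000),
    (102, "bob_knight", None, None, 1700086400),
]
MESSAGES = [
    (1700001000, 5, "alice_rook", "gg, rematch?"),
    (1700000500, 5, "analyst01", "good game"),
]
DAILY_GAMES = [
    # start, last move, game id, white, black, is_opponent_friend, result
    (1699990000, 1700001200, 9001, "analyst01", "alice_rook", 1, "analyst01 won by checkmate"),
    (1699900000, 1699950000, 9002, "bob_knight", "analyst01", 0, "Draw by agreement"),
    (1699800000, 1699850000, 9003, "carol_bishop", "dave_pawn", 0, "carol_bishop won on time"),  # viewed only
    (1699700000, 1699750000, 9004, "analyst01", "erin_queen", None, "erin_queen won by resignation"),
]


def build_sample_db() -> sqlite3.Connection:
    """Create the three tables with the page's column names and load the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.row_factory = sqlite3.Row
    conn.executescript("""
        CREATE TABLE friends (id INTEGER, username TEXT, first_name TEXT,
                              last_name TEXT, last_login_date INTEGER);
        CREATE TABLE messages (created_at INTEGER, conversation_id INTEGER,
                               sender_username TEXT, content TEXT);
        CREATE TABLE daily_games (game_start_time INTEGER, timestamp INTEGER,
                                  game_id INTEGER, white_username TEXT,
                                  black_username TEXT, is_opponent_friend INTEGER,
                                  result_message TEXT);
    """)
    conn.executemany("INSERT INTO friends VALUES (?,?,?,?,?)", FRIENDS)
    conn.executemany("INSERT INTO messages VALUES (?,?,?,?)", MESSAGES)
    conn.executemany("INSERT INTO daily_games VALUES (?,?,?,?,?,?,?)", DAILY_GAMES)
    return conn


FRIENDS_SQL = """
SELECT id AS "ID", username AS "Username", first_name AS "First Name",
       last_name AS "Last Name", datetime(last_login_date, 'unixepoch') AS "Last Login"
FROM friends ORDER BY id
"""

MESSAGES_SQL = """
SELECT datetime(created_at, 'unixepoch') AS "Sent", conversation_id AS "Conversation",
       sender_username AS "Sender", content AS "Message"
FROM messages ORDER BY created_at
"""

# The username is a bound parameter (:user), not spliced into the SQL text.
GAMES_SQL = """
SELECT datetime(game_start_time, 'unixepoch') AS "First Move",
       datetime(timestamp, 'unixepoch') AS "Last Move",
       game_id AS "Game ID", white_username AS "White", black_username AS "Black",
       CASE is_opponent_friend WHEN 1 THEN 'Friend' WHEN 0 THEN 'User' ELSE 'ERROR' END
           AS "Friend Status",
       result_message AS "Result"
FROM daily_games
WHERE white_username = :user OR black_username = :user
ORDER BY timestamp
"""


def run(conn: sqlite3.Connection, sql: str, params: dict = None) -> list:
    """Execute a query and return each row as a plain dict keyed by alias."""
    return [dict(row) for row in conn.execute(sql, params or {})]


def friends_report(conn: sqlite3.Connection) -> list:
    return run(conn, FRIENDS_SQL)


def messages_report(conn: sqlite3.Connection) -> list:
    return run(conn, MESSAGES_SQL)


def games_report(conn: sqlite3.Connection, username: str) -> list:
    """Games the given user played (viewed-only games are filtered out by the WHERE clause)."""
    return run(conn, GAMES_SQL, {"user": username})


if __name__ == "__main__":
    db = build_sample_db()
    for title, rows in (("Friends", friends_report(db)),
                        ("Messages", messages_report(db)),
                        ("Games", games_report(db, "analyst01"))):
        print(title)
        for row in rows:
            print("  ", row)
```

Two points the sample rows are chosen to exercise: a NULL is_opponent_friend value falls through to the ELSE branch and surfaces as "ERROR" rather than silently becoming a friend or a stranger, and, because the post observed that this column updates after the fact, a "Friend" status says only that the opponent is a friend now, not that they were one when the game was played. Timestamps are rendered by SQLite in UTC, matching the queries in the post.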
Chat
Users can message during a game. This chat is separate from the main Messages view, and starts blank each game. These messages do not appear to be stored on the device.
Evaluation
The account information includes username, email address and plaintext password. Friends may also include first names, last names and location if input by the user.
Storing passwords in plaintext is…not great. Their bug bounty initiative did not consider this as ‘within policy’. Their loss is our gain.
There was no coverage of in-game chat, suggesting it is server-side.
As always, this research has been submitted to ALEAPP!