Monopoly City Streets Vulnerability
The first thing I noticed with this online game is how easy it is to hack other accounts. Normally, when you forget your password, you answer a secret question and the password is emailed to the address on the account. However, since Monopoly City Streets does not require an email address to sign up, it is just a matter of guessing the answer to the secret question. What makes it even easier is that there is only one secret question: What is your pet’s name? With just a few common pet names, it doesn’t take long to answer that question and be able to change the person’s password.
Is There An Easier Way to Type In These Names?
Soon after typing these pet names in one by one, I thought to myself that there had to be an easier way. And yes, there is! Firefox has an add-on called iMacros. It allows you to automate things like filling out forms, which is exactly what we are doing. The problem was that writing the code for iMacros took some time, as the pet names are case sensitive. Here is the example code using just 3 pet names:
VERSION BUILD=6240709 RECORDER=FX
TAB T=1
URL GOTO=https://www.monopolycitystreets.com/game.html#en
TAG POS=4 TYPE=INPUT:TEXT FORM=NAME:NoFormName ATTR=* CONTENT=Abby
TAG POS=1 TYPE=INPUT:SUBMIT FORM=NAME:NoFormName ATTR=VALUE:SET<SP>PASSWORD
TAG POS=4 TYPE=INPUT:TEXT FORM=NAME:NoFormName ATTR=* CONTENT=abby
TAG POS=1 TYPE=INPUT:SUBMIT FORM=NAME:NoFormName ATTR=VALUE:SET<SP>PASSWORD
TAG POS=4 TYPE=INPUT:TEXT FORM=NAME:NoFormName ATTR=* CONTENT=Angel
TAG POS=1 TYPE=INPUT:SUBMIT FORM=NAME:NoFormName ATTR=VALUE:SET<SP>PASSWORD
TAG POS=4 TYPE=INPUT:TEXT FORM=NAME:NoFormName ATTR=* CONTENT=angel
After playing that macro you will notice that it enters two names, each in both uppercase and lowercase, and clicks Set Password. NOTE: You will have to manually enter the password you would like to change it to first. Then click Play in the iMacros add-on.
The only problem here is that it takes a long time to build up the code to try many pet names.
Need A List of Common Pet Names?
After searching online for a long list of pet names I began to notice there were many short ones but no long list. So I needed an easy way to combine these lists into one that would not include the duplicates and alphabetically sort them. That’s when I realized the need to write my own program to do this for me.
Program CombinedLists and Other Goodies
The program performs the following:
- Combines 2 lists excluding duplicate names
- Sorts the combined list alphabetically
- Asks for a filename to save to
- Saves a .txt file and a .iim file for iMacros to use. (Conveniently, it generates the iMacros code, so all you need to do is copy and paste.)
- Tells you how many names you have.
The Program requires the following:
- Each list must be saved as a .txt file with ONE name per line
- When loading both files, include the .txt extension
- When saving the combined list, do not include the .txt extension
- Maximum of 10,000 names in 1st list
- Maximum of 1,000 names in 2nd list
- Maximum of 11,000 names in combined list
- It is easiest to load lists from the folder the program is run from.
I wrote the program in C++. I have included the program, a large list of pet names (2303 names), and the code of that list for iMacros.
Prevention
The only sure way to prevent your account from being hacked is to use a password as your pet name, so that the answer cannot be guessed. Just don’t forget your password!
UPDATE:
Although you can still guess people’s pet names manually, this hack has been prevented with a CAPTCHA.
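The control this reset form lacked is a limit on secret-answer guesses per account. A minimal server-side throttle is sketched here as an added example; it is not code from the game or from the original post, and `ResetGuard`, `replay`, the thresholds and the sample account are assumptions made for illustration.

```python
import hmac
from collections import defaultdict, deque

MAX_FAILURES = 3        # assumed policy: failed answers allowed per window
WINDOW_SECONDS = 3600   # assumed sliding window length


class ResetGuard:
    """Throttles secret-answer guesses per account (hypothetical helper)."""

    def __init__(self, answers):
        self._answers = answers               # account -> stored secret answer
        self._failures = defaultdict(deque)   # account -> failure timestamps

    def _recent_failures(self, account, now):
        q = self._failures[account]
        while q and now - q[0] >= WINDOW_SECONDS:
            q.popleft()                       # forget failures outside the window
        return len(q)

    def attempt(self, account, answer, now):
        """Return 'reset_allowed', 'wrong_answer' or 'locked'."""
        # Check the lock before comparing, so a correct guess made after the
        # limit is refused too and reveals nothing about the answer.
        if self._recent_failures(account, now) >= MAX_FAILURES:
            return "locked"
        stored = self._answers.get(account, "")
        # Case-sensitive comparison, as on the site; constant-time to be safe.
        if stored and hmac.compare_digest(stored.encode(), answer.encode()):
            return "reset_allowed"
        self._failures[account].append(now)
        return "wrong_answer"


def replay(guard, account, guesses, start=0, step=2):
    """Feed guesses to the guard, one every `step` seconds; return outcomes."""
    return [guard.attempt(account, g, start + i * step)
            for i, g in enumerate(guesses)]


# Constructed sample: an account whose answer is a common pet name, and a
# guess list shaped like the macro in the post (each name in two letter cases).
guard = ResetGuard({"player1": "angel"})
print(replay(guard, "player1", ["Abby", "abby", "Angel", "angel"]))
```

A per-account lock also blocks the real owner until the window passes, so the same threshold can instead trigger a CAPTCHA, which is the fix the site adopted.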
Nice work. Remember looking at posts like these and wondering wow how did they ever think of that? 😀
You do realize that you can change the secret question while signing up by clicking into that field and typing something else?
Yes thank you for mentioning that because I didn’t clear that up. Most people don’t realize that and the accounts where the secret question has not changed from the default question (What is your pet’s name?) are the accounts that are more easily hacked. Think about it. If they haven’t changed the question it is more likely they blatantly answered it.
Darn! I should have found this before Google added reCAPTCHA to the page. Nice!
I want to quote your post in my blog. May I?
And do you have an account on Twitter?
Hi there,
I have already seen it somewhere…
Thanks
Hi there,
This was a good idea!
Thanks
I just wanted to say your website is one of the nicely laid out, most inspirational I’ve come across in quite a while. Thx! 🙂