Wednesday, September 22nd, 2010

Put me in Coach!

*** UPDATE ***
Rex Grossman is out for the season.  ESPN has fixed the issues I discussed below.  However, before you give up on your fantasy football season, apparently there is a stored XSS that I missed.  This guy will have details posted soon –> .  The fun never stops :)
*** UPDATE ***

First, some background.  I love American football.  My team is the Chicago Bears.   I’ve been a Bears fan since the 80’s when Walter Payton, Mike Singletary, and Jim McMahon dominated the field.  The last few years as a Bears fan have been difficult, but I’ve hung in there.  A few years ago the Bears had a quarterback named Rex Grossman.  To put it lightly, he wasn’t the greatest QB a team could have; in fact, the Bears have traded him away.  I never really liked him.

Earlier this month, I was invited to play in a fantasy football league.  I’ve never played fantasy football, but I understood the rules and had many friends who played.  My friends (none of whom work with computers for a living) needed one more player to round out a league of 10 teams, so I decided to give it a shot.  Before the “season” begins, each player selects the football players they think will be the most successful during the season.  As my best player, I selected a running back named Ryan Grant who runs for the Green Bay Packers.  I was shocked to see my star player go down in the first game with a season-ending injury.  As I navigated the fantasy football website to find a replacement player, I came across several interesting issues.  Some of these issues would allow me to cheat and win (dropping arbitrary players from another team’s roster, modifying another team’s starting lineup), but I want to win fair and square (I guess that Midshipman honor code has stuck with me)… but as a notorious prankster I figured I could have a little fun with the bugs I discovered.

When a team owner decides to add a new player to their roster, they navigate through several menus and selection screens.  The final confirmation URL for adding a player to the bench looks something like this:


The leagueId represents the “league” in which our teams are playing.  The trans parameter represents the actual transaction.  Looking at the trans parameter, I’ve broken the various pieces into the following:

2 <– this is the type of transaction to be executed

4480 <– This is the unique player ID for Rex Grossman

-1 <– some sort of increment value/ counter?

1002 <– another value that describes the transaction

3 <– team id for my team

20 <– not sure what this number is

Unfortunately for the other players in my league, the fantasy football application does a poor job of authorization checking.  The server never verifies that the team named in the trans parameter belongs to the logged-in user, so I can manipulate the trans parameter to add an arbitrary player to any team’s roster.   I decided to add Rex Grossman to the bench of one of my rivals (not the starting lineup).

Soon after adding Rex to my rival’s bench, I spoofed an email from Rex Grossman with a plea to play.

A few days later, my rival was posting to the entire league that Rex Grossman had magically added himself to his roster and had emailed him to play.  My rival then dropped him from the roster before the next weeks play.

Unfortunately for my rival, Rex is a persistent player.  This week I traded him from waivers for another player on my rival’s team.  Trading from waivers/free agency is a bit more involved and the query string is longer, but the overall gist is the same (I also had to fake the waiver transaction ID).


The numbers before the “|” character belong to the player who is to be dropped from the roster (the bench) to waivers while the numbers after the pipe character represent the player to be added to the roster (to the bench, not the starting lineup).  In this example, I’ve dropped T.J. Houshmandzadeh off of my rival’s bench roster and added Rex Grossman back to the bench.
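The two flaws described above, the add-player transaction that trusts the team id in the request and the waiver transaction whose ID could be faked, come down to the same server-side fix: bind every roster transaction to the authenticated owner of the team and issue transaction IDs the client cannot predict. The following is an added example written for this post, not ESPN’s code and not the author’s. It keeps the six-field breakdown of the trans parameter given above (type, player id, counter, subtype, team id, unknown trailing value) and Rex Grossman’s player id 4480, but the underscore separator, the field names, the in-memory league store, the rival team id 7, the user ids and the second player id 1111 are all constructed assumptions.

```python
"""Authorization for fantasy roster transactions (added example, not ESPN code).

Models a roster "add" that takes its team id from the request, first without
an ownership check (the flaw described in the post) and then with one, and a
waiver claim whose confirmation token is random and bound to the user who
created it, so it cannot be guessed or replayed by another league member.
Field order follows the post; the '_' separator and all ids other than 4480
are assumptions for this example.
"""
import secrets
from dataclasses import dataclass, field

ADD_PLAYER = 2  # transaction type "2" is "add to bench" per the post's breakdown


@dataclass
class Transaction:
    kind: int       # type of transaction
    player_id: int  # unique player id (4480 = Rex Grossman per the post)
    counter: int    # the "-1" field; meaning unknown, carried through untouched
    subtype: int    # the "1002" field
    team_id: int    # team the transaction applies to
    extra: int      # the trailing "20" field; meaning unknown


def parse_trans(trans: str) -> Transaction:
    """Parse the six numeric fields of a trans value (separator assumed '_')."""
    parts = trans.split("_")
    if len(parts) != 6:
        raise ValueError("malformed trans parameter")
    try:
        nums = [int(p) for p in parts]
    except ValueError:
        raise ValueError("trans fields must be integers") from None
    return Transaction(*nums)


@dataclass
class League:
    league_id: int
    owners: dict                                   # team_id -> owning user id
    benches: dict = field(default_factory=dict)    # team_id -> [player ids]
    pending: dict = field(default_factory=dict)    # token -> (user, team, drop, add)


def add_player_insecure(league: League, trans: str) -> bool:
    """Before: acts on whatever team_id the request names (missing authz)."""
    t = parse_trans(trans)
    league.benches.setdefault(t.team_id, []).append(t.player_id)
    return True


def add_player_secure(league: League, user_id: str, trans: str) -> bool:
    """After: the team in the request must belong to the authenticated caller."""
    t = parse_trans(trans)
    if t.kind != ADD_PLAYER:
        raise PermissionError("unexpected transaction type for this endpoint")
    if league.owners.get(t.team_id) != user_id:
        # Refuse (and in a real service, log) any attempt on a team the
        # caller does not own; the team id is a claim, not a credential.
        return False
    league.benches.setdefault(t.team_id, []).append(t.player_id)
    return True


def create_waiver_claim(league: League, user_id: str, team_id: int,
                        drop_id: int, add_id: int):
    """Issue an unguessable claim token tied to the caller and their team."""
    if league.owners.get(team_id) != user_id:
        return None
    if drop_id not in league.benches.get(team_id, []):
        return None  # can only drop a player actually on the caller's bench
    token = secrets.token_urlsafe(16)  # 128 bits of randomness, not a counter
    league.pending[token] = (user_id, team_id, drop_id, add_id)
    return token


def confirm_waiver_claim(league: League, user_id: str, token: str) -> bool:
    """Execute the drop|add only if the token exists and was issued to this user."""
    claim = league.pending.get(token)
    if claim is None or claim[0] != user_id:
        return False  # unknown, forged, already-used, or someone else's token
    _, team_id, drop_id, add_id = league.pending.pop(token)  # single use
    bench = league.benches[team_id]
    bench.remove(drop_id)
    bench.append(add_id)
    return True
```

The point of the two “secure” paths is that the server decides the target team from the session, not from the trans string, and that the waiver confirmation carries a random, single-use token rather than an ID that can be derived from a previous request.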

Of course, another spoofed email goes out to explain the situation.

We’ll see what next week brings.  I’ve contacted the fantasy football game provider (probably the largest provider in the US), hopefully they’ll fix it soon…

Posted by xssniper | Filed in Blogroll, Web Application Security

15 Responses to “Put me in Coach!”

  1. September 22nd, 2010 at 5:11 pm

    Jon said:

    You should remove the instructions on how to accomplish this.

  2. September 23rd, 2010 at 6:59 am

    Nopsled said:

    That’s both hilarious and slightly embarrassing as far as security goes. Even though the application wasn’t exactly filled with sensitive information, it’s still disappointing to see flaws like this in modern applications.

  3. September 23rd, 2010 at 11:03 am

    Ryan said:

    I’ve been trying to get this to work, but every time it brings me to a confirmation screen and then if I click confirm to add/drop another team’s player it says invalid transaction

  4. September 23rd, 2010 at 12:00 pm

    xssniper said:

    You’re going to have to forge the transaction ID. If you replay the params I provided, you’ll get an error and the transaction ID was for my specific trade.

  5. September 23rd, 2010 at 3:41 pm

    Prefect said:

    Doesn’t seem to work anymore, problem fixed?

  6. September 23rd, 2010 at 4:21 pm

    billy said:

    could u go a lil more in detail on how 2 do this?

  7. September 23rd, 2010 at 6:24 pm

    Joseph said:

    Deadspin taking credit for “discovering” this:

  8. September 23rd, 2010 at 7:07 pm » Blog Archive » ESPN Fantasy Football – What Billy Rios Missed said:

    […] I have run an ESPN Fantasy Football League every year since the software was available and am a huge fan of the ESPN Fantasy Football experience. However, last year I came across a series of vulnerabilities in the FFB software which basically give an attacker full control of opponent, and other league, teams. Very few people know of the research I was conducting as I was beginning the disclosure process with’s web developers. Today, to my complete surprise, I was made aware of these 2 articles: […]

  9. September 23rd, 2010 at 9:17 pm

    Andrew Brooks said:

    “Wow. I was going through the proper disclosure process on this with ESPN.”

    Yea! Fantasy Football vulnerabilities are serious business!

  10. September 30th, 2010 at 6:01 pm

    Khash_Ha.Ckers said:

    not fully fixed. i’m about to make a trade using an XSS vuln!

  11. September 30th, 2010 at 6:08 pm

    Khash_Ha.Ckers said:

    Run any ESPN transaction via a proxy, such as burp, and you’ll find some interesting stuff. Check out the headers and request parameters.

  12. October 10th, 2010 at 6:14 am

    Your Fantasy Football Player May Not Care About You - said:

    […] next best thing would be to hack the system. That’s what a tech-savvy blogger, Billy Rios, said he did in an ESPN fantasy league. As a notorious prankster I figured I could have a little fun with the bugs I […]

  13. October 11th, 2010 at 5:14 pm

    Fantasy Sports Business » Blog Archive » ESPN Security Issue Provides Fantasy Lesson said:

    […] with a “notorious prankster” who hacked into ESPN’s fantasy system to “have a little fun with the bugs I discovered.” Fortunately for all involved, the fantasy hackster had no interest was playing in a league […]

  14. December 19th, 2010 at 12:04 pm

    A Scheuer said:

    Rex Grossman is starting this week for the Redskins! I hope your friend starts him… lol

  15. August 25th, 2014 at 7:31 pm

    Not In This League | Wisconsin Lovers said:

    […] decent QBs are taken, and I don’t want to give anything up in a trade for them. But thanks to the flaw in ESPN’s system, I can force another team to drop their player, and pick him up […]
