  • Stars: 470
  • Rank 93,399 (Top 2 %)
  • Language: Go
  • License: BSD 2-Clause "Sim...
  • Created almost 10 years ago
  • Updated almost 4 years ago

Repository Details

Reverse engineering kahoot.it

Abstract

I have reverse engineered parts of the protocol used by kahoot.it. This repository contains the results of my labor.

Included tools

Currently, I have implemented the following tools:

  • kahoot-flood - using an old school denial of service technique, this program automatically joins a game of kahoot an arbitrary number of times. For instance, you can register the nicknames "alex1", "alex2", ..., "alex100".
  • kahoot-rand - connect to a game an arbitrary number of times (e.g. 100) and answer each question randomly. If you connect with enough names, one of them is bound to win.
  • kahoot-profane - circumvent Kahoot's profanity detector, allowing you to join with any nickname (but with extra length restrictions; it has to be short).
  • kahoot-play - play kahoot regularly, as if you were using the online client.
  • kahoot-html - I have notified Kahoot and they have fixed this issue. It used to allow you to join a game of kahoot a bunch of times with HTML-rich nicknames. This messes with the lobby of a kahoot game. See the screenshot in the example section.
  • kahoot-crash - trigger an exception on the host's computer. This no longer prevents the game from functioning, so it is a rather pointless "hack".
  • kahoot-xss - since I discovered this security hole, I contacted Kahoot and they fixed it. This used to run arbitrary JavaScript code on the host's computer. This exploited a bug with the pre-game player list, which did not sanitize HTML tags. The exploit itself was rather complicated due to the fact that nicknames are limited to 15 characters.

Dependencies

First, you must have the Go programming language installed on your machine.

Once you have Go installed and a GOPATH configured, you can use the following command to install the dependencies:

go get github.com/gorilla/websocket

Android

Download Termux on your Android device and run these commands:

apt update
apt install curl
curl https://raw.githubusercontent.com/unixpickle/kahoot-hack/master/kh-tmux-setup.sh > kh-tmux-setup.sh
chmod +x kh-tmux-setup.sh
./kh-tmux-setup.sh

Usage

Once you have all the needed dependencies, you can run the kahoot-flood/main.go program to execute the kahoot-flood tool. You can run the other tools in a similar fashion.

The XSS hack

NOTE: I have contacted Kahoot and they have fixed this bug. It would have posed an actual security threat to teachers using Kahoot.

The XSS hack allows you to run arbitrary JavaScript code on the coordinator's computer. This could be something like alert('hey'), or it could be something much more devious. The command is dead-simple to use as well; you can do something like go run kahoot-xss/main.go game-pin alert\(\). While this seems simple enough, I had to work around some very tough restrictions to get this to work.

The exploit I use only allowed me to execute five-character snippets of JavaScript at a time. Kahoot lets users inject 15 characters of HTML, so we can do something like <script>code. The problem is that the client code dumps some HTML tags after our script, so if we did <script>XXX, it would result in an eval like eval("XXX</span></li>"). To deal with this, the last two characters of our script need to be // to introduce a comment. This leaves us with five characters of JavaScript per nickname.

The obvious approach is to build a script string using string concatenations and then evaluate it. The problem is that eval(e) is 7 characters, and even something like e=eval is 6 characters, one over our limit. In the end, I exploited the fact that Kahoot uses jQuery. Using HTML element construction, I can create a bogus <img> that executes code (e.g. <img src="" onerror="MY_CODE">). Once I get this into a variable Z, I can do $(Z).

I initially tried building strings using a linear approach: a='', b='X', a+=b, etc. In theory, this works, but in practice it took way too long to be useful. Now, I use a highly-parallel logarithmic approach. First, I set 32 variables in parallel. Then I join these variables into 16 new variables in parallel (e.g. a=b+c). I repeat this until all 32 characters are concatenated into one variable. I then repeat the process for the next 32 characters of the string, until I have built the whole thing.

In sum, my program takes your script and puts it in a malicious <img> tag. It then builds a variable on the coordinator's browser with the contents of that tag. Finally, it puts the plan into action by invoking jQuery's conveniently short function name.
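
The class of fix this section points to, shown as an added example (not code from this repository or from Kahoot): the pre-game player list encodes each nickname before placing it in HTML, so a 15-character nickname cannot open a tag. The `<li><span>` wrapper is assumed from the `</span></li>` suffix mentioned above; function names and sample nicknames are constructed for illustration.

```javascript
// Added example. Markup shape is an assumption based on the "</span></li>"
// suffix the README says the client appends after the nickname.
const MAX_NICK = 15; // nickname length limit stated in the README

// Vulnerable form: the nickname is concatenated into HTML unescaped.
function renderPlayerUnsafe(nick) {
  return "<li><span>" + String(nick).slice(0, MAX_NICK) + "</span></li>";
}

const HTML_ESCAPES = {
  "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
};

function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Hardened form: truncate first, then encode. Truncating after encoding
// could cut an entity such as "&amp;" in half.
function renderPlayerSafe(nick) {
  return "<li><span>" + escapeHtml(String(nick).slice(0, MAX_NICK)) + "</span></li>";
}

// True when the rendered item holds any tag besides the expected wrapper.
function containsInjectedTag(html) {
  const inner = html.replace(/^<li><span>/, "").replace(/<\/span><\/li>$/, "");
  return /<[a-zA-Z\/!]/.test(inner);
}

// Constructed sample nicknames; the second uses the full 15 characters.
const SAMPLE_NICKS = ["alex1", "<script>x='a'//", "<b>hi</b>", "Tom & Jo"];

// Runs one renderer over the samples and reports which outputs carry markup.
function audit(render) {
  return SAMPLE_NICKS.map((nick) => ({
    nick,
    html: render(nick),
    injected: containsInjectedTag(render(nick)),
  }));
}

console.log(audit(renderPlayerUnsafe));
console.log(audit(renderPlayerSafe));
```

In a browser, assigning the nickname through `textContent` or jQuery's `.text()` gives the same result without hand-written escaping.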

Example

kahoot HTML screenshot

License

This is released under the 2-clause BSD license. See LICENSE.
