Input Validation Vulnerability: Blaze.com Mines Exploit
How a dumb input validation error made winning on Blaze.com way too easy.
How I found a critical vulnerability in the Mines game on Blaze.com.
It all started on December 16th, 2024, around 8:03 PM. I was looking around the site, specifically the Mines game. For those who don't know, Mines is a classic game where you have a grid of squares (0 to 24), and some contain diamonds while others contain bombs. The goal is to click the diamonds and cash out before hitting a bomb.
In this game the grid is indexed from 0 (first block) to 24 (last block).
Discovery
Using Burp Suite to intercept the traffic, I noticed that whenever I clicked, it sent a POST request to:
/api/singleplayer-originals/originals/games/mines/play
Here's what the request looked like:
POST /api/singleplayer-originals/originals/games/mines/play HTTP/2
Host: blaze1.space
Authorization: Bearer xxxxxxxxxx
Content-Type: application/json;charset=UTF-8

{
  "bet_slip_id": "1279537798",
  "type": "mines-click-tile",
  "payload": {
    "position": 5
  }
}
The interesting part here is the payload object, specifically the position parameter.
I decided to see what would happen if I sent a position that shouldn't exist. I tried sending a very large number and a negative number.
To my surprise, the server counted it as a valid diamond!
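A server-side check for the position field described above, as an added example that is not part of the original post and is not Blaze's code. The Round class, the function names and the "unchecked" logic are assumptions: they illustrate how an out-of-range index ends up treated as a diamond when the server only tests membership in the bomb set.

```python
# Added example: server-side validation for a Mines "click tile" request.
# All names here (Round, click_tile_*, GRID_SIZE) are hypothetical.
from dataclasses import dataclass, field

GRID_SIZE = 25  # tiles are indexed 0..24, as described in the post


class InvalidMove(Exception):
    """Raised when a click must be rejected without changing round state."""


@dataclass
class Round:
    bombs: frozenset            # bomb tile indexes, chosen server-side
    revealed: set = field(default_factory=set)
    active: bool = True


def click_tile_unchecked(rnd, position):
    # Assumed flawed logic: "not a bomb" is treated as "diamond", so any
    # value outside the board (or a repeated tile) counts as a safe pick.
    if position in rnd.bombs:
        rnd.active = False
        return "bomb"
    rnd.revealed.add(position)
    return "diamond"


def click_tile_validated(rnd, payload):
    if not rnd.active:
        raise InvalidMove("round is not active")
    position = payload.get("position") if isinstance(payload, dict) else None
    # bool is a subclass of int in Python, so compare the exact type;
    # floats, strings and null from the JSON body are rejected here too.
    if type(position) is not int:
        raise InvalidMove("position must be an integer")
    if not 0 <= position < GRID_SIZE:
        raise InvalidMove("position is outside the board")
    if position in rnd.revealed:
        raise InvalidMove("tile already revealed")
    if position in rnd.bombs:
        rnd.active = False
        return "bomb"
    rnd.revealed.add(position)
    return "diamond"
```

Rejected clicks raise before any state changes, so a malformed request can neither advance the multiplier nor end the round.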

Impact
This meant I could "click" on safe spots that didn't even exist on the board, guaranteeing a win every single time.
And yes, the money was real. I was able to withdraw the money using PIX as the payment method (which is available on the website).
2024-12-17 x0:xxPM xxxxxxxx Pix 200.00 complete Payment Approved
2024-12-17 20:xxPM xxxxxxxx Pix 300.00 complete Payment Approved
2024-12-17 x0:xxPM xxxxxxxx Pix 200.00 complete Payment Approved
2024-12-17 20:xxPM xxxxxxxx Pix 210.00 complete Payment Approved
2024-12-17 20:xxPM xxxxxxxx Pix 150.00 complete Payment Approved
2024-12-17 x0:xxPM xxxxxxxx Pix 200.00 complete Payment Approved
2024-12-17 20:xxPM xxxxxxxx Pix 200.00 complete Payment Approved
2024-12-17 20:xxPM xxxxxxxx Pix 200.00 complete Payment Approved
2024-12-17 x0:xxPM xxxxxxxx Pix 100.00 complete Payment Approved
2024-12-17 20:xxPM xxxxxxxx Pix 200.00 complete Payment Approved
2024-12-17 20:xxPM xxxxxxxx Pix 210.00 complete Payment Approved
2024-12-17 20:xxPM xxxxxxxx Pix 220.00 complete Payment Approved

"Fix"
The next day, December 17th, 2024, at 9:05 AM, they put up a "Service Maintenance" page.

However, this was just a frontend overlay! It was easily bypassable by simply inspecting the element and deleting the overlay. Once removed, the game (and the exploit) worked just as before. :)
Note: The vulnerability has already been fixed :).