ESPN’s Fantasy Football site is plagued by flaws that make it easy for users to cheat, according to a security researcher.
The flaw lies in the confirmation URL that a participant must click as the final step when adding a new player to an existing roster. It was discovered by Billy (BK) Rios, who writes about it in a Sept. 22 entry on his blog, at http://xs-sniper.com.
“Unfortunately for the other players in my league, the fantasy football application does a poor job of authorization checking,” writes Rios. “These poor checks allow me to manipulate the trans parameter to add an arbitrary player to any team’s roster.”
Rios said the ESPN website vulnerability also made it possible to drop players from teams or alter lineups, but he chose not to. Instead, Rios tested the security slip by playing a prank on his competitors, adding notoriously inconsistent Washington Redskins quarterback Rex Grossman to a rival’s squad.
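The problem Rios describes is a missing server-side authorization check: the roster transaction names the target team in a client-controlled parameter, and the server acts on it without confirming that the logged-in user owns that team. The following is an added illustration, not ESPN's code or Rios's, of that pattern next to its fix. The `Team` record, the `trans` dictionary layout, the `team_id`/`action`/`player` keys and the sample league are all assumptions made for the demo.

```python
# Added example (not from the article or ESPN): a minimal roster-transaction
# handler showing a missing ownership check and the corrected version.
from dataclasses import dataclass, field


@dataclass
class Team:
    team_id: int
    owner_id: int
    roster: list = field(default_factory=list)


def make_league():
    """Constructed sample league: user 100 owns team 1, user 200 owns team 2."""
    return {1: Team(team_id=1, owner_id=100), 2: Team(team_id=2, owner_id=200)}


class AuthorizationError(Exception):
    pass


# Constructed audit trail of denied transactions (user id, team id, action).
AUDIT_LOG = []


def _mutate_roster(team, trans):
    """Apply an add/drop to a roster; unknown actions are rejected."""
    action = trans.get("action")
    if action == "add":
        team.roster.append(trans["player"])
    elif action == "drop":
        team.roster.remove(trans["player"])
    else:
        raise ValueError("unsupported action: %r" % (action,))
    return list(team.roster)


def apply_trans_vulnerable(teams, session_user_id, trans):
    """Vulnerable: the team is looked up purely from the client-supplied
    'trans' parameter. The authenticated user is never compared with the
    team's owner, so any league member can edit any roster."""
    team = teams[trans["team_id"]]
    return _mutate_roster(team, trans)


def apply_trans_hardened(teams, session_user_id, trans):
    """Hardened: resolve the team from server-side data, then require that
    the owner recorded there matches the authenticated session before any
    change is made. A missing team and a team the user does not own get the
    same denial so the endpoint does not reveal which team ids exist."""
    team = teams.get(trans.get("team_id"))
    if team is None or team.owner_id != session_user_id:
        AUDIT_LOG.append((session_user_id, trans.get("team_id"), trans.get("action")))
        raise AuthorizationError("not authorized to modify this team")
    return _mutate_roster(team, trans)


if __name__ == "__main__":
    # User 100 tries to add a player to user 200's team.
    cross_team = {"team_id": 2, "action": "add", "player": "QB-1"}
    print("vulnerable:", apply_trans_vulnerable(make_league(), 100, cross_team))
    try:
        apply_trans_hardened(make_league(), 100, cross_team)
    except AuthorizationError as exc:
        print("hardened:", exc, "| denied entries:", len(AUDIT_LOG))
```

The point of the hardened version is where the trust sits: the team id in the request is only a lookup key, and the decision to allow the change comes from the server's own record of who owns the team compared with the session. Logging each denial also gives operators a signal, since a user repeatedly being denied on other people's teams is exactly the probing Rios describes.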
Rios said he has contacted ESPN’s fantasy football site about the vulnerability.