by QuarterReptile 1220 days ago
Lots of righteous upvoting, no comments (that's what I did too, at first.) Has anyone examined it?

It has the ring of so much malware and exploits masquerading as cheats from my childhood of playing crappy games, and there's little information on the page.

Edit: I watched some of the video, and he wants you to add a new certificate authority... no explanation of how the 'cheating' works.

Edit 2: Looks like I jumped to conclusions too hastily about motives. Still, I found no satisfying explanation anywhere.

7 comments

He doesn't look like your typical malicious actor (where's the hoodie?!) but who knows these days. His LinkedIn is at the bottom of the page.

https://www.linkedin.com/in/brianhamachek

Thanks, that's probably useful context.
From what I can tell

The binary is running a proxy (fiddler?) on the Windows machine. The iPhone is on the same network and accepts the proxy's self-signed certificate which allows the iPhone to trust the proxy. You point the iPhone to the proxy. Start Game - End Game - Zero points. When the POST or whatever API call is sent to the server the proxy (fiddler) modifies the request to whatever _points_ you specified. Then you see the updated score on the app.

I'd strongly discourage anyone from actually installing and using it as it's almost certainly illegal to do so (definitely will violate ToS and probably will be actionably illegal but IANAL). Additionally, it very well could contain malware.

To be honest though, shining a light on this terrible company seems to be the main drive of the website and it's a very deserving cause.

You add the new CA so that you can man-in-the-middle the traffic between your phone and their servers. That lets the app view it unencrypted, modify as needed, and then send it off to the real server.

Just removed the CA after.
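
Added example, not part of the thread and not code from the tool or the game vendor: a server-side check that notices when a score submission's body was edited in transit, which TLS alone cannot do once the device trusts the proxy's CA. It goes beyond what the comments cover; the field names (`match_id`, `points`), the per-device key and every function name are assumptions made for illustration.

```python
import hashlib
import hmac
import json

# Assumption: a per-device secret provisioned out of band (constructed sample value).
DEVICE_KEY = b"constructed-demo-key-not-a-real-secret"


def canonical(body):
    """Serialize the body deterministically so both sides MAC the same bytes."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def sign_submission(body, key=DEVICE_KEY):
    """Client side: attach an HMAC-SHA256 tag computed over the request body."""
    tag = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
    return {"body": dict(body), "mac": tag}


class ScoreServer:
    """Hypothetical server-side check for a score submission."""

    def __init__(self, key=DEVICE_KEY):
        self.key = key
        self.seen_matches = set()  # match ids already scored (replay guard)

    def accept(self, request):
        body = request.get("body", {})
        expected = hmac.new(self.key, canonical(body), hashlib.sha256).hexdigest()
        # Constant-time comparison; a body edited in transit no longer matches.
        if not hmac.compare_digest(expected, str(request.get("mac", ""))):
            return "rejected: body does not match MAC"
        if body.get("match_id") in self.seen_matches:
            return "rejected: match already scored"
        self.seen_matches.add(body.get("match_id"))
        return "accepted"


def demo():
    server = ScoreServer()
    original = sign_submission({"match_id": "m-1001", "points": 0})  # constructed
    # Same request after an intercepting proxy rewrote the points field.
    edited = {"body": {**original["body"], "points": 999999}, "mac": original["mac"]}
    return [server.accept(edited), server.accept(original), server.accept(original)]


if __name__ == "__main__":
    print(demo())
```

A key stored on a device its owner controls can be extracted, so a check like this raises the cost of tampering rather than ruling it out; scores the server can recompute or sanity-check itself do not depend on the client at all.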

It feels more like a short seller play.
Interestingly, the video was posted (and presumably the site went live) within 30 min of the NYSE (where Skillz is listed) closing.
Would there have been a better time to post?
Well, you could post it during trading hours, for example.
Would that actually be better than putting your orders in before the closing and getting out right after opening when the initial reaction will hit all at once? (Vs being delayed / smoothed out over time during the trading hours)
> and he wants you to add a new certificate authority... no explanation of how the 'cheating' works.

I mean it should be pretty obvious why this is being done for this general type of attack - if you have the necessary level of expertise where it is safe to use a tool like this.

I’m a busy person. I made this really rushed. I’ve put the source code up on GitHub now though.