Skip to main content Vunerabilities

I want to start by thanking the folks at CBS Interactive and
CBS Corporation for working so diligently with me on remediating the issues I
discovered, and for responsibly disclosing these issues.

I am unlikely to ever play in the NFL.

I am less likely to ever play in MLB.

So, instead I play fantasy sports, and I play primarily on  It is the site my friends
were using when I joined their leagues, and haven’t seen a need to change.

Last year, I discovered a few unintended features within the CBSSports sites. It started when I realized that I could CSRF the Trade and the Add/Drop functionality.  After a little more digging, I realized I didn’t need to CSRF the trade functionality… Instead I could simply initiate a trade on another teams behalf.  

You would think that knowing this I should have won my
league.  Personally, I blame this epic
fail on Cam Newton’s slow start and Brandon Lloyd’s cement hands. 

Mrs. Newton's favorite player. 
Mrs. Newton’s favorite player. 

The folks at CBS Interactive and CBS Corporation were kind
enough to take a look at the issues I had discovered, remediate these issues, and
keep me involved during the entire process.

Of course, I couldn’t leave well enough alone, so I took another look at the site and realized there were a few other issues that should be looked at.  

I am not sure about your league, but our league utilizes a lot of smack talk. 

Smack Talk (smak tawk): 

The art of telling another person off, belittling them or calling their momma fat, while in the heat of competition.

CBSSports sites have a number of ways to accomplish this, one of which is the Live Scoreboard Chat functionality.  Fortunately (or unfortunately, depending on your point of view), I found a way to submit chat posts on behalf of other teams.  It really made the conversation devolve quickly, as seen below.

Sorry, this is a family friendly blog. 
Sorry, this is a family friendly blog. 

Lastly, I discovered an issue where I could update my “On the Block” section with players I don’t even own.  It is kind of like trying
to sell someone the Brooklyn Bridge, but instead of a bridge it is Mike
Trout.  The deception won’t last long,
but is likely to give the Trout owner a heart attack.

So, feel free to take a look at the disclosures, and if you notice anything else, please let the fine people at CBS know (! Horizontal Access Control Bypass (Trades & Add/Drop) Cross-Site Request Forgery Horizontal Access Control Bypass (Scoreboard Chat) Horizontal Access Control Bypass (Trading Block)