Challenge Link Security

At the moment, Geoguessr challenge links look like this:
https://geoguessr.com/challenge/ltJy3huDl68gHwrd

After you have completed a challenge, this redirects to a webpage which has the challenge results, which has a URL like this:
https://geoguessr.com/results/ltJy3huDl68gHwrd

It's very straightforward to figure out what the results URL will be for a given challenge URL (just replace "challenge" with "results"). If you replace one with the other in your browser, you will see the results page including the answers for each location. You can then go back to the original challenge link knowing the answers and get a high score.

Would it be possible to close this vulnerability? A few solutions spring to mind (ordered from best to worst, I think):
- If you haven't completed a challenge, going to the results URL redirects you back to the challenge.
- Results links use a different random string so you can't easily figure out what they are.
- Once you've visited the results page, you can no longer go back and complete the challenge (you just get redirected to the results page).

Cheers,
BoredTrevor

Comments

  • Hi BoredTrevor,

    Sorry for the late reply. That sounds like a good idea, I probably prefer the first option. Have to run it by the team so we don't mess up for someone that's using the feature for some reason.

    thanks!

    best,
    Mikael
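
The first option in the post (anyone who has not finished the challenge is sent back to it) comes down to a server-side check on the results route. The sketch below is an added example, not part of the original thread and not GeoGuessr's code; the in-memory store, the session shape and every function name are assumptions.

```javascript
// Added illustration, not GeoGuessr code. All names are hypothetical and the
// stored data is constructed; only the challenge id comes from the post.
const challenges = new Map([["ltJy3huDl68gHwrd", { rounds: 5 }]]);

// challengeId -> Set of user ids that have finished every round
const completions = new Map([
  ["ltJy3huDl68gHwrd", new Set(["user-finished"])],
]);

// Called by the game flow once a player submits the last round.
function recordCompletion(userId, challengeId) {
  if (!completions.has(challengeId)) completions.set(challengeId, new Set());
  completions.get(challengeId).add(userId);
}

function hasCompleted(userId, challengeId) {
  const done = completions.get(challengeId);
  return Boolean(userId && done && done.has(userId));
}

// Decide the response for GET /results/:challengeId for a given session.
function handleResultsRequest(session, challengeId) {
  if (!challenges.has(challengeId)) {
    return { status: 404 };
  }
  const userId = session ? session.userId : null;
  // The decision uses play state stored on the server, never the URL the
  // browser asked for. Signed-out visitors are treated as "not completed".
  if (!hasCompleted(userId, challengeId)) {
    return {
      status: 302,
      location: `/challenge/${encodeURIComponent(challengeId)}`,
    };
  }
  // Only now is the answer data loaded and rendered.
  return { status: 200, view: "results", challengeId };
}
```

Because the answers are only loaded after the completion check passes, swapping "challenge" for "results" in the URL returns a redirect and no location data.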
