"API Vulnerabilities in Wordle Exposed Answers, Opened the Door to Potential Hacking"

A security researcher has discovered flaws in the online game Wordle, owned by the New York Times, that leak the answer to the daily word puzzle and expose its Application Programming Interface (API) to potential hackers. David Thompson, a security researcher at Noname Security, discovered the vulnerabilities using Google Chrome's built-in developer tools. Thompson found the daily answer through a JSON-formatted API. Simply visiting the Wordle website, clicking the "network" tab in Chrome's developer tools, and then selecting the "Fetch/XHR" filter led to the solution. Clicking on the JSON API entry with the current date in the "Requests" cell exposes an API GET request. Clicking the "Response" tab then clearly displays the solution. Thompson also discovered a technique to find the solution to the following day's Wordle puzzle by using the command line interface to retrieve the JSON file for a different date. In addition to the solution, the returned information also includes the editor's name. Making such information retrievable is a common error when building and releasing APIs. In the instance of Wordle, the vulnerabilities violate the OWASP API Security Top 10 in terms of excessive data disclosure and broken function-level authorization. This article continues to discuss the API vulnerabilities found in Wordle.
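A mitigation sketch for the two weaknesses named above, as an added example that is not code from the New York Times, Noname Security or the article: the server scores each guess itself, refuses puzzle dates later than today, and builds its response from an allow-list of fields. The puzzle store, its field names (`solution`, `editor`) and the function names are assumptions made for illustration.

```python
from collections import Counter
from datetime import date

# Constructed sample data; the field names are assumptions, not the real schema.
PUZZLES = {
    date(2022, 5, 1): {"solution": "crane", "editor": "Example Editor"},
    date(2022, 5, 2): {"solution": "allot", "editor": "Example Editor"},
}


def score_guess(solution: str, guess: str) -> str:
    """Score server-side: 'g' right place, 'y' wrong place, '-' absent."""
    marks = ["-"] * len(solution)
    unmatched = Counter()
    # First pass: exact matches; count solution letters that stay unmatched.
    for i, (s, g) in enumerate(zip(solution, guess)):
        if s == g:
            marks[i] = "g"
        else:
            unmatched[s] += 1
    # Second pass: a misplaced letter is yellow only while copies remain.
    for i, g in enumerate(guess):
        if marks[i] == "-" and unmatched[g] > 0:
            marks[i] = "y"
            unmatched[g] -= 1
    return "".join(marks)


def handle_guess(puzzle_date: date, guess: str, today: date) -> dict:
    """Hypothetical request handler returning only allow-listed fields."""
    # Authorization check: no puzzle later than today's is ever served.
    if puzzle_date > today:
        return {"status": 403, "error": "puzzle not yet available"}
    puzzle = PUZZLES.get(puzzle_date)
    if puzzle is None:
        return {"status": 404, "error": "no puzzle for that date"}
    guess = guess.strip().lower()
    if len(guess) != len(puzzle["solution"]) or not guess.isalpha():
        return {"status": 400, "error": "invalid guess"}
    # The response is built field by field, so "solution" and "editor"
    # cannot leak by being serialized along with the stored record.
    return {
        "status": 200,
        "date": puzzle_date.isoformat(),
        "score": score_guess(puzzle["solution"], guess),
    }
```

With this design the browser's network tab shows only the score for each submitted guess, and a request for another day's file is rejected before any puzzle data is read.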

SiliconANGLE reports "API Vulnerabilities in Wordle Exposed Answers, Opened the Door to Potential Hacking"
