The world of online chess, which offers big rewards to contest winners, presents a potentially lucrative target for unscrupulous players with hacking skills and some knowledge of cryptanalysis. And it may not be hard to checkmate these insecure sites, according to the findings of security researchers from the University of Colorado at Boulder.

Researchers have found that the Web site of a popular online chess club has security flaws that could allow players to cheat by giving themselves more time on the clock to think about moves. Adding a few seconds might not seem like a lot, but because players have limited time in which to consider their next move (consider, for example, that some games must be completed in under one minute), a few seconds might be enough to win a game, particularly if those seconds allow a player to feed an opponent's move into a powerful chess-playing program.

Cheating the site's timestamp is only one way to exploit weakness at the site, according to the researchers, who point out that the site's encryption mechanism uses no authentication, and that a passive eavesdropper could collect a record of "everything sent between client and server," including credit card information (the site charges a registration fee) and user passwords.

An active adversary could do even more harm, the authors write; he or she could spoof messages from the site administrators or even alter moves.chess_tech1204_0.pdf