Hacking clock at Chess.com

The site has a Bug Bounty program: https://www.chess.com/news/view/chess-com-bug-bounty-policy

If anyone has proof any such thing actually works, I would recommend they report it. The site knows how the code works and how they handle lag and why clocks can change. I'm not going to claim that there are no bugs and that it's impossible to cause an issue, just that the most likely reason is exactly was has been described by the site.

In addition, client side attempts to hack, such as with the interface, are more likely going to cause connection or clock issues (as in losing time) on the hacker side, not the opponent side.

oH i Am So sAd sOmeOne HaCKeD iN sO thEy cOuLd maKe mE foRfEit insTeAd oF stEalIng miLliOns Of DoLLaRs!

It's not hacking. That is rather silly though a keystroke generator may be used.

Just where do you get the idea that a "client hack" will be more likely to cause clock issues on the "hacker" side? That's not how it OFTEN works when people figure out exploits in other games. And that's a big thing here. OTHER GAMES. So this discussion isn't in a vacuum. There is a rich history and present involving interface exploits. And of course, they tend to ruin things for the opponent of the exploiter of course. Like duh.

So if we were born yesterday and had no experience with internet gaming then one may say that the official line is most reasonable. But with experience, well things are often poor when there is not a rigorous bug reporting and correcting mechanism visible in a game. Where is that in this case? And seeing a clock issue causing game deciding "glitches?" Well that's a given exploit in the experienced gaming world because 99.99999% of the time that's what a mysterious glitch involving timing and causing a reversal of fortunes actually is.

So either way it is a problem with the coding. So connect a phone to the network and when this glitching happens, see if the phone can access a fresh website. If so, it's not your connection.

An interesting factor is whether people are seeing this when using the app, or just when logged on through a browser. (An actual bug correcting process would have already publicly discovered this.)

I admit, this could be a simple matter of the server handling traffic very poorly though the reports make that unlikely. But blaming it on the client connection is kind of ridiculous as people are insisting it isn't that. Particularly when people veer into the ridiculous notion that someone has to change the coding of a server to affect a game.

Again, exploits are COMMON with onlline gaming. They just don't stay around long because games where the developers are taking things seriously have a visible and healthy process of addressing those exploits.

I was victim to it a few times and eventually went to watch one of these " Benefactors of the lag" Amazingly enough his next three Opponents had the same poor connection and lag that I did.🤷🏿‍♂️

Happens. All good. We learn to live with it, take our chess.com rating with a grain of salt and enjoy the app when it functions correctly. .. or at least I have. I only come back here cause of the notifications. Stopped actually caring about the topic the moment I realized there was no one looking to address it.

The client doesn't have any control over the official server clock.

When the move is sent to the server, the times are sent but the server itself does all the calculations based on when it initially sent the previous move, when the new move is received, and determines how much lag there was and how much lag, if any, it allows and compensates for. That calculation is made and the server sends the move on to the opponent and sends the updated clock times.

Do anything you want client side, the client can't impact that calculation. The client could introduce additional lag on their end, which will only hurt the sending client's clock, not the opponent's. The lag compensation won't count against the clocks, and that's why there can be time added in non-increment games.

The live server process is the traffic cop and official time keeper and handles it all. In order to impact the opponent's clock, it would require being able to modify the actual time calculation, along with the sending of updated clock times, and the server is tracking the time independent of the clients.

Again, I won't claim it's impossible, just very unlikely based on how it's implemented.

Doubtful.
.
Mods and streamers have been given access to change the clock mid-game, so that means the capability exists and a malformed request could be targeting that capability. Or simply something like spamming, or a disconnect reconnect cycle is being exploited. I helped with a security bug for chess.com a long time ago, and got all kinds of “That’s not possible” until I gave them a POC. API’s, even unknown API’s, have a high likelihood of being excellent vectors.
.
But even if it is due to ping rate compensation, ask yourself why are they compensating instead of limiting based on uniqueId requests as this is supposed to be real-time gaming (despite the fact you can’t directly use UDP in the browser)? Why are auto disconnects even a thing, as they detract from the user experience?
.
If you limit the amount of requests to 10/1000ms, if load will allow it(otherwise go smaller), you instantly level the playing field for users with ~100ms ping rate playing against players with ~20 ms ping rate. >>1 and you instantly reduce to 5 requests per 1000ms and level the playing field for 200+ ping rates.
.
I won’t pretend to know your internal workings, or give you a lecture on packet/server design but the secure mvc multiplayer paradigm isn’t new, it has been studied pretty well. If you are properly authenticating and rate limiting control updates from the client to the server, than this really shouldn’t be happening. It doesn’t happen on other platforms I’ve tried.
.
No hate though, just frustration. The guys at chess.com can code, but sometimes they screw up. You guys have a history/reputation for letting tons of cheaters slide lately, but It’s time to fix this issue, because chess.com has been unplayable for a while now, at least with regard to bullet and blitz games. The fault is clearly not always just connectivity on the client’s side, especially when there are this many complaints; for many cases it’s clearly on chess.com ‘s end.
.
Chess.com can blame the server load, and tons of new subscribers/ players, but that’s what good code, threaded nodes and load balancers are for.

.
No matter what it’s chess.com’s fault and users are finding it unfair, as their ratings, that they used to take a modicum of pride in, are now more meaningless than ever.

The clock being slow is obviously a lag issue, if I hacked you you will now have no money and no chess.com rating. I will not hack people for making their time run out...

I agree lol

Moderators don't have that access. Some staff do. I think some streamers have the ability to start with time odds, via command, but not all do, but I don't believe they have the ability to change clocks on the fly.

However, even if someone knew how to trigger the options, it is locked by role. An account without sufficient rights can't run the commands. So, not only would it require someone knowing the commands needed, they would also need to escalate their permissions to bypass the server authorization for those commands. While not impossible, it's not very likely and probably is not happening at all and certainly not at a level, even if happening, that covers reported instances of "clock hacking".

Instead, it's the simpler explanation that the site has given. The server handles clocks and updates clients after each move. Those changes are happening at every move and with very high lag or clients with connection issues, those clock changes are more noticeable.

🤣🤣🤣 Marty Stays the course.

Lol. The master hacker from Mars could come to Earth post a video of him hacking The clocks at chess.com and Brother Marty would stay the course. His response will be like "While, it's not impossible that this master "hacker" is actually from Mars. And the video is legit and not photoshop. It's extremely improbable. Furthermore it's Extremely unlikely that such a master hacker would waste his Energy and demean his talent coming to earth to hack chess.com's clocks. Instead, it's the simpler explanation that the site has given. The server handles clocks and updates clients after each move. Those changes are happening at every move and with very high lag or clients with connection issues, those clock changes are more noticeable.🤣🤣🤣🤣🤣🤣

If an exploit exists, is demonstrated, and can be reproduced, that is one thing.

Speculation that it's happening now, because other code on other software (that is achitecturally different) has had that problem before, is an entirely different thing.

Going to "it's a hack", when a simpler explanation exists and is exactly how the system is coded to react to lag, is a whole other level

Hey, I suspect my opponent was cheating in my daily match. I had 24 hours of time left to do my move however black somehow won on time

Open a ticket with support and maybe they can see if something happened.

https://support.chess.com/article/346-contact-us

The hilarious thing is that other games show exploits and people involved in those games deign to actually recognize them. But here they just creep back to Angelina Jolie and "hacking" the secret orbiting base nonsense.

The whole "server clock is independent of client actions" is of course complete rubbish. It isn't that way in any online game. It isn't that way here. Basically it is an assumption of infallible programming. And a refusal to accept reality.

The bug reporting is ridiculous. At this time, this bug if reported would be out of scope of the current bug reporting process. People pointing out that bug process obviously didn't even take the time to read it. Same level of perception displayed in their infallible "server clock" nonsense and the rest really.

It's not hard to detect DGAF. It's just that having so much effort made cheap is disconcerting to experience.

The clients absolutely do not do anything with clocks other than display and update them. Only the server code handles the clocks. You don't have to believe what the site posts about it, but that doesn't make it incorrect.

They do lose time. If they used premoves, it will take at least 0.1 seconds per move.

If you look at the games in the archive on the website, you'll see what the official clock times were, after any lag compensation, and that each move took some clock time