Exploring Blooket

A little rundown of my history with Blooket

As per the Blooket page on my website:

Recently, Ben (the creator/owner/lead developer of Blooket, a very rad man) asked me to take down my cheat suite for Blooket. I fully respect that decision, as I was expecting it sooner or later. It's a bit of a relief, because it's one more thing I don't have to worry about, and I get to work on some other cool projects.

I got a takedown request (it was very polite, don't worry) from Ben, and I've decided to take my Blooket cheat down. I never intended to harm his business, so taking it down is the reasonable thing to do.

The Beginning

The date is April of 2021. The latest major version of my website is v2, Blooket was much less secure, and I was in a Discord server called Rocks Network, the whole premise being reverse engineering quiz services and writing cheats for them. Joder, the head developer of Kahoot.rocks, discovered Blooket, and found out how insecure it was. I decided to give it a shot and to see if I could develop something of my own, just as a small side-project. At the time, this was the first ever cheat for Blooket. The first few cheats were simple. Game flooding, kicking players, and giving yourself tokens.

Before I explain those, you need to know a bit more about the Blooket service. Blooket is a React app running on Heroku, with the backend being Firebase, serving as a database and handling live games. Live games were handled through Firebase WebSockets, while some of the more nitty-gritty account related things are handled through endpoints. A lot of the calculations and logic for live games are done on the client, allowing for controlled exploitation of those values.

Game flooding required just the join request, you didn't actually have to connect to the Firebase WebSocket for it to display a player. Kicking players was also simple, as the requests didn't require you to prove that you were the host. Kicking all of the players was just a matter of getting all of the players, data which one could get from the join request. Tokens were also just a matter of sending a request to Blooket to give you x amount of tokens, something which it would do unless you had hit your limit.

I slowly added more cheats, like an answer explorer for both homework and live games, and a crash. You could fetch the answers from the API from the set ID, which you could get from the join request, and then render the data for the user.

Bookmarklets

A little under a month after starting the Blooket cheat, I decided to write my first bookmarklet for it, a primitive autoanswer. It was quite simple: upon running, it prompted the user for the game pin and a random username, made a request back to my website to fetch the answers, stashed those away locally, and created a button. When the button was pressed, it would check the title of the current question, find the corresponding question data, and click on the correct answer.

A Response

Two months in, and Varedz and I would collaborate on a cheat that would forcefully end any game, just from the pin. It exploited the WebSockets, as you could just send the "stop game" event to a game socket.

It only lasted a few days though. Ben shortly released an update to fix it, I presume through Firebase rules. This marked the first time Ben fixed one of my cheats. Some time after, he would also fix kicking and make joining more annoying.
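As an added example (not code from this post or from Blooket): the kick and stop-game requests described above worked because nothing tied them to the host, and token amounts were chosen by the client. Here a server compares the caller with the stored host and derives rewards from its own state; `GameServer`, `session.uid` and both constants are assumptions made for illustration.

```javascript
// Added example, not Blooket's code; all names and values are hypothetical. session.uid is
// assumed to come from a login token the server already verified, never from the request body.
const TOKENS_PER_CORRECT = 5, DAILY_TOKEN_CAP = 500; // constructed values
class GameServer {
  constructor() {
    this.games = new Map();   // pin -> game state, held only on the server
    this.granted = new Map(); // uid -> tokens granted today
  }
  createGame(session, pin, answerKey) { // answerKey: Map of questionId -> answer
    this.games.set(pin, { hostUid: session.uid, answerKey, running: true, players: new Map() });
  }
  join(session, pin) {
    const players = this.#running(pin).players;
    if (!players.has(session.uid)) players.set(session.uid, { answered: new Set(), correct: 0, paid: false });
  }
  // Host-only actions: the caller's identity is compared with the stored host.
  kick(session, pin, targetUid) { return this.#asHost(session, pin).players.delete(targetUid); }
  stopGame(session, pin) { this.#asHost(session, pin).running = false; }
  // The client sends its answer; grading uses the server's key, once per question.
  submitAnswer(session, pin, questionId, answer) {
    const game = this.#running(pin);
    const player = game.players.get(session.uid);
    if (!player || !game.answerKey.has(questionId) || player.answered.has(questionId)) return false;
    player.answered.add(questionId);
    const right = game.answerKey.get(questionId) === answer;
    if (right) player.correct += 1;
    return right;
  }
  // The reward is computed from server state, paid once per game, and clamped to the cap.
  awardTokens(session, pin) {
    const player = this.games.get(pin)?.players.get(session.uid);
    if (!player || player.paid) return 0;
    player.paid = true;
    const used = this.granted.get(session.uid) ?? 0;
    const grant = Math.max(0, Math.min(player.correct * TOKENS_PER_CORRECT, DAILY_TOKEN_CAP - used));
    this.granted.set(session.uid, used + grant);
    return grant;
  }
  #running(pin) {
    const game = this.games.get(pin);
    if (!game || !game.running) throw new Error("no such running game");
    return game;
  }
  #asHost(session, pin) {
    const game = this.#running(pin);
    if (game.hostUid !== session.uid) throw new Error("forbidden: caller is not the host");
    return game;
  }
}
```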

Multitool

Over a month later, I discovered through one way or another a wonderful browser extension, React Developer Tools. It was like magic. I could edit data, and it would be reflected in the client. Keep in mind I'd never touched React up until December of last year, so while I didn't fully understand everything, it was simple enough to read and write state.

I knew this was powerful, but hadn't the faintest of ideas of how I could programmatically exploit this. When I asked my second "mentor," Varedz, about doing just that, he would introduce me to a method of reading and writing to the states and props of React components.

I had my keys to the castle, and the first iteration of the multitool was born. I wrote the first of the more advanced Blooket utilities, granting the user the ability to change values, spawning cheats such as setting gold, crypto, stopping debuffs, and a lot more. It even spurred on an improved version of the auto-answer, as the answers were stored locally, making the process smoother and faster.

Leveling up

Our journey through analyzing my GitHub commits would now jump repositories to a shiny new major release of my website, v3. I would commence a rewrite of my website in December of last year, overhauling the entire thing. You can read more about it on this blog post. Sans the Blooket cheat. I would continue to add various gamemode-exclusive cheats to it, but nothing really major happened up until the time I restructured it. It was originally just a single JavaScript file that I would obfuscate, but I eventually broke it up into smaller pieces, rewrote it in TypeScript, set up compilation and obfuscation on build time, and called it a day.

For a while, not much interesting stuff happened. I wrote a new flooder that worked with the Google Identity Toolkit thingamajig Ben had added, wrote a bypass for plus-exclusive gamemodes that eventually got patched, and figured out that if you sent empty data to the homework endpoint, it would cause an error when someone tried to load the homework results page due to parsing errors. (...I believe, I never had access to any of the Blooket source code or Firebase instance. I'd love to look through the code though!)

Security Step-up

Around the start of 2022 is when security started to get tighter. In order to prevent people from tampering with network requests, Ben started to encrypt the request data. A key would be stored in the code that changed every time the site was updated to prevent people from adding a fixed key, probably randomized on build time. When the browser made a request, it would generate a random value, encrypt the message with the random value and key, prepend the key to the encoded output, and send the request to the server. The server would then walk through that same process, but backwards.

# Example encrypted request:
Sghz2PpNmRwbiVkU6DjOAH8THAbIvdKbJmIoDyMJPcM8kP3zI86VzRvN8gi9axm5DZk129oDbewJ18t/JprbNApjl+q7SJ1n1g==
# Decrypted:
{"name":"wovogo7814@song","newName":"awaawa"}

I created an encoder and decoder, and implemented it in some of the utilities in the multitool that made network requests.

Another thing that Ben added was ratelimits, and heavy ones too. I had to remove the bulk box opening feature, as users seemed to hit a ratelimit and subsequently get their account disabled.

A week ago was when Ben really ramped up the effort he and his team of developers (him and Spencer I believe) put into finally fixing the cheating problem that had manifested over the past few months. He overrode the default window.alert, window.prompt, and window.confirm functions so that no text was actually displayed, checked to see if the string passed to them included any one of the following bits of text: 'basil', 'incompatible', 'gold', 'script is outdated', and if it did, a request would be sent to an endpoint that would disable your account.

I got around this by making my own alerts and prompts, because I figured he'd be able to detect IFrames easily enough.

A week later, he changed the url for games from www.blooket.com to dashboard.blooket.com, causing my url checking to state that the site was invalid. That was a simple string change for me, and I was good.

The next day, Ben added yet another check to prevent the tampering of React values. He would compare two values to see if they matched. If they didn't, kiss your account goodbye. This too I got around, and went ahead and added the fixes to some of the other gamemodes as a precaution.

And the day after that, I was met with a kind message from Ben asking me politely if I was willing to take it down. Of course, I agreed. As I stated before, Ben is a nice guy, and I mean neither him nor Blooket any harm.

Fin

That's a rough summary of everything that's happened over the past few months regarding my end of the whole Blooket spiel. I may have forgotten some things, and possibly got some info wrong. It's been a very unique experience, but I've enjoyed myself with it. Best of luck to Ben, let's hope the backend rewrite he's working on will go well! Oh, and thank you to Joder, Varedz, and Glizzy for their help, I couldn't have done it without them :D

Cheers, Basil

Nya!