Fun with ciphers in copycat Wordles

Written by:
Micah Silverman

February 2, 2022


Here at Snyk, we spend a lot of time researching vulnerabilities. We do that because there are a lot of other folks out there researching new ways to break into apps and systems. We’re often putting on our “grey hats” to think like a malicious hacker. I regularly view-source, look at network traffic and eyeball query strings. One such delicious little query string caught my attention this week on one of the many copycat Wordle sites.

Right up front, I want to note that there are SPOILERS AHEAD. While I don’t name the specific website, it won’t be hard to figure it out, and what I write below would allow you to guess any custom word in one try. You’ve been warned!

Who among us doesn’t love Wordle? No one, that’s who! It’s gotten to the point that the NY Times announced they are purchasing the original Wordle from its author. There have been a bunch of copy-cats, both in app and web-app form. And, some of these have been up to no good! For the record, here is the official original Wordle.

Amongst the copy-cats is a good one that allows you to pick a custom word from an available dictionary and send a link to your friends to try to guess the word in Wordle style.

A friend sent me one and I noticed that the URL included a query string parameter called code=. What followed looked like gibberish. But my #chaoticneutral spidey-sense went a-tingling. The string of gibberish was exactly 6 letters long and the word was 6 letters long. Coincidence? I think not! My second thought was that maybe this was ciphertext and I could reverse it to guess the word in one try.

When I see something like this, I always try to start with the low hanging fruit: Atbash cipher (Yes, all the links are to the Gravity Falls wiki as every episode ends with a cipher).

Atbash ciphers

Imagine that the URL contains the query string: code=ociwti. Maybe the i represents the same letter shifted around? After playing around for a few minutes, there were just too many possibilities for a simple substitution. So, my next thought was to try to solve it legitimately, and then work my way backwards. It took 5 out of 6 tries, but I got to the word: sortie. This helped me immediately because I could tell now that it was not a simple substitution. If it were, the third (r) and last (e) letters of the plaintext would have been the same, since both are i in the ciphertext.

Caesar ciphers

My next thought was that maybe it was a Caesar cipher (still Gravity Falls). This cipher puts the plaintext letter ahead or behind some number of letters from the ciphertext. If you go past Z or before A, you just wrap around. The only problem is that it’s still consistent and the third and last letters of the plaintext would be the same. But, I liked the idea of moving around the alphabet.

What if you simply had to count a different number of letters ahead for each position of the ciphertext to get to the plaintext? This would then reveal a key which might be used to solve for any ciphertext. Since I had both the ciphertext and the plaintext, could I extract the key? Let’s see.

If I move forward at each position, Caesar cipher-style, this would reveal a number of letters to get from the ciphertext letter to the plaintext letter (accounting for wrapping). Here’s what I came up with:

Ciphertext:  O   C   I   W   T   I
Plaintext:   S   O   R   T   I   E
Shift:       4  12   9  23  15  22

Cipher solved, scroll with circumspection...

With that key, all that was left was to try another custom Wordle. I created one of my own, which yielded: code=ywgkpv. Before you scroll down, see if you can solve it yourself!

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

Keep scrolling...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

Let’s look at the big board:

Ciphertext:  Y   W   G   K   P   V
Shift:       4  12   9  23  15  22
Plaintext:   C   I   P   H   E   R

So, I was able to confirm that the key, 4-12-9-23-15-22, worked with any custom Wordle. Neat!
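The reasoning in this post, as an added example that is not part of the original post or the site's code: one known ciphertext/plaintext pair is tested against the simple-substitution and Caesar hypotheses, then used to recover the per-position shifts and decode a second link. The hostname wordle-copy.example and all function names are assumptions made for illustration; the letter pairs are the ones from the post.

```javascript
// Added example: hypothesis testing on one known ciphertext/plaintext pair.
const A = 'a'.charCodeAt(0);
const idx = (ch) => ch.toLowerCase().charCodeAt(0) - A;

// Forward shift (mod 26) from each ciphertext letter to its plaintext letter.
function recoverShifts(cipher, plain) {
  if (cipher.length !== plain.length) throw new Error('length mismatch');
  return [...cipher].map((c, i) => (idx(plain[i]) - idx(c) + 26) % 26);
}

// Necessary condition for a simple substitution: a repeated ciphertext
// letter must always decode to the same plaintext letter.
function isConsistentSubstitution(cipher, plain) {
  const seen = new Map();
  return [...cipher].every((c, i) => {
    if (!seen.has(c)) seen.set(c, plain[i]);
    return seen.get(c) === plain[i];
  });
}

// A Caesar cipher uses the same shift at every position.
function isCaesar(cipher, plain) {
  const shifts = recoverShifts(cipher, plain);
  return shifts.every((s) => s === shifts[0]);
}

// Apply a per-position key to a ciphertext of the same length.
function decode(cipher, shifts) {
  if (cipher.length !== shifts.length) {
    throw new Error('key covers ' + shifts.length + ' letters only');
  }
  return [...cipher]
    .map((c, i) => String.fromCharCode(A + ((idx(c) + shifts[i]) % 26)))
    .join('');
}

// Pull the code= parameter out of a share link (hostname is a placeholder).
function codeFromUrl(link) {
  const code = new URL(link).searchParams.get('code');
  if (!code || !/^[a-z]+$/i.test(code)) throw new Error('no alphabetic code parameter');
  return code.toLowerCase();
}

const key = recoverShifts('ociwti', 'sortie'); // known pair from the post
const guess = decode(codeFromUrl('https://wordle-copy.example/?code=ywgkpv'), key);
console.log(isConsistentSubstitution('ociwti', 'sortie'), isCaesar('ociwti', 'sortie'), key.join('-'), guess);
```

Because the same shifts come out of every solved puzzle, one known pair exposes every later link of that length; a fixed per-position shift in a client-visible parameter is obfuscation, not confidentiality.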

If you know the site that I am speaking about in this post, please keep it to yourself. Why spoil the fun for folks that didn't choose to click on this blog!

Hopefully you’ve enjoyed this little detour into the red-yarn-around-push-pins that is my brain. I can’t help but wonder what’s going on when I see query strings in URLs. But, I always stick to the #chaoticneutral credo: a light trolling to get a good laugh is fun, but do no (real) evil.

And if you're into fun puzzles like this, join us on Feb. 9 at 11 a.m. EST for a live hacking session: Stranger Danger: Your JavaScript Attack Surface Just Got Bigger led by the one and only Liran Tal! Can’t make this one? Good news: we’re doing them every month. Use this Zoom link to register.
