10-year old Girl Scout owns slow game

Many social games have measures to prevent cheating by mucking around with the date settings. But kids are too smart to be stopped that easily. PC Magazine's Sara Yin reports on a brilliant exploit discovered by CyFi, a 10 year-old Girl Scout who presented her findings at Defcon.

She began tinkering with the code after growing impatient with the game's slow place, and discovered that by disconnecting her phone from Wi-Fi and re-setting the clock forward in small increments, she could fast-forward many of the actions in the game, "a new class of vulnerabilities" she dubbed "TimeTraveler."

10-Year-Old Presents App Exploit at DefCon [PC Mag]


  1. I don’t think I’ve ever read something that made me feel like I knew less about it after I got finished.

  2. Hehe that’s great.  What’s almost as good is that her parents must support this – that or she’s completely COMPLETELY gone rogue.

  3. Ah, yes… when I was in school, I ran a BBS with minimal traffic, and was quite addicted to Legend of the Red Dragon, which gave you a set number of moves per day. As sysadmin, I have to admit to advancing the clock months ahead in an evening of fun… and the turning back the clock when I was done so as not to mess with other people. I was a few years past 10, though.

  4. I for one welcome our new 10-year-old Girl Scout beta test/security audit overlords. Anything to keep the flow of Samoas going smoothly.

    1. It should be: “In Russia 21-year-old guy hacks a computer he’s locked up in jail and they throw away the key, in America 10-year-old girl hack computer they give her key to the city! What a country!”

      1. Not quite, as the same Russian would be locked up if he ever set foot on US soil as well…

        It is simply that humanity in general, and USA in particular, seems to give whatever we sort as “kids” a pass on various behaviors that “adults” would be slapped silly over…

  5. It’s awesome that a 10 year old is doing stuff like this, but any game that relies on the client with no server side validation is going to be next to impossible to secure, isn’t it?
    I’m not sure it’s a new class of vulnerabilities – I’m pretty sure i wasn’t the only kid who got around shareware trial restrictions by messing with the computer’s clock…

  6. This works great on Tiny Tower…Although, I am still not sure why I gave that game a week of play….

  7. This made me literally smile. Awesome work, Miss Yin, and keep on hackin’.

    edit: Eh, crap. The girl’s name is CyFi. The PC Mag’s author is Sara Yin. That’s what I get for reading the article too fast.

  8. It’s a kid that set the clock forward on their game – just like kids always have – but both articles I’ve read about it talk about “hacking”, “zero-days” and “a new class of vulnerabilities”.

    Who is it spinning the story this way and why? Are white hats trying to draw kids away from Anonymous by pretending simple game cheats are cooler than real hacking?

  9. I think it’s great that kids learn how to poke things in ways the developer hadn’t anticipated (call it “hacking” if you like, just like we have usability “hacks” and what else not) and are encouraged to extend their natural curiosity into these areas. Really, that’s awesome.

    That being said, I am simply baffled by the hype. This has been done countless times before, often also by kids (Pokemon for example has a few time-restricted things that can be fooled by manually setting the console’s time over and over again), so in my eyes, this is hardly “a new class of vulnerabilities” to be shown off at Defcon. Or even accepting that, I think the blog coverage reporting about this “hack” is overkill. The entire thing reeks of a marketing stunt to counter the current image of “hacking” (Anonymous, Lulzsec, etc.).

    Again, kudos to the kid, and I encourage people to game the games, so to speak, but why the hype?

    1. I’ll be buying my Samoa’s and Thin Mints with cash, only CASH!  Credit cards and all RFID laced devices will be kept in a secure location while this transaction is made, hopefully nowhere near my home.

  10. Many of us used this very common techniqye to game the money system in
    Fable II.  In that game you earned a little money every hour from your
    investments.  If you set your xbox’s clock ahead 20 years you would have
    a windfall of cash the next time your booted up the game.

  11. Not to belittle this young girls efforts/discovery but that is exactly the sort of thing I used to do to get around trial periods for software almost a decade and a half ago. Now I don’t do it that way because I have learned more. Guess what I am saying is basically, good for her, keep learning, keep hacking and stay cool.

Comments are closed.