Possible Exploit in Dave & Buster’s “Find the Flag” Reno website May Have Unfairly Tipped the Game

Potential Security Concern in Dave & Buster’s “Find the Flag” Promotion in Reno

Recently, I came across a noteworthy issue involving the current “Find the Flag” promotion hosted by Dave & Buster’s in Reno.

You can view the promotion details here: https://www.daveandbusters.com/us/en/find-the-flag/reno/?location=Reno+US+%2C+89502

During my participation, I learned from another user that it might be possible to access upcoming clues earlier than intended by using browser developer tools. The clue images are served from URLs that follow a predictable date pattern, and the files are openly hosted without any server-side restriction. Essentially, with basic technical knowledge, someone could:

  • Open the browser’s developer console on the webpage displaying the clues,
  • Inspect the network requests or source code involved,
  • Alter the date component in the URL to reveal future clues (for example, changing clue-2025-07-16.jpg to clue-2025-07-17.jpg),
  • Instantly access the next day’s hint ahead of schedule.
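The weakness described above is that the server never checks whether a clue is due yet, so the date in the file name is the only "protection". Below is an added example (not code from Dave & Buster's site or from the original post) of the two things a site operator would want: a server-side gate that refuses to serve a clue before its release time, and a small access-log check that spots clients asking for future-dated clues. The `/clues/clue-YYYY-MM-DD.jpg` path scheme is modelled on the names quoted in the post; the release hour, the three-day schedule and the log lines are constructed for the example.

```python
import re
from datetime import date, datetime
from http import HTTPStatus

# Hypothetical URL scheme, modelled on the clue-YYYY-MM-DD.jpg names in the post.
CLUE_PATH = re.compile(r"^/clues/clue-(\d{4})-(\d{2})-(\d{2})\.jpg$")

# Constructed release schedule for a three-day promotion (not real data).
PUBLISHED_CLUES = {
    date(2025, 7, 15): b"<jpeg bytes for day 1>",
    date(2025, 7, 16): b"<jpeg bytes for day 2>",
    date(2025, 7, 17): b"<jpeg bytes for day 3>",
}
RELEASE_HOUR = 9  # assumption: clues go live at 09:00 server-local time


def parse_clue_date(path):
    """Return the date encoded in a clue path, or None if it isn't a valid clue URL."""
    m = CLUE_PATH.match(path)
    if not m:
        return None
    try:
        return date(int(m.group(1)), int(m.group(2)), int(m.group(3)))
    except ValueError:  # e.g. clue-2025-02-30.jpg
        return None


def release_time(clue_date):
    """Moment at which the clue for clue_date becomes public."""
    return datetime(clue_date.year, clue_date.month, clue_date.day, RELEASE_HOUR)


def serve_clue(path, now):
    """Server-side gate: return (status, body) for a clue request.

    A clue is only served once its release time has passed. Future-dated and
    nonexistent clues get the same 404, so editing the date in the URL does
    not even confirm which days are on the schedule.
    """
    if isinstance(now, str):
        now = datetime.fromisoformat(now)
    clue_date = parse_clue_date(path)
    if clue_date is None or clue_date not in PUBLISHED_CLUES:
        return HTTPStatus.NOT_FOUND, b""
    if now < release_time(clue_date):
        return HTTPStatus.NOT_FOUND, b""
    return HTTPStatus.OK, PUBLISHED_CLUES[clue_date]


def flag_premature_requests(log_lines):
    """Detection helper: given access-log lines of the form
    '<ISO timestamp> <client> <path>', return (client, path) pairs where a
    clue was requested before its release time. Those requests are the
    signature of someone probing the date in the URL."""
    offenders = []
    for line in log_lines:
        ts, client, path = line.split(" ", 2)
        clue_date = parse_clue_date(path)
        if clue_date is None:
            continue
        if datetime.fromisoformat(ts) < release_time(clue_date):
            offenders.append((client, path))
    return offenders


# Constructed sample log: one client requests the next day's clue early.
SAMPLE_LOG = [
    "2025-07-16T09:05:00 198.51.100.7 /clues/clue-2025-07-16.jpg",
    "2025-07-16T09:06:30 198.51.100.7 /clues/clue-2025-07-17.jpg",
    "2025-07-16T09:07:00 203.0.113.4 /clues/clue-2025-07-15.jpg",
]

if __name__ == "__main__":
    print(serve_clue("/clues/clue-2025-07-16.jpg", "2025-07-16T10:00:00")[0])  # 200
    print(serve_clue("/clues/clue-2025-07-17.jpg", "2025-07-16T10:00:00")[0])  # 404
    print(flag_premature_requests(SAMPLE_LOG))
```

The design point is that the check lives on the server, where the player cannot edit it; anything a browser's developer tools can see or change is not a control. Returning the identical 404 for "not yet" and "does not exist" keeps the schedule from leaking, and the premature-request check gives the operator a record of who probed ahead of time rather than guesswork about who solved the puzzle suspiciously fast.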

This weakness would explain how some flags were found within minutes of their official release, far too quickly to be coincidence. By contrast, I found one of the flags through honest effort and deduction, which shows that the game can be won legitimately, though it takes real work.

I’ve already reported this potential security oversight to Dave & Buster’s Guest Relations team, including screenshots and technical details. Out of respect and fairness, I’ve chosen not to publicly identify those involved or pinpoint individuals, instead hoping the company will address the issue promptly.

It raises questions about whether this was an oversight on the company's part or a deliberate shortcut taken by certain players. Should you find yourself participating in similar promotions, remember to play responsibly.

Please note, I don’t have a background in web development and simply wanted to share this discovery. Thank you for reading.
