Potential Vulnerability in Dave & Buster’s Reno “Find the Flag” Website Could Have Given Players an Unfair Advantage

Potential Security Concern in Dave & Buster’s “Find the Flag” Reno Promotion

Recently, I came across a concerning issue related to the ongoing “Find the Flag” event hosted by Dave & Buster’s in Reno.

You can view the promotion here: Find the Flag Reno

While participating in this activity, a fellow user pointed out a significant vulnerability. It appears that the clues for the game are accessible through straightforward browser inspection techniques, thanks to predictable URL patterns based on dates. These files seem to be publicly accessible without any server-side security measures. As a result, an individual with minimal technical skill could:

  • Open the browser’s developer tools on the clue webpage,
  • Examine the HTML, JavaScript, or image sources,
  • Alter the date parameter in the URL (such as changing clue-2025-07-16.jpg to clue-2025-07-17.jpg),
  • Access the clues meant for future days ahead of schedule.

This flaw explains how some clues have been discovered incredibly quickly—sometimes within minutes of their official release. In contrast, finding clues through genuine deduction required more effort and strategy.

I’ve already reported this vulnerability directly to Dave & Buster’s Guest Relations team, providing detailed screenshots and technical insights. I am currently choosing to withhold naming individuals or publicly exposing specific details to give the company a chance to address the problem appropriately.

It raises questions about whether this was an oversight or perhaps an intentional simplification that unintentionally compromised the game’s fairness. While I’m not a web developer, I believe transparency and responsible handling of such issues are vital.

If you’re hosting or participating in online events or promotions, ensure that sensitive assets are protected appropriately to maintain fairness and security.
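One way to close the gap described above, shown as an added example (not code from the promotion's site): the server checks the date embedded in a requested `clue-YYYY-MM-DD.jpg` name against that day's release time before serving anything, and keeps the files under unguessable storage names. The 09:00 UTC-7 unlock time, the secret value, and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import re
from datetime import date, datetime, time, timedelta, timezone

# Assumptions (not from the page): clues unlock at 09:00, UTC-7, and the
# image files are stored under names derived from a server-side secret.
RELEASE_TIME = time(9, 0)
LOCAL_TZ = timezone(timedelta(hours=-7))
SECRET = b"constructed-demo-secret"  # placeholder; load from a secret store
CLUE_RE = re.compile(r"clue-([0-9]{4})-([0-9]{2})-([0-9]{2})\.jpg")


def release_instant(day: date) -> datetime:
    """Moment at which the clue for `day` becomes public."""
    return datetime.combine(day, RELEASE_TIME, tzinfo=LOCAL_TZ)


def storage_name(day: date) -> str:
    """Opaque stored name, so a file cannot be guessed from its date."""
    tag = hmac.new(SECRET, day.isoformat().encode(), hashlib.sha256)
    return tag.hexdigest()[:32] + ".jpg"


def authorize_clue(filename: str, now: datetime):
    """Return (http_status, stored_name_or_None) for a requested clue.

    `now` must be timezone-aware and come from the server clock, never
    from anything the client sends.
    """
    m = CLUE_RE.fullmatch(filename)
    if not m:
        return 404, None  # wrong shape, path tricks, trailing junk
    try:
        day = date(*map(int, m.groups()))
    except ValueError:  # impossible date such as 2025-02-30
        return 404, None
    if now < release_instant(day):
        # Same answer as a missing file, so the response does not
        # confirm that a future clue already exists.
        return 404, None
    return 200, storage_name(day)
```

The request handler would stream the file named by the second return value from a directory the web server does not expose directly, so the date check cannot be bypassed by requesting the image path itself.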

