Hi GeoGuessr team,
I was playing around with the network requests in my browser's dev tools while playing a game, and stumbled across something that seems like it probably shouldn't be there.
When a round is submitted via the /api/v3/games/{token} endpoint, the API response includes the exact latitude and longitude of the round's location in the rounds array. I had a look and realised this means you could just read those coordinates and submit them straight back as your guess - getting 5,000 points every round without actually guessing.
I tested it on my own account and it works across all game modes. It also affects leaderboards and XP since the whole thing can be scripted and runs in seconds. I noticed my score appeared on the NMPZ leaderboard with a 0-second time, which is what made me think I should flag it.
I have tested and it is possible to loop these games and play 100s of 25K games in a matter of seconds. I thought it probably wasn't a good idea to put the script here on a public forum, but if you reach out I can break it down.
If it is possible to revert my 0-second game from the NMPZ Community World leaderboard so it's fair again, that would also be good.
This may well be a known thing already, but if not, I hope this was valuable.
Thanks,
Thomas
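
A server-side mitigation for the issue reported above, as an added example that is not part of the original post and is not GeoGuessr's code: the response serializer withholds a round's coordinates until a guess for that round is stored, and a review check flags guesses that are both near-exact and near-instant. The field names (`lat`, `lng`, `guesses`, `seconds`), the sample game and the thresholds are assumptions.

```python
import math

# Constructed sample of server-side game state; field names are assumptions.
GAME = {
    "token": "EXAMPLE-TOKEN",
    "rounds": [
        {"lat": 48.8584, "lng": 2.2945},
        {"lat": -33.8568, "lng": 151.2153},
        {"lat": 40.6892, "lng": -74.0445},
    ],
    "guesses": [
        {"lat": 48.8584, "lng": 2.2945, "seconds": 0},  # exact match, instant
    ],
}

def client_view(game):
    """Serialize a game for the player, revealing a round's coordinates only
    once a guess for that round has been recorded server-side."""
    answered = len(game["guesses"])
    rounds = []
    for i, rnd in enumerate(game["rounds"]):
        if i < answered:
            rounds.append({"lat": rnd["lat"], "lng": rnd["lng"]})
        else:
            rounds.append({"lat": None, "lng": None})  # answer withheld
    return {"token": game["token"], "rounds": rounds,
            "guesses": list(game["guesses"])}

def haversine_m(lat1, lng1, lat2, lng2):
    """Great-circle distance in metres."""
    r = 6371000.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dp, dl = p2 - p1, math.radians(lng2 - lng1)
    a = math.sin(dp / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dl / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))

def suspicious_rounds(game, max_metres=1.0, max_seconds=1):
    """Indices of rounds whose guess is both near-exact and near-instant,
    for leaderboard review (thresholds are illustrative assumptions)."""
    flagged = []
    for i, g in enumerate(game["guesses"]):
        ans = game["rounds"][i]
        d = haversine_m(g["lat"], g["lng"], ans["lat"], ans["lng"])
        if d <= max_metres and g["seconds"] <= max_seconds:
            flagged.append(i)
    return flagged
```

Redaction is the actual fix, since the client never receives an answer it has not yet guessed; the flagging check only helps clean up leaderboard entries made before the fix.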