Industry News
MMO game Street Mobster leaking data of 1.9 million users due to critical vulnerability
Attackers could exploit the SQL Injection flaw to compromise the game’s database and steal user data.
The CyberNews.com Investigation team discovered a critical vulnerability in Street Mobster, a browser-based massively multiplayer online game created by Bulgarian development company BigMage Studios.
Street Mobster is a free to play, browser-based online game in the mafia empire genre where players manage a fictional criminal enterprise. The game boasts a 1.9+ million player base and stores a user record database that can be accessed by threat actors by committing an SQL Injection (SQLi) attack on the game’s website.
Other games created by BigMage Studios are also potentially vulnerable to the same type of attack, which means that there is a possibility that even more users might be at risk.
The records that can be compromised by exploiting the SQLi vulnerability in Street Mobster potentially include the players’ usernames, email addresses, and passwords, as well as other game-related data that is stored on the database.
Fortunately, after we reported the vulnerability to BigMage Studios, CERT Bulgaria, and the Bulgarian data protection authority, the issue has been fixed by the developers and the user database is no longer accessible to potential attackers.
What is SQL Injection?
First found back in 1998, SQLi is deemed by the Open Web Application Security Project (OWASP) as the number one web application security risk.
Even though this vulnerability is relatively easy to fix, researchers found that 8% of websites and web applications are still vulnerable to SQLi attacks in 2020. Which, from a security perspective, is inexcusable. So much so, in fact, that UK internet service provider TalkTalk was hit with a record £400,000 fine over succumbing to a cyberattack that involved SQLi.
The vulnerability works by injecting an unexpected payload (a piece of code) into the input box on the website or in its URL address. Instead of reading the text as part of the URL, the website’s server reads the attacker’s payload as code and then proceeds to execute the attacker’s command or output data that would otherwise be inaccessible to unauthorized parties. Attackers can exploit SQLi even further by uploading pieces of code or even malware to the vulnerable server.
The fact that Street Mobster is susceptible to SQLi attacks clearly shows the disappointing and dangerous neglect of basic security practices on the part of the developers at BigMage Studios.
How we found this vulnerability
Our security team identified an SQL Injection vulnerability on the Street Mobster website and were able to confirm the vulnerability by performing a simple command injection test on the website URL. The CyberNews team did not extract any data from the vulnerable Street Mobster database.
What’s the impact of the vulnerability?
The data in the vulnerable Street Mobster database can be used in a variety of ways against the players whose information was exposed:
By injecting malicious payloads on Street Mobster’s server, attackers can potentially gain access to said server, where they can install malware on the game’s website and cause harm to the visitors – from using the players’ devices to mine cryptocurrency to redirecting them to other malicious websites, installing malware, and more.
The 1.9 million user credentials stored on the database can net the attackers user email addresses and passwords, which they can potentially use for credential stuffing attacks to hack the players’ accounts on other gaming platforms like Steam or other online services.
Because Street Mobster is a free-to-play game that incorporates microtransactions, bad actors could also make a lot of money from selling hacked player accounts on gray market websites.
What to do if you’ve been affected?
If you have a Street Mobster account, make sure to change your password immediately and make it as complex as possible. If you’ve been using your Street Mobster password on any other websites or services, change that password as well. This will prevent potential attackers from accessing your accounts on these websites in case they try to reuse your password for credential stuffing attacks.
However, it’s ultimately up to BigMage Studios to completely secure your Street Mobster account against attacks like SQLi.
Disclosure and lack of communication from BigMage Studios
Following our vulnerability disclosure guidelines, we notified the BigMage Studios about the leak on August 31, 2020. However, we received no reply. Our follow-up emails were left unanswered as well.
We then reached out to CERT Bulgaria on September 11 in order to help secure the website. CERT contacted the BigMage Studios and informed the company about the misconfiguration.
Throughout the disclosure process, BigMage Studios stayed radio silent and refused to get in touch with CyberNews.com. Due to this reason, we also notified the Bulgarian data protection agency about the incident on October 9 in the hopes that the agency would be able to pressure the company into fixing the issue.
Eventually, however, BigMage Studios appear to have fixed the SLQi vulnerability on streetmobster.com, without informing either CyberNews.com or CERT Bulgaria about that fact.
Industry News
LiveScore Group Announces Internal Restructuring as Part of Sustainable Growth Strategy
LiveScore Group has announced an internal restructuring process, expected to impact more than 100 existing roles across multiple business locations, including London.
The changes are seen as a difficult yet important step for LiveScore Group, streamlining the business to create improved structures and a pathway to long-term sustainable growth. All impacted employees have been informed and are now subject to a confidential consultation process.
Sam Sadi, CEO of LiveScore Group, said: “On behalf of all Directors of LiveScore Group, and the relevant subsidiary companies, we are saddened by the difficult decision to commence an internal restructure of the business, a process which impacts a significant number of our people.
“Whilst we celebrate our recent period of significant and exciting growth, we must now future-proof the organisation and ensure our internal structures allow us to achieve long-term and sustainable success.
“This is a hard time for all our people, as we say goodbye to colleagues who have played an important role in our journey across recent years.”
The announcement follows on from the recent news that LiveScore Malta Limited (part of LiveScore Group) is to withdraw its LiveScore Bet brand from the Netherlands following recent government tax increases in the market. The announcement includes those impacted by this. There will be no other customer impact in respect of any of the remaining LiveScore, LiveScore Bet or Virgin Bet sites globally.
Industry News
Pronet Gaming Appoints Alex Karaoulis as its New Commercial & Product Strategy Lead
Pronet Gaming, an award-winning platform provider of full turnkey solutions, announced the appointment of Alexandros Karaoulis as its new Commercial & Product Strategy Lead.
With over 14 years of experience in the iGaming industry, Karaoulis brings a wealth of knowledge and expertise that will be instrumental in driving the company’s strategic initiatives forward.
Throughout his iGaming career, Karaoulis has held various senior roles with B2B sportsbook and casino providers, as well as with B2C operators. His extensive background in marketing and sales within the iGaming sector positions him as a true industry expert, ensuring that Pronet Gaming remains at the forefront of innovation in a rapidly evolving market.
“I am thrilled to join Pronet Gaming and excited to fulfill my role in developing and executing sales strategies to drive the company’s revenue growth in key markets,” Karaoulis said.
With a track record in commercial strategies and driving product excellence, Karaoulis’ appointment is invaluable as Pronet Gaming now seeks to expand its footprint to Asia. His vision and deep understanding of the iGaming landscape equip him to navigate the unique challenges and opportunities that the dynamic region presents.
“I want Pronet Gaming to lead the iGaming revolution by providing innovative, culturally tailored solutions that cater to the diverse and rapidly growing demands of the region. Through strategic partnerships, cutting-edge technology, and a deep understanding of local markets, we aim to empower operators to offer world-class gaming experiences that engage players and drive sustainable growth,” he added.
According to Karaoulis, Pronet Gaming is poised to make a splash in Asia by leveraging its advanced technology, flexible platform solutions and deep market expertise while adapting to the unique characteristics of the region.
“The key differentiation point of Pronet Gaming is that we have B2C experience, which greatly aids in understanding the needs of operators and helping them to improve and execute their strategy according to the market. I have worked in B2C roles for more than seven years in my iGaming Career and managed campaigns across various channels, optimised conversion funnels, and learned to use data to improve player acquisition and retention,” said Karaoulis.
Karaoulis acknowledges that the marketing skills he has acquired from B2C experience are valuable in every B2B environment. As he dives into his new role at Pronet Gaming, Karaoulis aims to guide his operator clients on how to better market their own sites, including providing them with advice on effective acquisition strategies, content marketing and campaign structures that appeal to iGaming audiences.
“I also focus heavily on engagement strategies, loyalty programs, bonuses, and personalised offers to keep players active and returning. In my new B2B role, I will advise clients on best practices for player engagement, helping them adopt effective loyalty programs, personalised marketing, and retention tactics that drive player lifetime value to improve the end-player experience for our clients’ sites,” Karaoulis added.
Industry News
Vbet Wins Best Online Casino Operator 2024 at SiGMA Europe 2024
Vbet has been crowned the Best Online Casino Operator 2024 at the highly coveted SiGMA Europe event, cementing its position as a leader in the online gaming industry.
This achievement highlights Vbet’s commitment to providing an exceptional user experience by combining cutting-edge technology with a vast range of options and a secure process. The dedication to creating a responsible, enjoyable environment for players was recognised with this award, making this accolade even more significant. As Vbet continue to expand into new markets, the list of strategic partnerships grows alongside our constant drive to expand its offering. This award serves as a stepping stone on its path to reach more players and set new standards in the industry.
Arman Khachatryan, VBET’s Managing Director, said: “We are incredibly proud to receive the Best Online Casino Operator award at SiGMA Europe 2024. This recognition is a testament to the hard work, passion, and effort of our entire team. Our mission has always been to deliver the highest quality experience in the safest environment possible to our users. This award not only recognizes our dedication to this mission but also motivates us to continue expanding into new markets and territories.”
-
Latest News20 hours ago
Make every pixel personal: Opera GX facelift lets you match your browser to your setup down to the smallest detail
-
Latest News20 hours ago
Casino Management System Market to Reach USD 29.09 Billion by 2032 | Enhanced Security and Operational Efficiency Drive Growth | Research by S&S Insider
-
Balkans6 days ago
EGT Digital’s iGaming platform X-Nave and successful titles to deliver high-quality experience to BetHub’s customers
-
Asia6 days ago
Mascots Xiyangyang and Lerongrong ready for China’s 15th National Games
-
Australia6 days ago
ACMA: Tabcorp Pays $262,000 Penalty for Illegal In-Play Bets
-
Latest News6 days ago
AGREEMENT BETWEEN ZITRO AND GRUPO OSGA TO PROMOTE THE LABOT INTEGRATION OF PEOPLE WITH DISABILITIES
-
Latest News6 days ago
Week 46/2024 slot games releases
-
Latest News21 hours ago
Fast Track Celebrates Third Year as a Great Place to Work Certified™ Tech Company