Industry News
MMO game Street Mobster leaking data of 1.9 million users due to critical vulnerability
Attackers could exploit the SQL Injection flaw to compromise the game’s database and steal user data.
The CyberNews.com Investigation team discovered a critical vulnerability in Street Mobster, a browser-based massively multiplayer online game created by Bulgarian development company BigMage Studios.
Street Mobster is a free-to-play, browser-based online game in the mafia empire genre where players manage a fictional criminal enterprise. The game boasts a 1.9+ million player base and stores a user record database that could be accessed by threat actors through an SQL Injection (SQLi) attack on the game’s website.
Other games created by BigMage Studios are also potentially vulnerable to the same type of attack, which means that there is a possibility that even more users might be at risk.
The records that can be compromised by exploiting the SQLi vulnerability in Street Mobster potentially include the players’ usernames, email addresses, and passwords, as well as other game-related data that is stored on the database.
Fortunately, after we reported the vulnerability to BigMage Studios, CERT Bulgaria, and the Bulgarian data protection authority, the issue has been fixed by the developers and the user database is no longer accessible to potential attackers.
What is SQL Injection?
First found back in 1998, SQLi is deemed by the Open Web Application Security Project (OWASP) as the number one web application security risk.
Even though this vulnerability is relatively easy to fix, researchers found that 8% of websites and web applications were still vulnerable to SQLi attacks in 2020, which, from a security perspective, is inexcusable. So much so, in fact, that UK internet service provider TalkTalk was hit with a record £400,000 fine after succumbing to a cyberattack that involved SQLi.
The vulnerability works by injecting an unexpected payload (a piece of code) into an input box on the website or into its URL. Instead of treating that text as plain data, the website’s server passes it into a database query, where it is interpreted as part of the query itself; the database then executes the attacker’s command or returns data that would otherwise be inaccessible to unauthorized parties. Attackers can exploit SQLi even further by uploading pieces of code or even malware to the vulnerable server.
The fact that Street Mobster is susceptible to SQLi attacks clearly shows the disappointing and dangerous neglect of basic security practices on the part of the developers at BigMage Studios.
How we found this vulnerability
Our security team identified an SQL Injection vulnerability on the Street Mobster website and was able to confirm it by performing a simple injection test on the website URL. The CyberNews team did not extract any data from the vulnerable Street Mobster database.
What’s the impact of the vulnerability?
The data in the vulnerable Street Mobster database can be used in a variety of ways against the players whose information was exposed:
By injecting malicious payloads on Street Mobster’s server, attackers can potentially gain access to said server, where they can install malware on the game’s website and cause harm to the visitors – from using the players’ devices to mine cryptocurrency to redirecting them to other malicious websites, installing malware, and more.
The 1.9 million user credentials stored on the database can net the attackers user email addresses and passwords, which they can potentially use for credential stuffing attacks to hack the players’ accounts on other gaming platforms like Steam or other online services.
Because Street Mobster is a free-to-play game that incorporates microtransactions, bad actors could also make a lot of money from selling hacked player accounts on gray market websites.
What to do if you’ve been affected?
If you have a Street Mobster account, make sure to change your password immediately and make it as complex as possible. If you’ve been using your Street Mobster password on any other websites or services, change that password as well. This will prevent potential attackers from accessing your accounts on these websites in case they try to reuse your password for credential stuffing attacks.
However, it’s ultimately up to BigMage Studios to completely secure your Street Mobster account against attacks like SQLi.
Disclosure and lack of communication from BigMage Studios
Following our vulnerability disclosure guidelines, we notified BigMage Studios about the leak on August 31, 2020. However, we received no reply. Our follow-up emails were left unanswered as well.
We then reached out to CERT Bulgaria on September 11 in order to help secure the website. CERT contacted BigMage Studios and informed the company about the misconfiguration.
Throughout the disclosure process, BigMage Studios stayed radio silent and refused to get in touch with CyberNews.com. Due to this reason, we also notified the Bulgarian data protection agency about the incident on October 9 in the hopes that the agency would be able to pressure the company into fixing the issue.
Eventually, however, BigMage Studios appear to have fixed the SQLi vulnerability on streetmobster.com, without informing either CyberNews.com or CERT Bulgaria about that fact.
Industry News
MiFinity to Showcase Innovative iFrame at SiGMA 2024
MiFinity, a leading global payment services provider, is excited to announce its participation at SiGMA 2024, held in Malta from 12 to 14 November. Visitors can find MiFinity at Stand 2012, where the team will be showcasing its award winning PayAnyBank service, and the latest version of the MiFinity iFrame and demonstrating how it helps iGaming operators acquire and retain players with a seamless, flexible payment experience.
Paul Kavanagh, CEO of MiFinity, commented: “SiGMA is a fantastic opportunity for us to showcase our latest developments and engage directly with the iGaming community. The MiFinity iFrame is a game-changer for operators looking to streamline their payment processes and enhance the player experience. We look forward to demonstrating its capabilities and connecting with both existing and prospective partners.”
MiFinity’s Business Development and Account Management teams will be on-site to discuss the new iFrame features in-depth and highlight how MiFinity can optimise payments for iGaming operators. They will also be showcasing MiFinity’s innovative suite of payment solutions developed specifically for the iGaming sector, including MiFinity PayAnyBank — a powerful tool that enables operators to send payouts directly to players’ bank accounts in multiple countries and currencies, enhancing the user experience with faster, more localised transactions and reduced FX fees.
The MiFinity Affiliates team will also be available to explain the benefits of MiFinity’s affiliate program, which offers some of the highest commissions in the industry and unique promotional opportunities via the MiFinity Bonus website.
Meet the MiFinity team at Stand 2012 at SiGMA 2024 to learn more about the company’s solutions and how they are transforming the iGaming payment landscape. Pre-book a meeting with the MiFinity team or drop by the stand during the event to explore how MiFinity can support your business.
Book a meeting here > outlook.office365.com/book/[email protected]/
Industry News
Dutch Mental Health Care Calls for Total Ban on Online Gambling Advertising
The Dutch mental health service is calling for a total ban on online gambling advertisements in the Netherlands.
Although a ban on untargeted gambling advertisements and a ban on the use of role models have been in effect since 2023, recent research by KRO-NCRV’s Pointer shows that (illegal) gambling companies and sports tipster platforms are still enticing young people via social media such as TikTok and Snapchat.
By using influencers and terms like “free money”, they try to attract a young audience and thus lower the threshold to start gambling. This concerns both legal online casinos and online casinos that do not have a license in the Netherlands. The Gaming Authority has started an investigation based on Pointer’s findings.
Pointer’s research shows that part of the gambling industry deliberately targets young people who are often susceptible to promises such as “fast money” and the influence of role models. Ruth Peetoom, chair of the Dutch mental health service, compares this approach to that of the tobacco industry, where similar marketing strategies were used to get young people to smoke.
Despite the existing advertising ban, gambling companies continue to explore the boundaries of the law, according to Peetoom. The Dutch mental health and addiction care associations in the Netherlands therefore push for a total ban on online gambling advertising and stricter rules for the duty of care of gambling providers.
With the call for a total ban, the Dutch mental health care sector hopes to prevent further normalisation of gambling behaviour among young people and to protect them from the temptation and consequences of online gambling.
Compliance Updates
UKGC: Market impact data on gambling behaviour – operator data to Oct 2024
The Gambling Commission has published further data on the gambling industry in Great Britain.
This data, sourced from operators, reflects the period between March 2020 and September 2024, inclusive, and covers both online gambling and in-person gambling at the Licensed Betting Operators (LBOs) found on Britain’s high streets.
Comparison should not be made with the industry statistics dataset, as this dataset may include free bets and bonuses and does not include data from all operators.
This release compares Quarter 2 (Q2) of financial year 2024 to 2025, with Q2 of 2023 to 2024, looking at how the market has changed in comparative periods over a year.
The latest operator data shows:
- online total Gross Gambling Yield (GGY) in Q2 (July to September) was £1.32 billion, an increase of 11 percent from Q2 the previous year. The overall number of total bets and/or spins increased 12 percent Year-on-Year (YoY), reaching a new peak for the third consecutive quarter of 25.2 billion, whilst the average monthly active accounts in the quarter increased 8 percent
- real event betting GGY increased by 6 percent YoY to £453 million. The number of bets decreased 10 percent, while the average monthly active accounts in Q2 increased 9 percent
- slots GGY increased 16 percent to £680 million YoY. The number of spins increased 13 percent to 23.3 billion while the average monthly active accounts in Q2 increased 16 percent to 4.4 million per month. Although this is a new peak for GGY in this dataset for the slots vertical, it should be noted that one operator has re-classified some of its products into the slot vertical this quarter, which has had an impact on the vertical data
- the number of online slots sessions lasting longer than an hour increased by 9 percent YoY to 10 million. The average session length remained at 17 minutes. Approximately 6.1 percent of all sessions lasted more than one hour compared to 6.6 percent in Q2 the previous year. The number of spins per session has fallen from 147 to 142 YoY, whilst the GGY per session has fallen from £4.20 to £4.13 in the equivalent timeframe
- LBO GGY decreased by 1 percent to £533 million in Q2 2024 to 2025, compared to the same quarter last year, while the number of total bets and spins decreased by 0.1 percent to 3.1 billion.