
MMO game Street Mobster leaking data of 1.9 million users due to critical vulnerability


Attackers could exploit the SQL Injection flaw to compromise the game’s database and steal user data.

The CyberNews.com Investigation team discovered a critical vulnerability in Street Mobster, a browser-based massively multiplayer online game created by Bulgarian development company BigMage Studios.

Street Mobster is a free-to-play, browser-based online game in the mafia empire genre where players manage a fictional criminal enterprise. The game boasts a 1.9+ million player base, and its user record database could be reached by threat actors through an SQL Injection (SQLi) attack on the game's website.

Other games created by BigMage Studios are also potentially vulnerable to the same type of attack, which means that there is a possibility that even more users might be at risk.

The records that can be compromised by exploiting the SQLi vulnerability in Street Mobster potentially include the players’ usernames, email addresses, and passwords, as well as other game-related data that is stored on the database.

Fortunately, after we reported the vulnerability to BigMage Studios, CERT Bulgaria, and the Bulgarian data protection authority, the issue has been fixed by the developers and the user database is no longer accessible to potential attackers.

What is SQL Injection?

SQLi was first publicly documented in 1998, and injection flaws, of which SQLi is the most common, sat at the top of the Open Web Application Security Project (OWASP) Top 10 at the time of writing (A1:2017-Injection).

Even though this vulnerability is relatively easy to fix (parameterised queries eliminate the entire class), researchers found that 8% of websites and web applications were still vulnerable to SQLi attacks in 2020. From a security perspective that is inexcusable, and regulators have treated it that way: UK internet service provider TalkTalk was fined a then-record £400,000 by the Information Commissioner's Office in 2016 after a 2015 breach that exploited an SQLi flaw.

The flaw arises when an application builds a database query by gluing user-supplied text (from a form field, a URL parameter, a cookie or a header) directly into the SQL string. The database then has no way to tell where the developer's query ends and the attacker's input begins: a payload such as a stray quote followed by OR 1=1, or a UNION SELECT clause, is parsed as part of the query, and the database returns rows the application never meant to expose, or modifies them. Depending on the privileges and configuration of the database account, an attacker can go further, writing files to the server (for example to plant a web shell) or running operating-system commands through database features that permit it. The fix is well understood: bind user input as query parameters (prepared statements) so it is only ever treated as data, and run the application's database account with the least privilege it needs.
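The mechanism described above, as an added illustration that is not code from Street Mobster, BigMage Studios or CyberNews: a toy login check against an in-memory SQLite table, written once with string concatenation and once with bound parameters. The table, usernames and passwords are constructed for the demo (a real system must store password hashes, not plaintext); the point is that the same two payloads log in as everyone and dump the email column against the concatenated query, and match nothing against the parameterised one.

```python
import sqlite3


def make_db():
    """Constructed stand-in for a game's user table (not real Street Mobster data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT, password TEXT)"
    )
    # Plaintext passwords only to keep the demo short; never do this in production.
    conn.executemany(
        "INSERT INTO users (username, email, password) VALUES (?, ?, ?)",
        [("alice", "alice@example.com", "hunter2"),
         ("bob", "bob@example.com", "correcthorse")],
    )
    return conn


def login_vulnerable(conn, username, password):
    """Vulnerable: user input is concatenated into the SQL text, so the database
    parses whatever the user typed as part of the query."""
    query = ("SELECT username FROM users WHERE username = '" + username
             + "' AND password = '" + password + "'")
    return [row[0] for row in conn.execute(query)]


def login_safe(conn, username, password):
    """Fixed: the query text is constant and the inputs are bound as parameters,
    so a quote or a UNION in the input is just data to compare against."""
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(query, (username, password))]


def demo():
    """Run both versions against a normal login and two classic payloads."""
    conn = make_db()
    # Tautology payload: closes the string literal and appends OR '1'='1'.
    tautology = "' OR '1'='1"
    # UNION payload: closes the literal, appends a second SELECT, comments out the rest.
    union = "' UNION SELECT email FROM users --"
    return {
        "vulnerable_legit": login_vulnerable(conn, "alice", "hunter2"),
        # Resulting SQL: ... username = 'nobody' AND password = '' OR '1'='1'
        # AND binds tighter than OR, so every row matches.
        "vulnerable_injected": login_vulnerable(conn, "nobody", tautology),
        # Resulting SQL: ... username = '' UNION SELECT email FROM users --' AND ...
        # The attacker reads a column the login query was never meant to return.
        "vulnerable_union": login_vulnerable(conn, union, "x"),
        "safe_legit": login_safe(conn, "alice", "hunter2"),
        "safe_injected": login_safe(conn, "nobody", tautology),
        "safe_union": login_safe(conn, union, "x"),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name:20s} -> {rows}")
```

Running the block shows the vulnerable function returning both usernames for the tautology payload and both email addresses for the UNION payload, while the parameterised function returns an empty list for both and only ever matches the genuine credentials.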

The fact that Street Mobster is susceptible to SQLi attacks clearly shows the disappointing and dangerous neglect of basic security practices on the part of the developers at BigMage Studios.


How we found this vulnerability

Our security team identified an SQL Injection vulnerability on the Street Mobster website and confirmed it by injecting a simple test payload into a parameter of the site's URL, a non-destructive check that reveals whether the input reaches the database unsanitised. The CyberNews team did not extract any data from the vulnerable Street Mobster database.
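Probes like the one described above leave traces in the web server's access log, and a site operator can look for them. The following is an added example, not code from CyberNews or BigMage Studios: it parses combined-format access log lines, URL-decodes each query parameter and flags values that contain common SQLi signatures, plus the tell-tale combination of a lone quote and a 5xx response. The log lines, IP addresses and paths are constructed for the demo.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed access-log sample (Apache/nginx combined format). Addresses and paths are made up.
SAMPLE_LOG = """\
203.0.113.7 - - [31/Aug/2020:10:01:12 +0000] "GET /profile.php?id=1337 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [31/Aug/2020:10:01:15 +0000] "GET /profile.php?id=1337' HTTP/1.1" 500 311 "-" "Mozilla/5.0"
203.0.113.7 - - [31/Aug/2020:10:01:19 +0000] "GET /profile.php?id=1337%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 9870 "-" "Mozilla/5.0"
203.0.113.7 - - [31/Aug/2020:10:01:25 +0000] "GET /profile.php?id=-1%20UNION%20SELECT%20username,password%20FROM%20users-- HTTP/1.1" 200 12040 "-" "Mozilla/5.0"
198.51.100.4 - - [31/Aug/2020:10:02:01 +0000] "GET /news.php?q=it%27s+a+fair+game HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
"""

# Fields we need from a combined-format line: client IP, request target and status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) '
)

# Signatures checked against each *decoded* parameter value.
SQLI_PATTERNS = {
    "union_select": re.compile(r"\bunion\b\s+(all\s+)?\bselect\b", re.I),
    # quote, then OR/AND, then something compared with '=' : ' OR '1'='1
    "tautology": re.compile(r"'\s*(or|and)\b\s*\S+\s*=\s*\S+", re.I),
    "comment": re.compile(r"(--|/\*)"),
    "time_based": re.compile(r"\b(sleep|benchmark|pg_sleep)\s*\(|waitfor\s+delay", re.I),
    "metadata": re.compile(r"\b(information_schema|sqlite_master|sysobjects)\b", re.I),
}


def inspect_value(value, status):
    """Return the list of reasons a single decoded parameter value looks like an SQLi probe."""
    reasons = [name for name, rx in SQLI_PATTERNS.items() if rx.search(value)]
    # A bare quote that makes the server error out is the classic first probe.
    if "'" in value and 500 <= status < 600 and not reasons:
        reasons.append("quote_then_server_error")
    return reasons


def scan_log(text):
    """Parse each line, decode the query string and collect suspicious parameters."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than crash
        status = int(m.group("status"))
        query = urlsplit(m.group("target")).query
        # parse_qsl percent-decodes and turns '+' into spaces for us.
        for name, value in parse_qsl(query, keep_blank_values=True):
            reasons = inspect_value(value, status)
            if reasons:
                findings.append({
                    "ip": m.group("ip"),
                    "ts": m.group("ts"),
                    "param": name,
                    "value": value,
                    "status": status,
                    "reasons": reasons,
                })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} {f['param']}={f['value']!r} -> {f['reasons']}")
```

On the sample, the three requests from 203.0.113.7 are flagged (the error-inducing quote, the tautology and the UNION with a trailing comment) while the innocent apostrophe in "it's a fair game" is not. Signature matching of this kind is a cheap triage aid, not a substitute for parameterised queries: an attacker can vary encodings and keywords, so treat hits as a reason to review the endpoint, not as proof that nothing else slipped through.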

What’s the impact of the vulnerability?

The data in the vulnerable Street Mobster database can be used in a variety of ways against the players whose information was exposed:

If the database account is privileged enough, injected payloads can also be used to gain a foothold on the server itself, for example by writing files into the web root. From there, attackers could plant malware on the game's website and harm its visitors, from using players' devices to mine cryptocurrency to redirecting them to malicious websites, installing malware, and more.

The 1.9 million user credentials in the database would hand attackers email addresses and passwords. Unless the passwords were stored as strong, salted hashes, the attackers could use them in credential stuffing attacks against the players' accounts on other gaming platforms such as Steam or other online services.

Because Street Mobster is a free-to-play game that incorporates microtransactions, bad actors could also make a lot of money from selling hacked player accounts on gray market websites.

What to do if you’ve been affected?

If you have a Street Mobster account, change your password immediately and make the new one long, random and unique to that site. If you have reused your Street Mobster password on any other website or service, change it there as well. That is what stops an attacker who obtains the leaked credentials from reusing them in credential stuffing attacks against your other accounts.

However, it’s ultimately up to BigMage Studios to completely secure your Street Mobster account against attacks like SQLi.

Disclosure and lack of communication from BigMage Studios

Following our vulnerability disclosure guidelines, we notified BigMage Studios about the leak on August 31, 2020. However, we received no reply. Our follow-up emails were left unanswered as well.

We then reached out to CERT Bulgaria on September 11 in order to help secure the website. CERT contacted BigMage Studios and informed the company about the vulnerability.

Throughout the disclosure process, BigMage Studios stayed radio silent and refused to get in touch with CyberNews.com. For this reason, we also notified the Bulgarian data protection agency about the incident on October 9, in the hope that the agency would be able to pressure the company into fixing the issue.

Eventually, however, BigMage Studios appears to have fixed the SQLi vulnerability on streetmobster.com, without informing either CyberNews.com or CERT Bulgaria of that fact.

