Industry News
MMO game Street Mobster leaking data of 1.9 million users due to critical vulnerability
Attackers could exploit the SQL Injection flaw to compromise the game’s database and steal user data.
The CyberNews.com Investigation team discovered a critical vulnerability in Street Mobster, a browser-based massively multiplayer online game created by Bulgarian development company BigMage Studios.
Street Mobster is a free to play, browser-based online game in the mafia empire genre where players manage a fictional criminal enterprise. The game boasts a 1.9+ million player base and stores a user record database that can be accessed by threat actors by committing an SQL Injection (SQLi) attack on the game’s website.
Other games created by BigMage Studios are also potentially vulnerable to the same type of attack, which means that there is a possibility that even more users might be at risk.
The records that can be compromised by exploiting the SQLi vulnerability in Street Mobster potentially include the players’ usernames, email addresses, and passwords, as well as other game-related data that is stored on the database.
Fortunately, after we reported the vulnerability to BigMage Studios, CERT Bulgaria, and the Bulgarian data protection authority, the issue has been fixed by the developers and the user database is no longer accessible to potential attackers.
What is SQL Injection?
First found back in 1998, SQLi is deemed by the Open Web Application Security Project (OWASP) as the number one web application security risk.
Even though this vulnerability is relatively easy to fix, researchers found that 8% of websites and web applications are still vulnerable to SQLi attacks in 2020. Which, from a security perspective, is inexcusable. So much so, in fact, that UK internet service provider TalkTalk was hit with a record £400,000 fine over succumbing to a cyberattack that involved SQLi.
The vulnerability works by injecting an unexpected payload (a piece of code) into the input box on the website or in its URL address. Instead of reading the text as part of the URL, the website’s server reads the attacker’s payload as code and then proceeds to execute the attacker’s command or output data that would otherwise be inaccessible to unauthorized parties. Attackers can exploit SQLi even further by uploading pieces of code or even malware to the vulnerable server.
The fact that Street Mobster is susceptible to SQLi attacks clearly shows the disappointing and dangerous neglect of basic security practices on the part of the developers at BigMage Studios.
How we found this vulnerability
Our security team identified an SQL Injection vulnerability on the Street Mobster website and were able to confirm the vulnerability by performing a simple command injection test on the website URL. The CyberNews team did not extract any data from the vulnerable Street Mobster database.
What’s the impact of the vulnerability?
The data in the vulnerable Street Mobster database can be used in a variety of ways against the players whose information was exposed:
By injecting malicious payloads on Street Mobster’s server, attackers can potentially gain access to said server, where they can install malware on the game’s website and cause harm to the visitors – from using the players’ devices to mine cryptocurrency to redirecting them to other malicious websites, installing malware, and more.
The 1.9 million user credentials stored on the database can net the attackers user email addresses and passwords, which they can potentially use for credential stuffing attacks to hack the players’ accounts on other gaming platforms like Steam or other online services.
Because Street Mobster is a free-to-play game that incorporates microtransactions, bad actors could also make a lot of money from selling hacked player accounts on gray market websites.
What to do if you’ve been affected?
If you have a Street Mobster account, make sure to change your password immediately and make it as complex as possible. If you’ve been using your Street Mobster password on any other websites or services, change that password as well. This will prevent potential attackers from accessing your accounts on these websites in case they try to reuse your password for credential stuffing attacks.
However, it’s ultimately up to BigMage Studios to completely secure your Street Mobster account against attacks like SQLi.
Disclosure and lack of communication from BigMage Studios
Following our vulnerability disclosure guidelines, we notified the BigMage Studios about the leak on August 31, 2020. However, we received no reply. Our follow-up emails were left unanswered as well.
We then reached out to CERT Bulgaria on September 11 in order to help secure the website. CERT contacted the BigMage Studios and informed the company about the misconfiguration.
Throughout the disclosure process, BigMage Studios stayed radio silent and refused to get in touch with CyberNews.com. Due to this reason, we also notified the Bulgarian data protection agency about the incident on October 9 in the hopes that the agency would be able to pressure the company into fixing the issue.
Eventually, however, BigMage Studios appear to have fixed the SLQi vulnerability on streetmobster.com, without informing either CyberNews.com or CERT Bulgaria about that fact.
11 experienced people managers from the SKS365 group’s 4 locations gathered last week in Belgrade for the new GROW People Management Program. From 15 th to 19 th of April, through trainings, discussions, and social connections, people had the opportunity to further grow individually and as a team, while enjoying Belgrade’s city center and rivers.
Created in 2023 with the purpose of building foundation people management skills across the organization, GROW initiative evolved this year by including a new, advanced program for experienced people managers to further consolidate their skills and prepare for future opportunities.
Building and fostering connections, sharing experiences, and enjoying team building experiences – all these activities have been part of the GROWpmp agenda for the 11 people managers coming from Commercial, Product and Development, Finance, and Sportsbook departments of the group’s 4 locations – Malta, Italy, Austria, Serbia.
GROWpmp included a variety of topics that people managers in SKS365 recognized as the key areas for management development. Topics such as influence through communication, team effectiveness, DEI, through to presentation skills and business topics like understanding finance and management reporting, were delivered with the support of external professionals and internal experts, while designed and organized by the SKS365 People & Culture team.
Kindred Group plc’s (Kindred) share of revenue from high-risk players showed a slight increase to 3.2% (Q4 2023 3.1%) in the first quarter of 2024. Compared to the first quarter of 2023, the high-risk revenue share decreased marginally. The percentage of detected customers who exhibited improved behaviour after interventions came in at 87.1% (compared to 87.4% in Q4 2023 and 83.0% in Q1 2023). This sustained trajectory in the improvement effect after interventions, observed over an extended period, serves as a testament to the strong dedication and collective efforts throughout the company. It reflects Kindred’s ongoing commitment to fostering positive change within the industry.
“We continue to see our share of revenue from high-risk players fluctuate quarter to quarter, and we are working closely with all teams across the company to support customers towards a more sustainable gambling experience. However, it is encouraging to see that our Journey towards Zero data has steadily decreased since 2020. A similar trend can be seen across the healthier gambling behaviour effect after interventions. This tells us two things: our work is paying off, but we need to continue to push ourselves to propel a sustainable progression,” Alexander Westrell, Director of Communications at Kindred Group, said.
“It was very encouraging to witness the open and transparent discussions at the Sustainable Gambling Conference in London on 20 March, where those with lived experience shared their important stories. Also, it is evident that technology is moving forward, and will provide greater opportunities to detect and intervene in the future. We hope to see more regulators engage with the industry and with experts to secure a more sustainable industry for everyone,” Alexander Westrell added.
PENN Entertainment announced that Aaron LaBerge has been named Chief Technology Officer (CTO) effective July 1, 2024, subject to customary regulatory approvals. Mr. LaBerge will report directly to PENN CEO & President Jay Snowden.
In his new role, Mr. LaBerge will be responsible for driving the technology strategy and execution for PENN, while leading the multinational team of technologists and serving as the key business leader for the company’s Interactive division.
Mr. LaBerge spent more than 20 years at The Walt Disney Company, in two stints separated by five and a half years as a technology entrepreneur. He was most recently President & Chief Technology Officer for Disney Entertainment and ESPN where he was responsible for driving all technology and product development in support of The Walt Disney Company’s two media divisions. In that role, he helped set the vision and strategic leadership for how Disney uses technology to enable storytelling and innovation, drive its business, and create unparalleled consumer experiences with entertainment and sports content.
“We are thrilled to have someone of Aaron’s caliber join our PENN executive team. Having overseen a global organization of thousands of engineers, product developers, designers, technologists, and data scientists that created some of the largest scale and most successful media properties in the world, there is no better candidate to lead our Technology and Interactive division into its future. I know Aaron is looking forward to working with Todd George, our head of operations, and our entire Executive Team to continue growing our position as a leader in online gaming, sports betting, and digital sports media,” Mr. Snowden said.
“I’m excited to join another talented team at PENN Interactive and lead our technology strategy. PENN Entertainment is at the forefront of the fast-changing gaming and sports media industry. I plan to use my experience from Disney and ESPN to help make ESPN BET an essential piece of the sports fan experience. Together, we’ll push the limits and redefine how fans interact with sports and gaming,” Mr. LaBerge said.
Prior to his most recent role at the Walt Disney Company, Mr. LaBerge was Executive Vice President and Chief Technology Officer at ESPN from 2015 to 2018. At ESPN he played an instrumental role in the growth of ESPN’s consumer-facing digital media products and services – leading many of ESPN’s most ambitious and challenging projects and helping establish ESPN’s position as the leader in digital sports and innovative sports technology development. He was a key architect in the design, development, and engineering of ESPN’s state-of-the-art facilities in Bristol, CT; Los Angeles, CA; Charlotte, NC; and Austin, TX, as well as data centers and infrastructure that connect those facilities around the world, as well as the technology design and development to support the launch of the multi-platform SEC Network.
Between 2007 and 2012, LaBerge was co-founder and CEO of Fanzter, Inc. – a venture-funded consumer software and digital product development company. At Fanzter, he directed all day-to-day operations and led the development and launch of a variety of consumer-focused internet and mobile products, ground-breaking social and commerce technologies and more.
Expanse Studios Launches in Bulgaria with Inbet
Week 17/2024 slot games releases
CasinoBeats Summit 2024: Providing the Tools to Balance Innovation and Regulation in the Digital Age
Aristocrat Leisure Completes Acquisition of Neo Group Ltd. (f/k/a NeoGames) for $29.50 per Share
Wazdan pounces for bigger wins in new sequel Mighty Wild™: Panther Grand Gold Edition
PRAGMATIC PLAY DELIVERS BRAND NEW DEDICATED LIVE STUDIO FOR BETSSON
Evoplay bolsters presence in Lithuania with Betsafe deal
EL Executive Committee Names Mr Ionut-Valeriu Andrei as New Member
SOFTSWISS Obtains Firstly Issued B2B Tobique Gaming Licence
VGCCC Fines Bookmaker MintBet $100,000 for Repeat Breaches of its Responsible Gambling Code of Conduct
BetGames Classic roulette launch w/ Andreas Koeberl, CEO
BGaming agrees LatAm content deal with Salsa Technology
Slotsjudge Awarded Best Affiliate in CEE at Prague Gaming & Tech Summit 2024
Gaming Americas Weekly Roundup – March 25-31
Gaming Corps makes key European addition with Fortuna Entertainment Group partnership
PRAGMATIC PLAY SLOTS LIVE WITH HOMMERSON CASINO IN THE NETHERLANDS
-
eSports7 days agoEverything you need to know ahead of ESL Pro League Season 19
-
Latest News7 days ago
New Market Alert! Hacksaw Gaming Touch Down in Portugal with Solverde.pt
-
Latest News7 days ago
What Types of Resources Help You Find New Online Casinos?
-
Latest News4 days ago
THE UNIT APPOINTS ADAM NOBLE AS CHIEF COMMERCIAL OFFICER
-
Gaming4 days ago
The German Games Industry Association congratulates all winners of the German Computer Game Awards 2024
-
Baltics4 days ago
MARE BALTICUM Gaming & TECH Summit Announces Final Agenda for 2024 Event
-
Latest News4 days ago
INSPIRED LAUNCHES VIRTUAL SPORTS WITH COMEON GROUP
-
Africa4 days ago
NE Group powers 888bets launch in Angola
