MMO game Street Mobster leaking data of 1.9 million users due to critical vulnerability – European Gaming Industry News
George Miller

Attackers could exploit the SQL Injection flaw to compromise the game’s database and steal user data.

The CyberNews.com Investigation team discovered a critical vulnerability in Street Mobster, a browser-based massively multiplayer online game created by Bulgarian development company BigMage Studios.

Street Mobster is a free-to-play, browser-based online game in the mafia empire genre where players manage a fictional criminal enterprise. The game boasts a 1.9+ million player base, and its user record database could be accessed by threat actors by performing an SQL Injection (SQLi) attack against the game's website.

Other games created by BigMage Studios are also potentially vulnerable to the same type of attack, which means that there is a possibility that even more users might be at risk.

The records that can be compromised by exploiting the SQLi vulnerability in Street Mobster potentially include the players’ usernames, email addresses, and passwords, as well as other game-related data that is stored on the database.

Fortunately, after we reported the vulnerability to BigMage Studios, CERT Bulgaria, and the Bulgarian data protection authority, the issue has been fixed by the developers and the user database is no longer accessible to potential attackers.

What is SQL Injection?

First publicly described in 1998, SQLi belongs to the injection class of flaws that the Open Web Application Security Project (OWASP) ranks as the number one web application security risk in its Top 10 (2017 edition).

Even though this class of vulnerability is relatively easy to fix, researchers found that 8% of websites and web applications were still vulnerable to SQLi attacks in 2020, which, from a security perspective, is inexcusable. Regulators have taken the same view: UK internet service provider TalkTalk was hit with a then-record £400,000 fine over a 2015 breach carried out via SQLi.

The vulnerability arises when an application builds an SQL query by concatenating untrusted input, such as a form field or a parameter in the URL, directly into the query text. A crafted input (the payload) containing a quote character and SQL syntax is then parsed by the database as part of the query rather than as a plain value, so the attacker can change what the query does: return rows they are not authorised to see, bypass a login check, or modify data. Depending on the database engine and the privileges of the account the application connects with, SQLi can sometimes be pushed further, for example to read or write files on the database server or to execute operating system commands, which is how an injection flaw can turn into a full server compromise.
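The following is an added example, not code from the Street Mobster site or from the CyberNews investigation. It shows the mechanism described above with an in-memory SQLite database and constructed sample users (the table layout, column names and user records are assumptions for the demo): a profile lookup that splices the input into the query string, the same lookup using a parameterised query, a UNION payload that dumps usernames and passwords through the vulnerable version, and the kind of boolean-based probe that confirms a parameter is injectable without extracting any records, as described in the "How we found this vulnerability" section.

```python
import sqlite3

# Constructed sample data for the demo; schema and users are assumptions.
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, "
        "email TEXT, password TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, email, password) VALUES (?, ?, ?)",
        [
            ("alice", "alice@example.com", "hunter2"),
            ("bob", "bob@example.com", "correct horse"),
            ("admin", "admin@example.com", "s3cret"),
        ],
    )
    return conn


def profile_vulnerable(conn, username):
    # VULNERABLE: untrusted input is concatenated into the SQL text, so the
    # database parser sees quotes and keywords in it as SQL, not as a value.
    query = f"SELECT username, email FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchall()


def profile_safe(conn, username):
    # FIXED: parameterised query. The value is passed to the driver separately
    # from the SQL text, so nothing in it can change the query structure.
    return conn.execute(
        "SELECT username, email FROM users WHERE username = ?", (username,)
    ).fetchall()


# A UNION payload of the kind sent through a URL parameter: it closes the
# string literal, appends a second SELECT over columns the page never shows,
# and comments out the rest of the original query.
PAYLOAD = "x' UNION SELECT username, password FROM users -- "


def looks_injectable(conn, lookup):
    # Boolean-based probe: two inputs that are the same *value* but differ as
    # *SQL* ('1'='1' is true, '1'='2' is false). If the backend returns
    # different results, the input is reaching the SQL parser. No data is
    # extracted, which is how a finding can be confirmed responsibly.
    true_case = lookup(conn, "alice' AND '1'='1")
    false_case = lookup(conn, "alice' AND '1'='2")
    return true_case != false_case


def demo():
    # Returns (legitimate lookup, rows dumped via the vulnerable lookup,
    # rows returned for the same payload by the fixed lookup).
    conn = build_db()
    legit = profile_vulnerable(conn, "alice")
    dumped = profile_vulnerable(conn, PAYLOAD)
    safe = profile_safe(conn, PAYLOAD)
    return legit, dumped, safe


if __name__ == "__main__":
    legit, dumped, safe = demo()
    print("normal lookup:", legit)
    print("vulnerable lookup with payload:", dumped)
    print("parameterised lookup with payload:", safe)
    conn = build_db()
    print("vulnerable endpoint injectable:", looks_injectable(conn, profile_vulnerable))
    print("fixed endpoint injectable:", looks_injectable(conn, profile_safe))
```

The vulnerable lookup returns every user's password for the payload, because the appended SELECT is executed as part of the query; the parameterised lookup returns nothing, because it searches for a user whose name is literally the payload string. The probe flags only the vulnerable function, which is the check a tester runs before deciding whether a finding is real.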

The fact that Street Mobster is susceptible to SQLi attacks clearly shows the disappointing and dangerous neglect of basic security practices on the part of the developers at BigMage Studios.

 

How we found this vulnerability

Our security team identified an SQL Injection vulnerability on the Street Mobster website and was able to confirm it by performing a simple injection test against a parameter in the website URL. The CyberNews team did not extract any data from the vulnerable Street Mobster database.

What’s the impact of the vulnerability?

The data in the vulnerable Street Mobster database can be used in a variety of ways against the players whose information was exposed:

If the database account used by the game has sufficient privileges, attackers can escalate the SQLi flaw to write files to or run commands on the server, and from there install malware on the game's website and harm its visitors: using the players' devices to mine cryptocurrency, redirecting them to other malicious websites, installing malware, and more.

The 1.9 million user credentials stored in the database can net attackers email addresses and passwords (immediately usable if the passwords are stored in plaintext or weakly hashed), which they can then use in credential stuffing attacks to hijack the players' accounts on other gaming platforms like Steam or on other online services.

Because Street Mobster is a free-to-play game that incorporates microtransactions, bad actors could also make a lot of money from selling hacked player accounts on gray market websites.

What to do if you’ve been affected?

If you have a Street Mobster account, change your password immediately and choose a strong, unique one. If you have used your Street Mobster password on any other websites or services, change it there as well. This prevents attackers who obtained your old password from reusing it in credential stuffing attacks against your other accounts.

However, it’s ultimately up to BigMage Studios to completely secure your Street Mobster account against attacks like SQLi.

Disclosure and lack of communication from BigMage Studios

Following our vulnerability disclosure guidelines, we notified BigMage Studios about the vulnerability on August 31, 2020. However, we received no reply, and our follow-up emails were left unanswered as well.

We then reached out to CERT Bulgaria on September 11 to help get the website secured. CERT contacted BigMage Studios and informed the company about the vulnerability.

Throughout the disclosure process, BigMage Studios stayed silent and did not get in touch with CyberNews.com. For this reason, we also notified the Bulgarian data protection agency about the incident on October 9, in the hope that the agency would be able to pressure the company into fixing the issue.

Eventually, however, BigMage Studios appear to have fixed the SQLi vulnerability on streetmobster.com, without informing either CyberNews.com or CERT Bulgaria of that fact.

 
