Connect with us
NSoft

Latest News

MMO game Street Mobster leaking data of 1.9 million users due to critical vulnerability

Published

on

MMO game Street Mobster leaking data of 1.9 million users due to critical vulnerability
MMO game Street Mobster leaking data of 1.9 million users due to critical vulnerabilityReading Time: 3 minutes

Attackers could exploit the SQL Injection flaw to compromise the game’s database and steal user data.

The CyberNews.com Investigation team discovered a critical vulnerability in Street Mobster, a browser-based massively multiplayer online game created by Bulgarian development company BigMage Studios.

Street Mobster is a free to play, browser-based online game in the mafia empire genre where players manage a fictional criminal enterprise. The game boasts a 1.9+ million player base and stores a user record database that can be accessed by threat actors by committing an SQL Injection (SQLi) attack on the game’s website.

Other games created by BigMage Studios are also potentially vulnerable to the same type of attack, which means that there is a possibility that even more users might be at risk.

The records that can be compromised by exploiting the SQLi vulnerability in Street Mobster potentially include the players’ usernames, email addresses, and passwords, as well as other game-related data that is stored on the database.

Fortunately, after we reported the vulnerability to BigMage Studios, CERT Bulgaria, and the Bulgarian data protection authority, the issue has been fixed by the developers and the user database is no longer accessible to potential attackers.

What is SQL Injection?

First found back in 1998, SQLi is deemed by the Open Web Application Security Project (OWASP) as the number one web application security risk.

Even though this vulnerability is relatively easy to fix, researchers found that 8% of websites and web applications are still vulnerable to SQLi attacks in 2020. Which, from a security perspective, is inexcusable. So much so, in fact, that UK internet service provider TalkTalk was hit with a record £400,000 fine over succumbing to a cyberattack that involved SQLi.

The vulnerability works by injecting an unexpected payload (a piece of code) into the input box on the website or in its URL address. Instead of reading the text as part of the URL, the website’s server reads the attacker’s payload as code and then proceeds to execute the attacker’s command or output data that would otherwise be inaccessible to unauthorized parties. Attackers can exploit SQLi even further by uploading pieces of code or even malware to the vulnerable server.

The fact that Street Mobster is susceptible to SQLi attacks clearly shows the disappointing and dangerous neglect of basic security practices on the part of the developers at BigMage Studios.

 

How we found this vulnerability

Our security team identified an SQL Injection vulnerability on the Street Mobster website and were able to confirm the vulnerability by performing a simple command injection test on the website URL. The CyberNews team did not extract any data from the vulnerable Street Mobster database.

What’s the impact of the vulnerability?

The data in the vulnerable Street Mobster database can be used in a variety of ways against the players whose information was exposed:

By injecting malicious payloads on Street Mobster’s server, attackers can potentially gain access to said server, where they can install malware on the game’s website and cause harm to the visitors – from using the players’ devices to mine cryptocurrency to redirecting them to other malicious websites, installing malware, and more.

The 1.9 million user credentials stored on the database can net the attackers user email addresses and passwords, which they can potentially use for credential stuffing attacks to hack the players’ accounts on other gaming platforms like Steam or other online services.

Because Street Mobster is a free-to-play game that incorporates microtransactions, bad actors could also make a lot of money from selling hacked player accounts on gray market websites.

What to do if you’ve been affected?

If you have a Street Mobster account, make sure to change your password immediately and make it as complex as possible. If you’ve been using your Street Mobster password on any other websites or services, change that password as well. This will prevent potential attackers from accessing your accounts on these websites in case they try to reuse your password for credential stuffing attacks.

However, it’s ultimately up to BigMage Studios to completely secure your Street Mobster account against attacks like SQLi.

Disclosure and lack of communication from BigMage Studios

Following our vulnerability disclosure guidelines, we notified the BigMage Studios about the leak on August 31, 2020. However, we received no reply. Our follow-up emails were left unanswered as well.

We then reached out to CERT Bulgaria on September 11 in order to help secure the website. CERT contacted the BigMage Studios and informed the company about the misconfiguration.

Throughout the disclosure process, BigMage Studios stayed radio silent and refused to get in touch with CyberNews.com. Due to this reason, we also notified the Bulgarian data protection agency about the incident on October 9 in the hopes that the agency would be able to pressure the company into fixing the issue.

Eventually, however, BigMage Studios appear to have fixed the SLQi vulnerability on streetmobster.com, without informing either CyberNews.com or CERT Bulgaria about that fact.

 

Source


Source: Latest News on European Gaming Media Network
This is a Syndicated News piece. Photo credits or photo sources can be found on the source article: MMO game Street Mobster leaking data of 1.9 million users due to critical vulnerability

George Miller (Gyorgy Molnar) started his career in content marketing and has started working as an Editor/Content Manager for our company in 2016. George has acquired many experiences when it comes to interviews and newsworthy content becoming Head of Content in 2017. He is responsible for the news being shared on multiple websites that are part of the European Gaming Media Network.

Latest News

New Zealand Cricket Selects Stats Perform’s Opta as Exclusive Official Data Partner

Published

on

New Zealand Cricket Selects Stats Perform’s Opta as Exclusive Official Data Partner
New Zealand Cricket Selects Stats Perform’s Opta as Exclusive Official Data PartnerReading Time: 2 minutes

 

  • Stats Perform’s Opta analysts to Collect and Distribute Official NZC Data to Betting, Fantasy, Broadcasters, Media and Sponsors
  • World Cup finalists choose world’s largest live cricket scores and statistics provider to power official digital platforms, social media content and professional player analysis tools
  • Innovative agreement also includes expansion in live video streams for betting and news video distribution

New Zealand Cricket (NZC) has renewed its innovative agreement with Stats Perform, the SportsTech leader in data and AI technology, as their Exclusive Official Data Partner for international and domestic competitions.

Under the agreement, Stats Perform’s trusted Opta data analysts will collect, analyse and deliver official ultrafast ball-by-ball event data and insights to the NZC high performance team as well as broadcast, media, fantasy and betting operators, including NZC’s official digital and social media platforms, providing insights and information to deepen the engagement of fans and bettors with NZC’s competitions, teams and players.

Stats Perform will also distribute live match video streams to licensed sportsbook operators through their Watch&Bet live streaming platform from an expanded set of NZC competitions including the T20 Super Smash and the previously un-broadcast Ford Trophy and Plunket Shield.  NZC news video clips will also be distributed to media worldwide through Stats Perform’s sports news content service.

The deal covers all of NZC’s international fixtures across all formats and domestic competitions including the Ford Trophy 1 Day competition, the Plunket Shield 4 day competition and all Super Smash men’s and women’s T20 competitions.

Stats Perform is the largest provider of cricket data in the world and the new NZC renewal represents an important part of the company’s comprehensive official cricket data service.

It is now the exclusive official data partner of the ECB, Cricket Australia, New Zealand Cricket and Cricket South Africa, as well as the ICC, providing world-class data services and analysis to media and the coaching units that include three of the four semi-finalists at the last Cricket World Cup. Stats Perform’s unique commercial model, extensive distribution network and innovative products provides an unrivalled ability for leading cricket boards to elevate the performance of their professional teams whilst also growing fan and sponsor interest in their properties.

“We are thrilled to have renewed our partnership with New Zealand Cricket. We look forward to continuing to provide extensive coverage for all of the premier Cricket New Zealand matches and supporting the production of live streams from previously un-broadcast competitions,” Chief Rights Officer, Alex Rice, said. “Through our new agreement, Stats Perform data and video will be used to maximise significant opportunities for global engagement and improve the way it is experienced and understood by fans. We look forward to providing an expanded premium in-play gaming experience, improved data insights and providing more content for sponsors.”

CNZ will welcome the West Indies to New Zealand when the visitors tour New Zealand on 27th November.

 


Source: Latest News on European Gaming Media Network
This is a Syndicated News piece. Photo credits or photo sources can be found on the source article: New Zealand Cricket Selects Stats Perform’s Opta as Exclusive Official Data Partner

Continue Reading

Latest News

Entropiq Partners with PUMA

Published

on

Entropiq Partners with PUMA
Entropiq Partners with PUMAReading Time: 2 minutes

 

Entropiq, one of the rapidly-growing esports organisations, has entered into a new partnership with global sportswear brand PUMA.

The German company, which specialises in sportswear design and manufacturing, becomes Entropiq’s exclusive merchandising partner. From jerseys to shirts and hats, the apparel will be available for purchase on Queens.cz.

“In the last few months, we were in touch with several global brands, and after considerations and mutual agreement, we decided to sign with PUMA. I am delighted that we will be able to provide our players and fans with merchandising of the highest quality,” Ondřej Drebota, Managing Director of Entropiq, said.

“While the fans’ interest in buying our merchandise has been imminent ever since our organization entered the esports realm, we understood the importance of the decision. It is a privilege to join forces with such a renowned brand, which provides sportswear for the Czech national football team and several first division clubs,” Drebota added.

“PUMA follows the global trend of connection between sports and esports. We believe that, in today’s world, sports and esports are closely linked entities with many common features. I am very pleased that we can start our collaboration with esports organization Entropiq and together become a part of the gaming community on the Czech-Slovak as well as international stage,” Jan Sochor, Area General Manager Eastern Europe, PUMA, said.

“Esports events may take many hours, and it is important to feel comfortable while playing. All of us in the team were thrilled to hear that PUMA would be our new partner and provide our sportswear. The timing of the announcement just ahead of the Czech National Championship makes the partnership even more exciting,” Entropiq’s PUBG player Filip “RedgieBeardo” Tutko revealed.

“I am happy that Entropiq signed with PUMA, the designer of the national football team. It is a great connection, which ticks all the boxes,” Entropiq Ambassador Vladimír Šmicer said.


Source: Latest News on European Gaming Media Network
This is a Syndicated News piece. Photo credits or photo sources can be found on the source article: Entropiq Partners with PUMA

Continue Reading

Latest News

ASCI Publishes Guidelines on Advertising Real Money Games

Published

on

ASCI Publishes Guidelines on Advertising Real Money Games
ASCI Publishes Guidelines on Advertising Real Money GamesReading Time: < 1 minute

 

The Advertising Standards Council of India (ASCI) has published its first set of guidelines on advertising real-money gaming.

ASCI advised its members to exercise caution when promoting real money games, an advertising segment deemed to be high-risk by the watchdog.

ASIC guidelines state that members must ensure that real-money advertisers cannot promote games or services “depicting any person under the age of 18 years” – a requirement enforced across all mediums.

All real money gaming adverts must carry a “Please Play Responsibly” disclaimer, warning consumers of the associated financial risks and potential addictions – with warnings implemented across audio and video platforms.

Also, Indian broadcasters and media owners must ensure that participation in real money games is not depicted as an “income opportunity or employment option.”


Source: Latest News on European Gaming Media Network
This is a Syndicated News piece. Photo credits or photo sources can be found on the source article: ASCI Publishes Guidelines on Advertising Real Money Games

Continue Reading

Trending

We are constantly showing banners about important news regarding events and product launches. Please turn AdBlock off in order to see these areas.