MMO game Street Mobster leaking data of 1.9 million users due to critical vulnerability


Attackers could exploit the SQL Injection flaw to compromise the game’s database and steal user data.

The CyberNews.com Investigation team discovered a critical vulnerability in Street Mobster, a browser-based massively multiplayer online game created by Bulgarian development company BigMage Studios.

Street Mobster is a free-to-play, browser-based online game in the mafia empire genre where players manage a fictional criminal enterprise. The game boasts a player base of more than 1.9 million and stores a user record database that threat actors can access through an SQL Injection (SQLi) attack on the game’s website.

Other games created by BigMage Studios are also potentially vulnerable to the same type of attack, which means that there is a possibility that even more users might be at risk.

The records that can be compromised by exploiting the SQLi vulnerability in Street Mobster potentially include the players’ usernames, email addresses, and passwords, as well as other game-related data that is stored on the database.

Fortunately, after we reported the vulnerability to BigMage Studios, CERT Bulgaria, and the Bulgarian data protection authority, the issue has been fixed by the developers and the user database is no longer accessible to potential attackers.

What is SQL Injection?

First found back in 1998, SQLi is deemed by the Open Web Application Security Project (OWASP) as the number one web application security risk.

Even though this vulnerability is relatively easy to fix, researchers found that 8% of websites and web applications are still vulnerable to SQLi attacks in 2020, which, from a security perspective, is inexcusable. So much so, in fact, that UK internet service provider TalkTalk was hit with a record £400,000 fine for succumbing to a cyberattack that involved SQLi.

The attack works by injecting an unexpected payload (a piece of code) into an input box on the website or into its URL. Instead of treating that text as ordinary input, the website’s server reads the attacker’s payload as code and then executes the attacker’s command or outputs data that would otherwise be inaccessible to unauthorized parties. Attackers can exploit SQLi even further by uploading pieces of code or even malware to the vulnerable server.
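The difference between a query that reads input as code and one that reads it as data, as an added example that is not from the original article and is not Street Mobster’s code. It uses Python’s built-in sqlite3 as a stand-in database; the table, columns, function names and sample rows are constructed for illustration.

```python
import sqlite3

def make_db():
    """In-memory table of constructed sample players (not real data)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE players (id INTEGER PRIMARY KEY, username TEXT, email TEXT)")
    db.executemany(
        "INSERT INTO players (username, email) VALUES (?, ?)",
        [("alice", "alice@example.test"), ("bob", "bob@example.test"),
         ("o'brien", "obrien@example.test")],
    )
    return db

def lookup_vulnerable(db, username):
    # Vulnerable: the request value is pasted into the SQL text, so any quote
    # characters it contains are parsed as SQL syntax instead of as data.
    sql = "SELECT username, email FROM players WHERE username = '" + username + "'"
    return db.execute(sql).fetchall()

def lookup_parameterized(db, username):
    # Fixed: the SQL text is constant and the value is bound separately, so the
    # database never interprets the value as part of the statement.
    sql = "SELECT username, email FROM players WHERE username = ?"
    return db.execute(sql, (username,)).fetchall()

def try_lookup(fn, db, username):
    """Return the matching rows, or 'error' if the statement failed to parse."""
    try:
        return fn(db, username)
    except sqlite3.OperationalError:
        return "error"

def demo():
    db = make_db()
    crafted = "nobody' OR '1'='1"  # textbook tautology input
    results = {}
    for label, fn in (("vulnerable", lookup_vulnerable),
                      ("parameterized", lookup_parameterized)):
        for value in ("alice", "o'brien", crafted):
            results[(label, value)] = try_lookup(fn, db, value)
    return results

if __name__ == "__main__":
    for (label, value), rows in demo().items():
        print(f"{label:13} {value!r:22} -> {rows}")
```

With the concatenated query, the crafted value returns every row in the table and a legitimate name containing an apostrophe breaks the statement; with the bound parameter, both are compared as plain strings.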

The fact that Street Mobster is susceptible to SQLi attacks clearly shows the disappointing and dangerous neglect of basic security practices on the part of the developers at BigMage Studios.

 

How we found this vulnerability

Our security team identified an SQL Injection vulnerability on the Street Mobster website and were able to confirm the vulnerability by performing a simple command injection test on the website URL. The CyberNews team did not extract any data from the vulnerable Street Mobster database.

What’s the impact of the vulnerability?

The data in the vulnerable Street Mobster database can be used in a variety of ways against the players whose information was exposed:

  • By injecting malicious payloads on Street Mobster’s server, attackers can potentially gain access to said server, where they can install malware on the game’s website and cause harm to the visitors – from using the players’ devices to mine cryptocurrency to redirecting them to other malicious websites, installing malware, and more.
  • The 1.9 million user credentials stored on the database can net the attackers user email addresses and passwords, which they can potentially use for credential stuffing attacks to hack the players’ accounts on other gaming platforms like Steam or other online services.
  • Because Street Mobster is a free-to-play game that incorporates microtransactions, bad actors could also make a lot of money from selling hacked player accounts on gray market websites.

What to do if you’ve been affected?

If you have a Street Mobster account, make sure to change your password immediately and make it as complex as possible. If you’ve been using your Street Mobster password on any other websites or services, change that password as well. This will prevent potential attackers from accessing your accounts on these websites in case they try to reuse your password for credential stuffing attacks.

However, it’s ultimately up to BigMage Studios to completely secure your Street Mobster account against attacks like SQLi.

Disclosure and lack of communication from BigMage Studios

Following our vulnerability disclosure guidelines, we notified BigMage Studios about the leak on August 31, 2020. However, we received no reply. Our follow-up emails were left unanswered as well.

We then reached out to CERT Bulgaria on September 11 in order to help secure the website. CERT contacted BigMage Studios and informed the company about the misconfiguration.

Throughout the disclosure process, BigMage Studios stayed radio silent and refused to get in touch with CyberNews.com. For this reason, we also notified the Bulgarian data protection agency about the incident on October 9 in the hopes that the agency would be able to pressure the company into fixing the issue.

Eventually, however, BigMage Studios appears to have fixed the SQLi vulnerability on streetmobster.com, without informing either CyberNews.com or CERT Bulgaria about that fact.

 


Source: Latest News on European Gaming Media Network
This is a Syndicated News piece. Photo credits or photo sources can be found on the source article: MMO game Street Mobster leaking data of 1.9 million users due to critical vulnerability

George Miller (Gyorgy Molnar) started his career in content marketing and has started working as an Editor/Content Manager for our company in 2016. George has acquired many experiences when it comes to interviews and newsworthy content becoming Head of Content in 2017. He is responsible for the news being shared on multiple websites that are part of the European Gaming Media Network.
