Industry News
MMO game Street Mobster leaking data of 1.9 million users due to critical vulnerability
Attackers could exploit the SQL Injection flaw to compromise the game’s database and steal user data.
The CyberNews.com Investigation team discovered a critical vulnerability in Street Mobster, a browser-based massively multiplayer online game created by Bulgarian development company BigMage Studios.
Street Mobster is a free-to-play, browser-based online game in the mafia empire genre where players manage a fictional criminal enterprise. The game boasts a player base of more than 1.9 million and stores a user record database that threat actors can access by carrying out an SQL Injection (SQLi) attack on the game’s website.
Other games created by BigMage Studios are also potentially vulnerable to the same type of attack, which means that there is a possibility that even more users might be at risk.
The records that can be compromised by exploiting the SQLi vulnerability in Street Mobster potentially include the players’ usernames, email addresses, and passwords, as well as other game-related data that is stored on the database.
Fortunately, after we reported the vulnerability to BigMage Studios, CERT Bulgaria, and the Bulgarian data protection authority, the issue has been fixed by the developers and the user database is no longer accessible to potential attackers.
What is SQL Injection?
First found back in 1998, SQLi is deemed by the Open Web Application Security Project (OWASP) as the number one web application security risk.
Even though this vulnerability is relatively easy to fix, researchers found that 8% of websites and web applications are still vulnerable to SQLi attacks in 2020, which, from a security perspective, is inexcusable. So much so, in fact, that UK internet service provider TalkTalk was hit with a record £400,000 fine over succumbing to a cyberattack that involved SQLi.
An SQLi attack works by injecting an unexpected payload (a piece of code) into an input box on the website or into its URL. Instead of treating that text as plain data, the website’s server reads the attacker’s payload as code, passes it to the database as part of an SQL query, and then proceeds to execute the attacker’s command or output data that would otherwise be inaccessible to unauthorized parties. Attackers can exploit SQLi even further by uploading pieces of code or even malware to the vulnerable server.
The fact that Street Mobster is susceptible to SQLi attacks clearly shows the disappointing and dangerous neglect of basic security practices on the part of the developers at BigMage Studios.
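The mechanism described above, and the fix for it, shown as an added example that is not code from Street Mobster or BigMage Studios. The table, column names, sample rows and function names are constructed for illustration, and SQLite stands in for whatever database the game actually uses.

```python
import re
import sqlite3

def make_db():
    """Constructed sample data standing in for a game's user table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE players (id INTEGER PRIMARY KEY, username TEXT, email TEXT)"
    )
    conn.executemany(
        "INSERT INTO players (id, username, email) VALUES (?, ?, ?)",
        [(1, "alice", "alice@example.test"),
         (2, "bob", "bob@example.test"),
         (3, "carol", "carol@example.test")],
    )
    return conn

def profile_vulnerable(conn, player_id):
    # Weak: the URL parameter is pasted into the SQL text, so the database
    # parses whatever the client sent as part of the statement itself.
    query = "SELECT username, email FROM players WHERE id = " + player_id
    return conn.execute(query).fetchall()

def profile_safe(conn, player_id):
    # Hardened: the statement text is fixed. The value travels separately as
    # a bound parameter and is only ever compared against the id column.
    query = "SELECT username, email FROM players WHERE id = ?"
    return conn.execute(query, (player_id,)).fetchall()

def profile_strict(conn, player_id):
    # Defence in depth: reject anything that is not a short run of ASCII
    # digits before it reaches the database at all.
    if not re.fullmatch(r"[0-9]{1,10}", player_id):
        raise ValueError("player id must be numeric")
    return profile_safe(conn, int(player_id))

if __name__ == "__main__":
    db = make_db()
    tampered = "1 OR 1=1"  # constructed example of a modified URL parameter
    print("concatenated query:", profile_vulnerable(db, tampered))
    print("bound parameter:   ", profile_safe(db, tampered))
```

With the concatenated query the tampered value changes the WHERE clause and every row comes back; with the bound parameter the same value matches no id and the result is empty.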
How we found this vulnerability
Our security team identified an SQL Injection vulnerability on the Street Mobster website and were able to confirm the vulnerability by performing a simple command injection test on the website URL. The CyberNews team did not extract any data from the vulnerable Street Mobster database.
What’s the impact of the vulnerability?
The data in the vulnerable Street Mobster database can be used in a variety of ways against the players whose information was exposed:
By injecting malicious payloads on Street Mobster’s server, attackers can potentially gain access to said server, where they can install malware on the game’s website and cause harm to the visitors – from using the players’ devices to mine cryptocurrency to redirecting them to other malicious websites, installing malware, and more.
The 1.9 million user credentials stored on the database can net the attackers user email addresses and passwords, which they can potentially use for credential stuffing attacks to hack the players’ accounts on other gaming platforms like Steam or other online services.
Because Street Mobster is a free-to-play game that incorporates microtransactions, bad actors could also make a lot of money from selling hacked player accounts on gray market websites.
What to do if you’ve been affected?
If you have a Street Mobster account, make sure to change your password immediately and make it as complex as possible. If you’ve been using your Street Mobster password on any other websites or services, change that password as well. This will prevent potential attackers from accessing your accounts on these websites in case they try to reuse your password for credential stuffing attacks.
However, it’s ultimately up to BigMage Studios to completely secure your Street Mobster account against attacks like SQLi.
Disclosure and lack of communication from BigMage Studios
Following our vulnerability disclosure guidelines, we notified BigMage Studios about the leak on August 31, 2020. However, we received no reply. Our follow-up emails were left unanswered as well.
We then reached out to CERT Bulgaria on September 11 in order to help secure the website. CERT contacted BigMage Studios and informed the company about the misconfiguration.
Throughout the disclosure process, BigMage Studios stayed radio silent and refused to get in touch with CyberNews.com. For this reason, we also notified the Bulgarian data protection agency about the incident on October 9 in the hopes that the agency would be able to pressure the company into fixing the issue.
Eventually, however, BigMage Studios appears to have fixed the SQLi vulnerability on streetmobster.com, without informing either CyberNews.com or CERT Bulgaria about that fact.
AI
Blacklyte unveils AI-powered desktop gaming “Teammate” companion
Blacklyte has announced the Blacklyte AI Teammate, an AI-powered desktop gaming companion the company says is designed to react to gameplay and provide coaching-style assistance. Blacklyte said the product will be shown in base colors at LVL UP EXPO.
According to the company, the AI Teammate can guide players through levels, provide feedback on playstyle, and suggest alternative moves based on analysis of in-game decisions and potential outcomes. Blacklyte positions the device as a desk-based companion that integrates with its broader lineup of desks, chairs, and accessories.
“We at Blacklyte are excited to bring the Blacklyte AI Teammate to life. By creating this new desktop teammate, we are giving people a new way to connect with games. The Blacklyte AI Teammates are not just another robot; they are true partners who understand gamers, games, and how to get the win.” said Alex Liu, Blacklyte Founder and CEO. “Beyond gaming, the Blacklyte AI Teammate is a true partner who supports, adapts, and upgrades their new owner’s life. They are always there when needed, on the desk, in a game, and beyond.”
On hardware, Blacklyte said the device has a silicone body with a steel core for poseability and an LED face screen intended to display emotions and responses. The company said it connects to PCs through the Blacklyte app available on the Apple and Play Store, with the app supporting controls and firmware updates. Blacklyte also said additional colors and collaborations are planned in the future.
The post Blacklyte unveils AI-powered desktop gaming “Teammate” companion appeared first on Eastern European Gaming | Global iGaming & Tech Intelligence Hub.
Andrew Cardno
Quick Custom Intelligence Launches QCI Metrics
Quick Custom Intelligence (QCI), a leading provider of casino operational intelligence software, announced the launch of QCI Metrics, a new anonymized data-sharing program that enables gaming and hospitality operators to benchmark performance using yesterday’s operating data—providing timely, actionable insights without exposing customer, financial, or personally identifiable information. This innovative solution extends beyond gaming machine ranking into host performance standardization.
Available through the Chatalytics.com portal and integrated into the QCI Platform, QCI Metrics transforms operational data—including game performance and host effectiveness—into standardized performance indexes.
While traditional benchmarking solutions rely on limited datasets or delayed reporting cycles, QCI Metrics delivers insights based on yesterday’s data—giving operators a timely, continuously updated view of how they are performing against peers across both gaming and player development.
All data shared in QCI Metrics is:
• Aggregated and normalized
• De-identified
• Abstracted at the property level using internal IDs
No transaction-level, player-level, or campaign-level data is ever shared.
“QCI Metrics gives operators the ability to see how they stack up against peers across player development and gaming in near-time, without compromising privacy. It’s a practical, secure way to unlock industry-wide insights,” said Andrew Cardno, Co-Founder and CTO of QCI.
QCI Metrics is designed to help operators quickly identify performance gaps, respond faster to trends, and adopt proven strategies in a highly competitive environment.
The post Quick Custom Intelligence Launches QCI Metrics appeared first on Americas iGaming & Sports Betting News.
Industry News
RAW iGaming unveils RAW Riches: A site-wide progressive jackpot overlay built for scale
RAW iGaming announces today the launch of RAW Riches, a site-wide progressive jackpot overlay designed to deliver jackpot moments without adding operational complexity.
Launching as part of the RAWVerse ecosystem, RAW Riches introduces a new approach to jackpots, prioritising seamless integration, player engagement, and operator control.
A fully embedded experience
RAW Riches introduces a multi-tier progressive jackpot layer deployable across an operator’s entire portfolio, regardless of game supplier. Unlike traditional jackpot mechanics that require separate integrations or fragmented systems, RAW Riches operates as a fully embedded experience within the operator’s brand, creating a single, unified jackpot.
Tom Wood, CEO of RAW iGaming, said: “The industry built jackpots in silos. We built one that connects everything.
“RAW Riches gives operators a site-wide jackpot running across every entity and every game supplier, configured to their exact needs and brand, all from a single solution.
“We pride ourselves on producing the industry’s most distinctive and disruptive game concepts and RAW Riches is no different.
“This is the kind of product that changes how operators think about jackpots entirely.”
A seamless player experience
Players opt in and continue playing as normal. When triggered, the jackpot experience takes over instantly. Every trigger results in a win, with no losing outcomes, before the player is returned to their original game to continue playing.
Scalable without complexity
RAW Riches solves one of the industry’s most persistent operational challenges in scaling jackpots across multiple providers, brands, and markets. Key features include:
• Single deployment across all games and brands
• Full operator control over jackpot configuration and branding
• Multiple delivery options, including bespoke branded game builds
• Seamless deployment within any existing RAW integration or delivery partner
RAW Riches is available today across regulated markets in Europe.
The post RAW iGaming unveils RAW Riches: A site-wide progressive jackpot overlay built for scale appeared first on Eastern European Gaming | Global iGaming & Tech Intelligence Hub.