Industry News
MMO game Street Mobster leaking data of 1.9 million users due to critical vulnerability
Attackers could exploit the SQL Injection flaw to compromise the game’s database and steal user data.
The CyberNews.com Investigation team discovered a critical vulnerability in Street Mobster, a browser-based massively multiplayer online game created by Bulgarian development company BigMage Studios.
Street Mobster is a free to play, browser-based online game in the mafia empire genre where players manage a fictional criminal enterprise. The game boasts a 1.9+ million player base and stores a user record database that can be accessed by threat actors by committing an SQL Injection (SQLi) attack on the game’s website.
Other games created by BigMage Studios are also potentially vulnerable to the same type of attack, which means that there is a possibility that even more users might be at risk.
The records that can be compromised by exploiting the SQLi vulnerability in Street Mobster potentially include the players’ usernames, email addresses, and passwords, as well as other game-related data that is stored on the database.
Fortunately, after we reported the vulnerability to BigMage Studios, CERT Bulgaria, and the Bulgarian data protection authority, the issue has been fixed by the developers and the user database is no longer accessible to potential attackers.
What is SQL Injection?
First found back in 1998, SQLi is deemed by the Open Web Application Security Project (OWASP) as the number one web application security risk.
Even though this vulnerability is relatively easy to fix, researchers found that 8% of websites and web applications are still vulnerable to SQLi attacks in 2020. Which, from a security perspective, is inexcusable. So much so, in fact, that UK internet service provider TalkTalk was hit with a record £400,000 fine over succumbing to a cyberattack that involved SQLi.
The vulnerability works by injecting an unexpected payload (a piece of code) into the input box on the website or in its URL address. Instead of reading the text as part of the URL, the website’s server reads the attacker’s payload as code and then proceeds to execute the attacker’s command or output data that would otherwise be inaccessible to unauthorized parties. Attackers can exploit SQLi even further by uploading pieces of code or even malware to the vulnerable server.
The fact that Street Mobster is susceptible to SQLi attacks clearly shows the disappointing and dangerous neglect of basic security practices on the part of the developers at BigMage Studios.
How we found this vulnerability
Our security team identified an SQL Injection vulnerability on the Street Mobster website and were able to confirm the vulnerability by performing a simple command injection test on the website URL. The CyberNews team did not extract any data from the vulnerable Street Mobster database.
What’s the impact of the vulnerability?
The data in the vulnerable Street Mobster database can be used in a variety of ways against the players whose information was exposed:
By injecting malicious payloads on Street Mobster’s server, attackers can potentially gain access to said server, where they can install malware on the game’s website and cause harm to the visitors – from using the players’ devices to mine cryptocurrency to redirecting them to other malicious websites, installing malware, and more.
The 1.9 million user credentials stored on the database can net the attackers user email addresses and passwords, which they can potentially use for credential stuffing attacks to hack the players’ accounts on other gaming platforms like Steam or other online services.
Because Street Mobster is a free-to-play game that incorporates microtransactions, bad actors could also make a lot of money from selling hacked player accounts on gray market websites.
What to do if you’ve been affected?
If you have a Street Mobster account, make sure to change your password immediately and make it as complex as possible. If you’ve been using your Street Mobster password on any other websites or services, change that password as well. This will prevent potential attackers from accessing your accounts on these websites in case they try to reuse your password for credential stuffing attacks.
However, it’s ultimately up to BigMage Studios to completely secure your Street Mobster account against attacks like SQLi.
Disclosure and lack of communication from BigMage Studios
Following our vulnerability disclosure guidelines, we notified the BigMage Studios about the leak on August 31, 2020. However, we received no reply. Our follow-up emails were left unanswered as well.
We then reached out to CERT Bulgaria on September 11 in order to help secure the website. CERT contacted the BigMage Studios and informed the company about the misconfiguration.
Throughout the disclosure process, BigMage Studios stayed radio silent and refused to get in touch with CyberNews.com. Due to this reason, we also notified the Bulgarian data protection agency about the incident on October 9 in the hopes that the agency would be able to pressure the company into fixing the issue.
Eventually, however, BigMage Studios appear to have fixed the SLQi vulnerability on streetmobster.com, without informing either CyberNews.com or CERT Bulgaria about that fact.
Powered by WPeMatico
Dr. Helmut Becker, CEO of ZEAL Network, has informed the Supervisory Board of the company of his decision not to extend his contract, which runs until January 31, 2026. The 56-year-old has decided to pursue his own entrepreneurial activities in the future after many years as a top manager. Dr Becker will then leave the company after more than twelve years on the Executive Board of ZEAL Network SE, including more than ten as CEO. He will remain fully committed to ZEAL as CEO until the end of his contract term and will ensure a smooth transition of his duties to a successor.
“ZEAL is in an excellent position to continue to grow in the future. After almost ten years as CEO, I have decided that now is the right time to pursue my own entrepreneurial endeavours. This has been a difficult decision for me. I will especially miss our exceptionally strong team and the unique culture we have built together, characterised by innovation, customer focus and team spirit. I will continue to work hard until the end of my term to achieve the goals we have set together,” said Dr Becker.
Dr Becker informed the Supervisory Board of ZEAL Network SE about his decision at an early stage, and the Supervisory Board will immediately initiate a structured process for the succession of the CEO.
Peter Steiner, Chairman of the Supervisory Board, said: “The Supervisory Board of ZEAL Network SE has noted with great regret Helmut Becker’s decision not to seek a contract extension. Helmut Becker has played a decisive role in taking ZEAL’s business development to a new level. Under his leadership, ZEAL has established itself as a market leader in the online lottery market, significantly expanded its customer base and crucially broadened its offering through innovative product development. On behalf of the Supervisory Board, I would like to thank him for his outstanding commitment and strategic vision. We wish him all the best for his personal life and professional career.”
Dr Becker has been CEO of ZEAL Network since September 1, 2015, after serving as Chief Marketing Officer (CMO) for over two years. Prior to joining the Executive Board, he was a member of the Supervisory Board of ZEAL for two years. Previously, he served as Chief Commercial Officer on the Management Board of XING AG and held various management positions at eBay Germany and as a management consultant at McKinsey. As CEO, Dr Becker was responsible for the acquisition of LOTTO24 AG, the return of ZEAL to Germany and the expansion of the portfolio to include freiheit+, Games and Traumhausverlosung.
The post ZEAL Network CEO Helmut Becker Will Not Extend His Contract Beyond January 2026 appeared first on European Gaming Industry News.
Gamblorium, a trusted online casino affiliate platform, announces its new and improved casino rating system. This updated system is designed to give players even more accurate and transparent rankings for online casinos. Since 2020, Gamblorium has been known for providing honest and expert-tested casino reviews. With this updated rating system, Gamblorium continues to ensure players can easily find the best gambling sites.
The new rating system combines three key components: Gamblorium Score, Player Score and Market Score. These scores are based on a 100-point scale, providing players with a clear and reliable way to choose casinos that meet their preferences.
Main features of Gamblorium’s new rating system:
• Gamblorium score: The Gamblorium Score evaluates casinos based on over 100 criteria, including payment methods, game options, security and user experience. Unlike other platforms, Gamblorium uses a relative and flexible approach, meaning casinos are ranked based on their strengths within their market. This score also incorporates Expert Scoring, ensuring that the most important factors are weighted appropriately.
• Player score: The Player Score is based on feedback from real users. Players can leave reviews only if they have registered or played at the casino, ensuring honest and up-to-date feedback. This makes the reviews highly reliable and reflective of the actual player experience.
• Market score: The Market Score helps balance the overall rating by considering the views of other trusted gambling platforms. This adds another layer of objectivity and ensures that Gamblorium’s reviews remain fair and unbiased.
The post Gamblorium Enhances Casino Reviews with Updated Rating System appeared first on European Gaming Industry News.
Industry News
CT Interactive Appoints Dimitar Raychev as Technical Support Specialist for Online Services
CT Interactive has appointed Dimitar Raychev as Technical Support Specialist for Online Services.
Over the years, Dimitar has worked with various platforms such as AWS, Active Directory and SAP, allowing him to acquire deep knowledge and skills in managing infrastructures and automating processes. Thanks to his expertise, he has helped many organisations optimise their systems and maintain high levels of efficiency.
“We are thrilled to welcome Dimitar Raychev to the CT Interactive team, where he will take on the role of Technical Support Specialist for Online Services. Dimitar brings extensive experience in providing technical support to global clients, successfully diagnosing and resolving issues with software, hardware and network systems. His commitment to quality service and the technical skills he possesses make him a valuable asset. We look forward to leveraging his knowledge and continuing to provide our clients with impeccable service and support,” the company said.
The post CT Interactive Appoints Dimitar Raychev as Technical Support Specialist for Online Services appeared first on European Gaming Industry News.
-
Canada5 days agoOnline casino with a Nordic twist enters yet another market as it continues to deploy its ambitious international expansion plans
-
Gurhan Kiziloz6 days ago
From $400M to $1.45B: Exploring Gurhan Kiziloz’s Strategic Expansion in Online Gaming
-
Canada7 days ago
GiG Launches Fourth Partner into Ontario as PowerPlay Enhances Its Gaming Experience with GiG’s Formidable Combination of Proprietary Platform, Sportsbook and AI technology
-
Aristocrat Interactive3 days ago
Aristocrat Interactive Delivers Custom Branded Game “Caesars Ultimate Stars” for Caesars Sportsbook & Casino
-
4ThePlayer5 days ago
4ThePlayer Games Secures Certification for the Brazilian Market!
-
Compliance Updates6 days ago
Ukraine Creates New Agency Named “PlayCity” to Control Gambling and Lotteries
-
Latest News6 days ago
Gurhan Kiziloz’s $400 Million Gambling Empire: A Detailed Look
-
Asia6 days ago
Parimatch Hosts Rooftop Meet & Greet with Sunil Narine
