Industry News
MMO game Street Mobster leaking data of 1.9 million users due to critical vulnerability
Attackers could exploit the SQL Injection flaw to compromise the game’s database and steal user data.
The CyberNews.com Investigation team discovered a critical vulnerability in Street Mobster, a browser-based massively multiplayer online game created by Bulgarian development company BigMage Studios.
Street Mobster is a free to play, browser-based online game in the mafia empire genre where players manage a fictional criminal enterprise. The game boasts a 1.9+ million player base and stores a user record database that can be accessed by threat actors by committing an SQL Injection (SQLi) attack on the game’s website.
Other games created by BigMage Studios are also potentially vulnerable to the same type of attack, which means that there is a possibility that even more users might be at risk.
The records that can be compromised by exploiting the SQLi vulnerability in Street Mobster potentially include the players’ usernames, email addresses, and passwords, as well as other game-related data that is stored on the database.
Fortunately, after we reported the vulnerability to BigMage Studios, CERT Bulgaria, and the Bulgarian data protection authority, the issue has been fixed by the developers and the user database is no longer accessible to potential attackers.
What is SQL Injection?
First found back in 1998, SQLi is deemed by the Open Web Application Security Project (OWASP) as the number one web application security risk.
Even though this vulnerability is relatively easy to fix, researchers found that 8% of websites and web applications are still vulnerable to SQLi attacks in 2020. Which, from a security perspective, is inexcusable. So much so, in fact, that UK internet service provider TalkTalk was hit with a record £400,000 fine over succumbing to a cyberattack that involved SQLi.
The vulnerability works by injecting an unexpected payload (a piece of code) into the input box on the website or in its URL address. Instead of reading the text as part of the URL, the website’s server reads the attacker’s payload as code and then proceeds to execute the attacker’s command or output data that would otherwise be inaccessible to unauthorized parties. Attackers can exploit SQLi even further by uploading pieces of code or even malware to the vulnerable server.
The fact that Street Mobster is susceptible to SQLi attacks clearly shows the disappointing and dangerous neglect of basic security practices on the part of the developers at BigMage Studios.
How we found this vulnerability
Our security team identified an SQL Injection vulnerability on the Street Mobster website and were able to confirm the vulnerability by performing a simple command injection test on the website URL. The CyberNews team did not extract any data from the vulnerable Street Mobster database.
What’s the impact of the vulnerability?
The data in the vulnerable Street Mobster database can be used in a variety of ways against the players whose information was exposed:
By injecting malicious payloads on Street Mobster’s server, attackers can potentially gain access to said server, where they can install malware on the game’s website and cause harm to the visitors – from using the players’ devices to mine cryptocurrency to redirecting them to other malicious websites, installing malware, and more.
The 1.9 million user credentials stored on the database can net the attackers user email addresses and passwords, which they can potentially use for credential stuffing attacks to hack the players’ accounts on other gaming platforms like Steam or other online services.
Because Street Mobster is a free-to-play game that incorporates microtransactions, bad actors could also make a lot of money from selling hacked player accounts on gray market websites.
What to do if you’ve been affected?
If you have a Street Mobster account, make sure to change your password immediately and make it as complex as possible. If you’ve been using your Street Mobster password on any other websites or services, change that password as well. This will prevent potential attackers from accessing your accounts on these websites in case they try to reuse your password for credential stuffing attacks.
However, it’s ultimately up to BigMage Studios to completely secure your Street Mobster account against attacks like SQLi.
Disclosure and lack of communication from BigMage Studios
Following our vulnerability disclosure guidelines, we notified the BigMage Studios about the leak on August 31, 2020. However, we received no reply. Our follow-up emails were left unanswered as well.
We then reached out to CERT Bulgaria on September 11 in order to help secure the website. CERT contacted the BigMage Studios and informed the company about the misconfiguration.
Throughout the disclosure process, BigMage Studios stayed radio silent and refused to get in touch with CyberNews.com. Due to this reason, we also notified the Bulgarian data protection agency about the incident on October 9 in the hopes that the agency would be able to pressure the company into fixing the issue.
Eventually, however, BigMage Studios appear to have fixed the SLQi vulnerability on streetmobster.com, without informing either CyberNews.com or CERT Bulgaria about that fact.
Powered by WPeMatico
Gaming and Leisure Properties Inc. announced that Debra Martin Chase has been appointed to the Board of Directors as a new independent director, effective immediately, to fill the vacancy created by the previously disclosed passing of JoAnne A. Epps.
The appointment of Ms. Chase to the Board of Directors brings the total number of directors to eight, seven of whom are considered independent according to the listing standards of the Nasdaq Stock Exchange. Ms. Chase has also been appointed as a member of the Nominating and Corporate Governance Committee of the Board of Directors, effective immediately. Ms. Chase will hold her directorship until the Company’s next annual meeting of shareholders or until her successor is duly elected and qualified or until her earlier death, disqualification, resignation, or removal.
Ms. Chase is the founder and Chief Executive Officer of an entertainment production company doing business as Martin Chase Productions. She is a two-time Tony Award winning, a Peabody Award winning, and three-time Emmy nominated television, motion picture, and Broadway producer. Ms. Chase is an entertainment industry trailblazer, being the first female African American producer to have a deal with a major motion picture studio. Her films have grossed over $500 million at the box office. She brings to the Company over 30 years of experience in motion picture and television production as well as a corporate legal background.
Peter Carlino, Chairman and Chief Executive Officer of GLPI, said: “I am delighted to welcome Debra to our Board as we believe her extensive entertainment industry experience, impressive legal background and broad board experience across public companies and the arts will serve GLPI well as we continue to drive growth in shareholder value. She brings a wealth of knowledge to GLPI, which we believe is a perfect complement to the existing strengths of the Board. I am confident that she will help expand the diverse set of viewpoints that ultimately shape our mission.”
Kindred Group plc’s (Kindred) share of revenue from high-risk players showed a slight increase to 3.2% (Q4 2023 3.1%) in the first quarter of 2024. Compared to the first quarter of 2023, the high-risk revenue share decreased marginally. The percentage of detected customers who exhibited improved behaviour after interventions came in at 87.1% (compared to 87.4% in Q4 2023 and 83.0% in Q1 2023). This sustained trajectory in the improvement effect after interventions, observed over an extended period, serves as a testament to the strong dedication and collective efforts throughout the company. It reflects Kindred’s ongoing commitment to fostering positive change within the industry.
“We continue to see our share of revenue from high-risk players fluctuate quarter to quarter, and we are working closely with all teams across the company to support customers towards a more sustainable gambling experience. However, it is encouraging to see that our Journey towards Zero data has steadily decreased since 2020. A similar trend can be seen across the healthier gambling behaviour effect after interventions. This tells us two things: our work is paying off, but we need to continue to push ourselves to propel a sustainable progression,” Alexander Westrell, Director of Communications at Kindred Group, said.
“It was very encouraging to witness the open and transparent discussions at the Sustainable Gambling Conference in London on 20 March, where those with lived experience shared their important stories. Also, it is evident that technology is moving forward, and will provide greater opportunities to detect and intervene in the future. We hope to see more regulators engage with the industry and with experts to secure a more sustainable industry for everyone,” Alexander Westrell added.
The post Kindred’s Share of Revenue from High-risk Players Shows Slight Increase appeared first on European Gaming Industry News.
PENN Entertainment announced that Aaron LaBerge has been named Chief Technology Officer (CTO) effective July 1, 2024, subject to customary regulatory approvals. Mr. LaBerge will report directly to PENN CEO & President Jay Snowden.
In his new role, Mr. LaBerge will be responsible for driving the technology strategy and execution for PENN, while leading the multinational team of technologists and serving as the key business leader for the company’s Interactive division.
Mr. LaBerge spent more than 20 years at The Walt Disney Company, in two stints separated by five and a half years as a technology entrepreneur. He was most recently President & Chief Technology Officer for Disney Entertainment and ESPN where he was responsible for driving all technology and product development in support of The Walt Disney Company’s two media divisions. In that role, he helped set the vision and strategic leadership for how Disney uses technology to enable storytelling and innovation, drive its business, and create unparalleled consumer experiences with entertainment and sports content.
“We are thrilled to have someone of Aaron’s caliber join our PENN executive team. Having overseen a global organization of thousands of engineers, product developers, designers, technologists, and data scientists that created some of the largest scale and most successful media properties in the world, there is no better candidate to lead our Technology and Interactive division into its future. I know Aaron is looking forward to working with Todd George, our head of operations, and our entire Executive Team to continue growing our position as a leader in online gaming, sports betting, and digital sports media,” Mr. Snowden said.
“I’m excited to join another talented team at PENN Interactive and lead our technology strategy. PENN Entertainment is at the forefront of the fast-changing gaming and sports media industry. I plan to use my experience from Disney and ESPN to help make ESPN BET an essential piece of the sports fan experience. Together, we’ll push the limits and redefine how fans interact with sports and gaming,” Mr. LaBerge said.
Prior to his most recent role at the Walt Disney Company, Mr. LaBerge was Executive Vice President and Chief Technology Officer at ESPN from 2015 to 2018. At ESPN he played an instrumental role in the growth of ESPN’s consumer-facing digital media products and services – leading many of ESPN’s most ambitious and challenging projects and helping establish ESPN’s position as the leader in digital sports and innovative sports technology development. He was a key architect in the design, development, and engineering of ESPN’s state-of-the-art facilities in Bristol, CT; Los Angeles, CA; Charlotte, NC; and Austin, TX, as well as data centers and infrastructure that connect those facilities around the world, as well as the technology design and development to support the launch of the multi-platform SEC Network.
Between 2007 and 2012, LaBerge was co-founder and CEO of Fanzter, Inc. – a venture-funded consumer software and digital product development company. At Fanzter, he directed all day-to-day operations and led the development and launch of a variety of consumer-focused internet and mobile products, ground-breaking social and commerce technologies and more.
The post PENN Entertainment Names Aaron LaBerge as Chief Technology Officer appeared first on European Gaming Industry News.
-
Central Europe6 days agoAleatrust Signs Up as Supporting Member of the Austrian Sports Betting Association
-
Latest News6 days ago
Week 16/2024 slot games releases
-
Central Europe6 days ago
Wazdan amplifies Swiss presence with Swiss4Win launch
-
Compliance Updates6 days ago
Elys BMG Group Announces Approval for The Ugly Mug Sportsbook in Washington, DC.
-
Brazil6 days ago
PG Soft Set to Sponsor Key SiGMA Americas Event
-
Amusnet6 days ago
Amusnet Brings Up its Excellence at SiGMA Americas
-
Latest News6 days ago
Bet365 Debuts its Bespoke Live Game Show Super Mega Ultra in Collaboration with Playtech
-
Aviatrix6 days ago
Aviatrix and Vibra Solutions Agree Partnership with Focus on Latin America
