MMO game Street Mobster leaking data of 1.9 million users due to critical vulnerability

Attackers could exploit the SQL Injection flaw to compromise the game’s database and steal user data.

The CyberNews.com Investigation team discovered a critical vulnerability in Street Mobster, a browser-based massively multiplayer online game created by Bulgarian development company BigMage Studios.

Street Mobster is a free-to-play, browser-based online game in the mafia empire genre where players manage a fictional criminal enterprise. The game boasts a player base of more than 1.9 million and stores a user record database that threat actors can access by carrying out an SQL Injection (SQLi) attack on the game’s website.

Other games created by BigMage Studios are also potentially vulnerable to the same type of attack, which means that there is a possibility that even more users might be at risk.

The records that can be compromised by exploiting the SQLi vulnerability in Street Mobster potentially include the players’ usernames, email addresses, and passwords, as well as other game-related data that is stored on the database.

Fortunately, after we reported the vulnerability to BigMage Studios, CERT Bulgaria, and the Bulgarian data protection authority, the issue has been fixed by the developers and the user database is no longer accessible to potential attackers.

What is SQL Injection?

First found back in 1998, SQLi is deemed by the Open Web Application Security Project (OWASP) as the number one web application security risk.

Even though this vulnerability is relatively easy to fix, researchers found that 8% of websites and web applications were still vulnerable to SQLi attacks in 2020. From a security perspective, that is inexcusable: UK internet service provider TalkTalk was hit with a record £400,000 fine after succumbing to a cyberattack that involved SQLi.

The attack works by injecting an unexpected payload (a piece of code) into an input box on the website or into its URL. Instead of treating the text as data, the website’s server reads the attacker’s payload as code and then proceeds to execute the attacker’s command or output data that would otherwise be inaccessible to unauthorized parties. Attackers can exploit SQLi even further by uploading pieces of code or even malware to the vulnerable server.
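How the mechanism described above plays out in code, as an added example that is not from the article or from BigMage Studios' code base: a constructed in-memory table and a hypothetical `profile?id=` URL parameter (both assumptions) are queried first by string concatenation and then with a validated, bound parameter.

```python
import sqlite3
from urllib.parse import urlsplit, parse_qs

def make_db():
    """Constructed in-memory table standing in for a game's user records."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE players (id INTEGER PRIMARY KEY, username TEXT, email TEXT)")
    db.executemany(
        "INSERT INTO players VALUES (?, ?, ?)",
        [(1, "alice", "alice@example.test"),
         (2, "bob", "bob@example.test"),
         (3, "carol", "carol@example.test")],
    )
    return db

def player_id_from_url(url):
    """Return the raw, URL-decoded `id` query parameter of a request URL."""
    return parse_qs(urlsplit(url).query).get("id", [""])[0]

def lookup_vulnerable(db, url):
    # BAD: the URL text is pasted into the SQL string, so the database
    # parses whatever the visitor typed as part of the statement.
    raw = player_id_from_url(url)
    sql = "SELECT username, email FROM players WHERE id = " + raw
    return db.execute(sql).fetchall()

def lookup_hardened(db, url):
    # GOOD: check the expected type first, then bind the value through a
    # placeholder so the driver only ever passes it to the engine as data.
    raw = player_id_from_url(url)
    if not (raw.isascii() and raw.isdigit()):
        return []
    return db.execute(
        "SELECT username, email FROM players WHERE id = ?", (int(raw),)
    ).fetchall()

# Constructed requests: one normal, one carrying a textbook tautology.
NORMAL = "https://game.example.test/profile?id=2"
INJECTED = "https://game.example.test/profile?id=2%20OR%201%3D1"

if __name__ == "__main__":
    db = make_db()
    print("vulnerable, normal  :", lookup_vulnerable(db, NORMAL))
    print("vulnerable, injected:", lookup_vulnerable(db, INJECTED))
    print("hardened, injected  :", lookup_hardened(db, INJECTED))
```

With the concatenated query the injected request returns every row in the table; with the bound parameter the same request returns nothing.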

The fact that Street Mobster is susceptible to SQLi attacks clearly shows the disappointing and dangerous neglect of basic security practices on the part of the developers at BigMage Studios.

How we found this vulnerability

Our security team identified an SQL Injection vulnerability on the Street Mobster website and were able to confirm the vulnerability by performing a simple command injection test on the website URL. The CyberNews team did not extract any data from the vulnerable Street Mobster database.

What’s the impact of the vulnerability?

The data in the vulnerable Street Mobster database can be used in a variety of ways against the players whose information was exposed:

  • By injecting malicious payloads on Street Mobster’s server, attackers can potentially gain access to said server, where they can install malware on the game’s website and cause harm to the visitors – from using the players’ devices to mine cryptocurrency to redirecting them to other malicious websites, installing malware, and more.
  • The 1.9 million user credentials stored on the database can net the attackers user email addresses and passwords, which they can potentially use for credential stuffing attacks to hack the players’ accounts on other gaming platforms like Steam or other online services.
  • Because Street Mobster is a free-to-play game that incorporates microtransactions, bad actors could also make a lot of money from selling hacked player accounts on gray market websites.

What to do if you’ve been affected?

If you have a Street Mobster account, make sure to change your password immediately and make it as complex as possible. If you’ve been using your Street Mobster password on any other websites or services, change that password as well. This will prevent potential attackers from accessing your accounts on these websites in case they try to reuse your password for credential stuffing attacks.

However, it’s ultimately up to BigMage Studios to completely secure your Street Mobster account against attacks like SQLi.

Disclosure and lack of communication from BigMage Studios

Following our vulnerability disclosure guidelines, we notified BigMage Studios about the leak on August 31, 2020. However, we received no reply. Our follow-up emails were left unanswered as well.

We then reached out to CERT Bulgaria on September 11 in order to help secure the website. CERT contacted BigMage Studios and informed the company about the misconfiguration.

Throughout the disclosure process, BigMage Studios stayed radio silent and refused to get in touch with CyberNews.com. For this reason, we also notified the Bulgarian data protection agency about the incident on October 9 in the hopes that the agency would be able to pressure the company into fixing the issue.

Eventually, however, BigMage Studios appears to have fixed the SQLi vulnerability on streetmobster.com, without informing either CyberNews.com or CERT Bulgaria about that fact.

CogniPlay Launches New Social Casino Platform

CogniPlay has launched its new software product, which aims to provide a robust online sweepstakes or social gaming platform to its clients. The system is designed to be modular, allowing customers to tailor their brand and offering to what they believe will give them optimal performance.

The CogniPlay system has several key integrations which help to deliver the product, including games integrations with the likes of Pragmatic Play, BetSoft, Mascot Gaming and many more, giving clients access to hundreds of games. There are other integration options for customers to pick from too, including affiliate programme software, CRM platforms and associated products, KYC, ID verification, Geo-IP systems, gamification and customer support.

They also have a very long and extensive development pipeline which will see the product offering develop at pace, giving clients an extensive list of options and USPs, and of course giving players a great user experience as a result.

In addition to the platform itself, the CogniPlay team draws on its considerable experience to offer a whole host of managed services, a menu from which clients can choose to fill any gaps in their own skill sets or experience.

CogniPlay’s Chief Executive Officer Allan Turner said: “We are very proud to take the CogniPlay product to market and are excited that people who want to start a new social or sweeps brand can get in touch with us to see what we can do for them, or in fact established brands that are unhappy with their existing provider.

“Our underlying principles are that we want to provide the most flexible platform in the space, to enable our clients to create the product they want to have, not for us to dictate the product to them. The two other main areas of focus are that we want to be the most future-proof product on the market with plans for any regulatory or legal changes that may arise in the future, and that we have all the right safeguards in place to ensure that we look after both our clients and players with our responsible gaming setup. This of course means having the right tech and processes in the key areas of KYC, Geo-IP tech, anti-money laundering, fraud, risk assessment and ID verification.”

The post CogniPlay Launches New Social Casino Platform appeared first on European Gaming Industry News.

The Mirage Hotel & Casino to Begin Transformation into Hard Rock Las Vegas on July 17, 2024

Hard Rock International (HRI) announced its plans to cease operations of The Mirage Hotel & Casino as of July 17, 2024, to begin the transformation of the property into the highly anticipated Hard Rock Hotel & Casino and Guitar Hotel Las Vegas (HRHCLV).

Hard Rock will develop a new integrated resort featuring a nearly 700 ft. guitar-shaped hotel towering prominently in the center of the famous Las Vegas Strip.

“We’d like to thank the Las Vegas community and team members for warmly welcoming Hard Rock after enjoying 34 years at The Mirage. We’d also like to thank the Unions, community leaders, local and state government organizations and the Gaming Commission for their support and fair negotiations over the past year. Also, we are grateful to MGM for assisting with our transition,” Jim Allen, Chairman of Hard Rock International, said.

“While we pause for the incredible transformation of this iconic property, I’d like to thank all team members at The Mirage for their incredible commitment and helping us provide memorable experiences for our guests. We are planning to host collaborative hiring events with other employers in the Las Vegas community over the coming months. Connecting the thousands of talented Mirage team members who provide outstanding service with new employment opportunities is a top priority,” Joe Lupo, President of The Mirage, said.

HRHCLV is expected to double the current number of jobs at The Mirage for the Las Vegas community, while the renovation of the property will generate over 2500 construction jobs. Hard Rock will pay approximately $80 million in severance packages for eligible union and non-union employees remaining with the property through cessation of operations.

IGT Reports First Quarter 2024 Results

International Game Technology PLC has reported financial results for the first quarter ended March 31, 2024.

“Innovative game, hardware, and systems solutions drove better-than-expected Global Lottery and Gaming & Digital performance in the first quarter. As a result, we are upgrading our full-year 2024 revenue and profit goals, which reflect broad-based momentum across key performance indicators in the balance of the year. We continue to make progress on separating Global Lottery from Gaming & Digital and preparing for the proposed transaction with Everi,” Vince Sadusky, CEO of IGT, said.

Key Highlights:

  • Announced Gaming & Digital business to be spun off and combined with Everi Holdings Inc.; transaction expected to close in late 2024/early 2025
  • Recognised with top honours at ICE London 2024 awards programmes including “Lottery Product of the Year” and “Best Diversity and Inclusion Employer”
  • Received a supply contract extension from the UK National Lottery
  • Executed licensing agreement with the Maryland Lottery for IGT’s patented Cash Pop draw-based game
  • Mystery of the Lamp named “Top Performing New Premium Game” at 2024 EKG Slot Awards Show
  • Awarded contract to provide PeakDual 27 video lottery terminals across Quebec
  • Launched iGaming content in Rhode Island
  • Achieved AAA MSCI ESG rating, the highest rating possible, and earned a gold medal sustainability rating from EcoVadis.

“We delivered a record organic profit performance in the first quarter, if we exclude Separation & divestiture costs. The Company is operating from a position of strength with historically low net debt leverage, ample liquidity, and manageable near-term debt maturities,” Max Chiara, CFO of IGT, said.

The post IGT Reports First Quarter 2024 Results appeared first on European Gaming Industry News.

Copyright © 2015 - 2024 - Recent Slot Releases is part of HIPTHER Agency. Registered in Romania under Proshirt SRL, Company number: 2134306, EU VAT ID: RO21343605. Office address: Blvd. 1 Decembrie 1918 nr.5, Targu Mures, Romania