Security researchers at WizCase discovered an unsecured ElasticSearch server owned by AMT Games that exposed user profiles, transactions and feedback messages.
The researchers discovered that data stored in the ElasticSearch server was not encrypted, nor was the server secured with a password, even though AMT Games used the server to store profile information, payment history, and feedback messages of millions of Battle for the Galaxy players.
AMT Games Ltd. is a China-based developer of popular mobile and browser-based online games, developing gaming apps for Android, iPhone, Steam, and web browsers. Some of the popular games developed by the company include Battle for the Galaxy, Heroes of War: WW2 Idle RPG, Epic War TD2, and Trench Assault.
According to the researchers, the unsecured ElasticSearch server contained 5.9 million player profiles, 2 million transactions, 587,000 feedback messages, and transaction data such as price, item purchased, time of purchase, payment provider, and in some cases the IP address of the buyer.
The server was also found storing player profile data such as player IDs, usernames, country, total money spent on the game, as well as Facebook, Apple, and Google account data if the user had linked any of those accounts with their game account. The exposed data, if accessed by malicious actors, could enable them to conduct spear-phishing campaigns to target online gamers and dupe them into sharing their credit card information.
“The email addresses and specific details of user issues with the service such as in transactions and developer messages could allow bad actors to pose as game support and direct users to malicious websites where their credit card details can be stolen,” WizCase warned.
“With data on how much money has been spent per account, these conmen could target the highest-paying users, many of whom are children judging by their game history, time spent in game, circle of friends in-game, etc. and have an even higher chance of success than they would otherwise. With these emails, competing games could attempt to migrate or target users with advertising and email campaigns.”
Commenting on the exposure of yet another instance of a company storing vast amounts of data in an unsecured database, Tim Mackey, principal security strategist at the Synopsys CyRC, said that with the prevalence of misconfigured databases, it’s clear that some teams lack the ability to confirm they are using a secure configuration for their production systems. There are a number of potential remedies, but one of the simplest is to define an exception-based update model for configuration settings.
“Under this model, an audit level review of configuration data is performed to create a set of approved configuration settings and files. Any update to those previously approved settings then requires that same audit level review for the changes, and current configuration is always validated against approved settings.
“While there are a number of technologies that can be used to implement exception based updates, this is a case where a well defined process with automated checks is far more valuable than the technology implementing the process,” he added.
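As an illustration of the automated check Mackey describes, the following added example (not code from WizCase, Synopsys or AMT Games) compares a current configuration against an approved baseline and reports every deviation as an exception needing review. The setting names are real Elasticsearch settings; the values, both sample files and the function names are constructed for this example.

```python
# Added example: report drift between approved and current settings.
# Both sample configurations below are constructed for illustration.
APPROVED = """\
network.host: 10.0.0.5
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
xpack.security.transport.ssl.enabled: true
"""

CURRENT = """\
# constructed sample of a drifted elasticsearch.yml
network.host: 0.0.0.0
xpack.security.enabled: false
xpack.security.transport.ssl.enabled: true
http.cors.enabled: true
"""


def parse_flat_yaml(text):
    """Parse flat 'dotted.key: value' lines; skips blanks and comments."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"unparseable line: {raw!r}")
        settings[key.strip()] = value.strip().strip("\"'").lower()
    return settings


def find_exceptions(approved, current):
    """Return (kind, key, approved_value, current_value), sorted by key."""
    findings = []
    for key in sorted(set(approved) | set(current)):
        want, have = approved.get(key), current.get(key)
        if want == have:
            continue
        kind = ("missing" if have is None
                else "unapproved" if want is None else "changed")
        findings.append((kind, key, want, have))
    return findings


if __name__ == "__main__":
    for kind, key, want, have in find_exceptions(
            parse_flat_yaml(APPROVED), parse_flat_yaml(CURRENT)):
        print(f"{kind.upper():10} {key}: approved={want!r} current={have!r}")
```

Run on a schedule or as a deployment gate, a non-empty result means the live configuration no longer matches what was reviewed, including settings that were silently dropped or added.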
According to Trevor Morgan, product manager at comforte AG, online gamers should practice caution when sharing their personal data with game developers, as any breach, cyber attack, or data leak can result in their data falling into the hands of malicious actors.
“The linkages that users set up—often using their social media account credentials to create gaming accounts and profiles—capture a much larger swath of usable information for threat actors, enabling the targeting of users who spend larger amounts of money on the game. Gamers need to be aware of the types of data they are giving to the game directly or through linking accounts, and they need to hold game developers and hosting companies accountable for protecting it.
“On the other side of that coin, gaming organizations need to take data privacy much more seriously, building into their data infrastructures more than just the bare minimum level of security. Given that they collect potentially valuable data from users, their strategy should be data-centric, with an assumption that threat actors might try to get to this cache of information,” he says.