WizCase discovered an unsecured ElasticSearch server owned by AMT Games that leaked user profiles, feedback messages, and transactions.
The researcher found that the information stored in the ElasticSearch server was neither access-controlled nor encrypted: the server was not protected by a password, even though AMT Games used it to store personal information and payment history for more than 6 million Battle for the Galaxy players.
AMT Games Ltd is a Chinese developer of well-known browser-based and mobile games. The firm develops Android mobile games, iPhone applications, Steam titles, and web browser games.
Some of the popular games developed by AMT Games are Heroes of the War: WW2 Idle RPG, Battle for the Galaxy, Trench Assault, and Epic War TD2.
According to the research, the ElasticSearch server stored 5.9 million player profiles, 587,000 feedback messages, and 2 million transactions, including details such as the item purchased, its price, the payment provider, and the time of purchase; in some cases the server also stored the buyer's IP address.
Players' usernames, IDs, countries, and total money spent were also stored on the server. For players who logged in through social profiles such as Facebook, Apple, or Google, the linked account data was stored on the server as well.
If accessed by hackers or malicious actors, the leaked data could lead to serious cyber fraud and enable phishing campaigns that target gamers. In the worst case, attackers could obtain gamers' sensitive bank details.
WizCase commented, “The email addresses and specific details of user issues with the service such as in transactions and developer messages could allow bad actors to pose as game support and direct users to malicious websites where their credit card details can be stolen.”
“With data on how much money has been spent per account, these conmen could target the highest-paying users, many of whom are children judging by their game history, time spent in the game, circle of friends in-game, etc. and have an even higher chance of success than they would otherwise. With these emails, competing games could attempt to migrate or target users with advertising and email campaigns.”
Tim Mackey, Principal Security Strategist at the Synopsys CyRC, said the leak is yet another example of the risk a company runs by storing large volumes of data in an unsecured database. Several potential solutions could prevent such incidents, but the simplest is to define an exception-based update model for configuration settings.
He commented, “Under this model, an audit level review of configuration data is performed to create a set of approved configuration settings and files. Any update to those previously approved settings then requires that same audit level review for the changes, and the current configuration is always validated against approved settings.”
“While there are several technologies that can be used to implement exception-based updates, this is a case where a well-defined process with automated checks is far more valuable than the technology implementing the process.”
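The exception-based model Mackey describes, an audit-approved set of settings against which the running configuration is continuously validated, is easy to automate. The following Python script is an added illustration written for this article, not code from WizCase, Synopsys or AMT Games. It assumes a hypothetical approved baseline for an Elasticsearch node and validates a constructed sample of a flat elasticsearch.yml against it; any setting that deviates from, is missing from, or is absent in the approved set is reported as an exception that needs the same review the baseline received.

```python
"""Exception-based configuration check (added example, hypothetical baseline).

The running node's config is compared against an audit-approved baseline.
Anything not explicitly approved is a finding: a mismatched value, a missing
required setting, or a setting nobody signed off on.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional

# Hypothetical approved baseline: the settings an audit review signed off on.
APPROVED_SETTINGS = {
    "xpack.security.enabled": "true",
    "xpack.security.http.ssl.enabled": "true",
    "network.host": "127.0.0.1",
    "http.port": "9200",
}

# Constructed sample of a node's elasticsearch.yml in the flat "dotted.key: value"
# style; it deliberately shows an exposed, unauthenticated setup.
SAMPLE_CONFIG = """\
# elasticsearch.yml (constructed sample, not from the incident)
cluster.name: games-analytics
xpack.security.enabled: false
network.host: 0.0.0.0
http.port: 9200
"""


@dataclass(frozen=True)
class Finding:
    key: str
    expected: Optional[str]  # None when the key is not in the approved set
    actual: Optional[str]    # None when the key is missing from the running config
    kind: str                # "mismatch", "missing" or "unapproved"


def parse_flat_yaml(text: str) -> dict[str, str]:
    """Parse flat 'key: value' lines, ignoring comments and blank lines.

    Nested YAML blocks are out of scope for this example; a real deployment
    would load the file with a YAML library and flatten it to dotted keys.
    """
    settings: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if ":" not in line:
            raise ValueError(f"unrecognised line: {raw!r}")
        key, value = line.split(":", 1)
        settings[key.strip()] = value.strip()
    return settings


def validate_config(current: dict[str, str], approved: dict[str, str]) -> list[Finding]:
    """Return every deviation from the approved baseline.

    Exception-based means the approved set is the only thing allowed: missing
    or changed approved settings and any extra, unreviewed settings are all
    reported rather than silently accepted.
    """
    findings: list[Finding] = []
    for key, expected in approved.items():
        actual = current.get(key)
        if actual is None:
            findings.append(Finding(key, expected, None, "missing"))
        elif actual != expected:
            findings.append(Finding(key, expected, actual, "mismatch"))
    for key, actual in current.items():
        if key not in approved:
            findings.append(Finding(key, None, actual, "unapproved"))
    return findings


def config_is_approved(text: str, approved: dict[str, str] = APPROVED_SETTINGS) -> bool:
    """True only when the config matches the baseline with no exceptions."""
    return not validate_config(parse_flat_yaml(text), approved)


if __name__ == "__main__":
    # Prints the four exceptions in the constructed sample: security disabled,
    # TLS setting missing, node bound to all interfaces, unreviewed cluster name.
    for f in validate_config(parse_flat_yaml(SAMPLE_CONFIG), APPROVED_SETTINGS):
        print(f"{f.kind:10} {f.key}: expected={f.expected!r} actual={f.actual!r}")
```

Run as a pre-deployment gate or a scheduled job, a non-empty finding list blocks the change or raises an alert, which is the "automated check" part of the process; the baseline itself only changes through the same audit-level review that created it.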
Trevor Morgan, product manager at comforte AG, commented that online gamers should exercise caution before sharing personal information on an online gaming site.
He adds, “The linkages that users set up—often using their social media account credentials to create gaming accounts and profiles—capture a much larger swath of usable information for threat actors, enabling the targeting of users who spend larger amounts of money on the game. Gamers need to be aware of the types of data they are giving to the game directly or through linking accounts, and they need to hold game developers and hosting companies accountable for protecting it.”
“On the other side of that coin, gaming organizations need to take data privacy much more seriously, building into their data infrastructures more than just the bare minimum level of security. Given that they collect potentially valuable data from users, their strategy should be data-centric, with an assumption that threat actors might try to get to this cache of information.”