Connect with us
Prague Gaming & TECH Summit 2025 (25-26 March)

Industry News

MMO game Street Mobster leaking data of 1.9 million users due to critical vulnerability

Published

on

Reading Time: 3 minutes

Attackers could exploit the SQL Injection flaw to compromise the game’s database and steal user data.

The CyberNews.com Investigation team discovered a critical vulnerability in Street Mobster, a browser-based massively multiplayer online game created by Bulgarian development company BigMage Studios.

Street Mobster is a free to play, browser-based online game in the mafia empire genre where players manage a fictional criminal enterprise. The game boasts a 1.9+ million player base and stores a user record database that can be accessed by threat actors by committing an SQL Injection (SQLi) attack on the game’s website.

Other games created by BigMage Studios are also potentially vulnerable to the same type of attack, which means that there is a possibility that even more users might be at risk.

Advertisement
European Gaming Congress 2024 (Warsaw, Poland)

The records that can be compromised by exploiting the SQLi vulnerability in Street Mobster potentially include the players’ usernames, email addresses, and passwords, as well as other game-related data that is stored on the database.

Fortunately, after we reported the vulnerability to BigMage Studios, CERT Bulgaria, and the Bulgarian data protection authority, the issue has been fixed by the developers and the user database is no longer accessible to potential attackers.

What is SQL Injection?

First found back in 1998, SQLi is deemed by the Open Web Application Security Project (OWASP) as the number one web application security risk.

Even though this vulnerability is relatively easy to fix, researchers found that 8% of websites and web applications are still vulnerable to SQLi attacks in 2020. Which, from a security perspective, is inexcusable. So much so, in fact, that UK internet service provider TalkTalk was hit with a record £400,000 fine over succumbing to a cyberattack that involved SQLi.

Advertisement
European Gaming Congress 2024 (Warsaw, Poland)

The vulnerability works by injecting an unexpected payload (a piece of code) into the input box on the website or in its URL address. Instead of reading the text as part of the URL, the website’s server reads the attacker’s payload as code and then proceeds to execute the attacker’s command or output data that would otherwise be inaccessible to unauthorized parties. Attackers can exploit SQLi even further by uploading pieces of code or even malware to the vulnerable server.

The fact that Street Mobster is susceptible to SQLi attacks clearly shows the disappointing and dangerous neglect of basic security practices on the part of the developers at BigMage Studios.

 

How we found this vulnerability

Our security team identified an SQL Injection vulnerability on the Street Mobster website and were able to confirm the vulnerability by performing a simple command injection test on the website URL. The CyberNews team did not extract any data from the vulnerable Street Mobster database.

Advertisement
European Gaming Congress 2024 (Warsaw, Poland)

What’s the impact of the vulnerability?

The data in the vulnerable Street Mobster database can be used in a variety of ways against the players whose information was exposed:

By injecting malicious payloads on Street Mobster’s server, attackers can potentially gain access to said server, where they can install malware on the game’s website and cause harm to the visitors – from using the players’ devices to mine cryptocurrency to redirecting them to other malicious websites, installing malware, and more.

The 1.9 million user credentials stored on the database can net the attackers user email addresses and passwords, which they can potentially use for credential stuffing attacks to hack the players’ accounts on other gaming platforms like Steam or other online services.

Because Street Mobster is a free-to-play game that incorporates microtransactions, bad actors could also make a lot of money from selling hacked player accounts on gray market websites.

Advertisement
European Gaming Congress 2024 (Warsaw, Poland)

What to do if you’ve been affected?

If you have a Street Mobster account, make sure to change your password immediately and make it as complex as possible. If you’ve been using your Street Mobster password on any other websites or services, change that password as well. This will prevent potential attackers from accessing your accounts on these websites in case they try to reuse your password for credential stuffing attacks.

However, it’s ultimately up to BigMage Studios to completely secure your Street Mobster account against attacks like SQLi.

Disclosure and lack of communication from BigMage Studios

Following our vulnerability disclosure guidelines, we notified the BigMage Studios about the leak on August 31, 2020. However, we received no reply. Our follow-up emails were left unanswered as well.

Advertisement
European Gaming Congress 2024 (Warsaw, Poland)

We then reached out to CERT Bulgaria on September 11 in order to help secure the website. CERT contacted the BigMage Studios and informed the company about the misconfiguration.

Throughout the disclosure process, BigMage Studios stayed radio silent and refused to get in touch with CyberNews.com. Due to this reason, we also notified the Bulgarian data protection agency about the incident on October 9 in the hopes that the agency would be able to pressure the company into fixing the issue.

Eventually, however, BigMage Studios appear to have fixed the SLQi vulnerability on streetmobster.com, without informing either CyberNews.com or CERT Bulgaria about that fact.

 

Source

Advertisement
European Gaming Congress 2024 (Warsaw, Poland)
Continue Reading
Advertisement

Industry News

New KSA Campaign: Get Your Life Back on Track, Take a Gambling Break

Published

on

new-ksa-campaign:-get-your-life-back-on-track,-take-a-gambling-break
Reading Time: < 1 minute

 

The Dutch Gaming Authority (KSA) launched a new awareness campaign to draw attention to the gambling stop. With the campaign “Pick up your life again, take a gambling stop,” KSA is aiming to increase attention to the risks of gambling and make the Cruks register more well-known.

Insights

The campaign is a follow-up to the pilot campaign from 2023. This pilot yielded many valuable insights, for example that more people are attracted to the word gambling stop. This name is therefore used in the new campaign.

Advertisement
European Gaming Congress 2024 (Warsaw, Poland)

Positive effect

The campaign focuses primarily on young adults who (possibly) no longer have their gambling under control. That is one of the reasons why the campaign is largely running via social media instead of traditional (mass) media. The focus is on the positive effect that a gambling stop has on the life of a person with gambling problems. The powerful moments of young people who pick up their lives again can be seen in online videos, social ads and social posts (Google, YouTube, Meta and Snapchat).

The post New KSA Campaign: Get Your Life Back on Track, Take a Gambling Break appeared first on European Gaming Industry News.

Continue Reading

Industry News

EGBA: Record Participation As European Safer Gambling Week Expands to 26 Countries

Published

on

egba:-record-participation-as-european-safer-gambling-week-expands-to-26-countries
Reading Time: 2 minutes

 

The European Gaming and Betting Association (EGBA) announced record-breaking results from its fourth annual European Safer Gambling Week, held 18-24 November. The initiative – which included a social media campaign and events programme – demonstrated the broader European sector’s strengthening commitment to safer gambling through new levels of participation and expanded geographic reach.

The campaign saw record engagement with 195 partners actively participating – a 20% increase from 2023. Eight national gambling authorities participated, more than double the previous year, by either joining the social media campaign or speaking at the various events.

The campaign’s reach also expanded significantly to 26 countries – a 30% increase from 2023 – with partners in Croatia, Serbia, Slovakia and Ukraine joining for the first time, reflecting the growing pan-European dimension of the campaign. This was helped by social media graphics being made available in the local languages of 27 countries.

Advertisement
European Gaming Congress 2024 (Warsaw, Poland)

The social media campaign reached 3.1 million users across Facebook, Instagram, LinkedIn and X platforms, generating 1169 social media posts – a 67% increase from the previous year.

A cornerstone of this year’s campaign was its comprehensive events programme, featuring 20 specialised events – an 11% increase from 2023. The events attracted record participation with 4500 registrations and 3000 attendees. Key discussions explored trends in AI, problem gambling prevalence reporting and innovations in safer gambling tools and messaging. The events featured 105 speakers, including senior representatives from gambling authorities in Belgium, Denmark, France and the UK.

The initiative builds on EGBA members’ year-round commitment to safer gambling, which in 2023 resulted in 67 million safety messages sent to their European customers. This dedicated week amplifies these ongoing efforts while encouraging greater collaboration between operators, regulators and harm prevention organisations.

“The success of this year’s edition reflects the sector’s deepening commitment to player protection. The significant increase in participation, especially from health organisations and regulatory authorities, demonstrates the common purpose and growing unity in our approach to safer gambling. Through this collaboration, we’ve reached a record number of Europeans with crucial safety messages during the campaign. Together, we’re making gambling safer and we already look forward to building on this success in next year’s edition,” said Maarten Haijer, Secretary General of EGBA.

The post EGBA: Record Participation As European Safer Gambling Week Expands to 26 Countries appeared first on European Gaming Industry News.

Advertisement
European Gaming Congress 2024 (Warsaw, Poland)
Continue Reading

Industry News

CT Gaming to Participate in ICE Barcelona 2025

Published

on

ct-gaming-to-participate-in-ice-barcelona-2025
Reading Time: 2 minutes

 

CT Gaming is going to participate in ICE Barcelona 2025, which will take place from 20 to 22 Jan 2025.

“It is always a pleasure to kick off the year at ICE. This year is particularly special as we explore a new location, which we anticipate will bring fresh connections and exciting opportunities,” said Biser Bozhanov, Director of Business Development and Strategies at CT Gaming.

Positioned at stand #3C56, CT Gaming will present an impressive lineup of its signature products alongside exciting new additions, including the multigame Diamond King 4.

Advertisement
European Gaming Congress 2024 (Warsaw, Poland)

“We are eager to showcase our latest offerings and engage with clients, colleagues, and industry professionals to gather their valuable feedback. This year’s selection is a strong testament to CT Gaming’s enduring legacy and commitment to excellence,” added Bozhanov.

Among the products displayed at stand #3C56 will be the slot cabinet NEXT, known for its ultimate comfort and functionality. This cabinet comes with 27″ or 32″ high-definition screens, an optional premium stand, a USB phone charger, a bill validator with a stacker and an enlarged CMS panel for seamless operation. Other representatives from the slot cabinet family are EZ Modulo 32/32/32 and EZ Tower. Both of these cabinets combine sleek designs with advanced technology set to deliver an unparalleled gaming experience.

Alongside the slot cabinets, the company will showcase its staple multigame titles, such as Diamond King 3, Mermaid’s Quest, Tower Link and the newest addition to the multigame portfolio – Diamond King 4. With 40 exciting games, 20 of which are linked to a progressive jackpot, the multigame takes player engagement to new heights. Unlike previous versions, players can now win any of the three jackpot levels directly from the base game, while the cascading white and pink diamonds promise thrilling rewards at every turn. Designed with the next generation of players in mind, Diamond King 4 features enhanced graphics, modern themes and an immersive experience that’s perfectly in sync with today’s gaming landscape. The newly conceptualized linked progressive jackpot, Diamond Tree Deluxe, presents an elevated reward experience with its upgraded features.

Last but not least, CT Gaming will unveil the latest updates to its Casino Management System – Rhino, designed to enhance operator functionality and player engagement.

The post CT Gaming to Participate in ICE Barcelona 2025 appeared first on European Gaming Industry News.

Advertisement
European Gaming Congress 2024 (Warsaw, Poland)
Continue Reading

Trending