Gaming is supposed to be fun, but tens of thousands of gamers were left more than a tad disappointed after an extremely popular online gaming site misconfigured the Elasticsearch server it was hosted on.
Showing More Than a Hand
Research outfit WizCase discovered the wide-open server, which provided no encryption of any kind or password protection measures, through a simple online search.
The group traced the trail to VIPGames.com, one of the most popular free online card and board game platforms. The platform has over 100,000 Google Play downloads and around 20,000 active players around the planet each day. It was developed by a Bulgarian company, Casualino JSC, which also runs similar gaming platforms such as VIPSpades.com, VIPBelote.fr, Belot.bg and others.
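The exposure described above, an Elasticsearch node reachable without authentication or encryption, comes down to a handful of settings in elasticsearch.yml. The fragment below is an added illustration, not configuration taken from the site or from WizCase's report; the host address, keystore path and passwords are placeholders.

```yaml
# --- Weak: what an openly reachable node typically looks like (illustrative) ---
# Listening on every interface, so the node answers the whole internet.
network.host: 0.0.0.0
http.port: 9200
# Security features switched off: no login required, every index readable anonymously,
# and the REST API served over plain HTTP.
xpack.security.enabled: false
xpack.security.http.ssl.enabled: false

# --- Hardened: the same node with authentication, TLS and a restricted binding ---
# Bind only to an internal address (placeholder); put a VPN or reverse proxy in front.
network.host: 10.0.0.5          # placeholder internal address
http.port: 9200
# Require authentication on every REST and transport request.
xpack.security.enabled: true
# Encrypt client traffic to the REST API (keystore path is a placeholder).
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: certs/http.p12
# Encrypt node-to-node traffic as well, so the transport port is not a second open door.
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: certs/transport.p12
xpack.security.transport.ssl.truststore.path: certs/transport.p12
```

With the hardened settings in place, an anonymous request to port 9200 receives an HTTP 401 rather than the index listing that exposed the records; keystore passwords are stored in the Elasticsearch keystore, not in this file.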
Gamers looking for simple games of Hearts, Rummy, Dominoes, Crazy Eights and Backgammon may have found much more was being laid on the table than their bets.
Access to All Tables
A total of 30GB of data, including around 23 million records, was exposed by the platform in the snafu. The unprotected data included 66,000 user profiles containing usernames, emails, device details, IP addresses, hashed passwords and social media IDs, as well as details of in-game transactions, bets and banned players.
Determined attackers would not find the hashed passwords impossible to crack, as they were hashed with the Bcrypt algorithm at 10 rounds. Any attacker with time on their hands could crack these and then use the recovered passwords to access other sites and accounts used by the gamer.
No Bluff from a Threat Actor
The outfit pointed out that had a threat actor accessed the data, a plethora of phishing attacks over email or phone could have been crafted to dupe the unsuspecting victims whose data was compromised. This also included potential blackmail scenarios targeting banned site members.
Banned gamers stand to have potentially sensitive details used for blackmail by an attacker who can access their personal profiles, opening them up to extortion or revenge. If a banned visitor's documented ban reason falls into an area such as exhibitionism, an attacker has an avenue to expose them even without seeking a financial payout. As bans are also handed down at moderator discretion, a player's reputation can be harmed even where such an accusation is without merit.
Users of the site have been advised not to reuse older passwords, to use a password manager for future site visits to better keep tabs on their identities, and to be cautious with unsolicited phone calls and emails, neither responding nor providing any information.