Zero day holes found in popular online games

Powered by SC Magazine
 

Details to be disclosed at BlackHat.

Zero day vulnerabilities have been discovered in popular online games that give attackers access to credit card and user data, researchers claim.

The remote code execution holes were discovered by Italian researchers Luigi Auriemma and Donato Ferrante who operate subscription vulnerability service Revuln. 

Auriemma

Attackers could siphon credit cards from several "big" online multiplayer games where users make in game purchases.

"One of the possible things that can be achieved is for instance installing malware on a remote system and having this system joining a botnet, composed by all the players of the vulnerable games," the researchers told SC.

"Moreover if you think about the free-to-play marketing strategy they usually have a micro-transaction based system, in which players can buy in-game objects by paying via credit cards. So potentially an attacker can be able to steal credit cards information too.

"Most of the remote code execution vulnerabilities may be used to achieve such goals."

The security posture of online multiplayer games was weak, primarily because software companies were focused on making their products feature-rich and enjoyable.

"Companies working in the games market don't like to invest in making their software secure, they are more concerned about people cheating than having their customers compromised by a security vulnerability."

The surfeit of complex features made the platforms vulnerable, notably those written in C/C++ which was prone to security issues including buffer overflows to format string bugs.

Auriemma will detail the holes and name the affected companies at the BlackHat security conference in Europe next year.

He will reveal the holes without informing the vendors, known as full disclosure, stating that gaming vendors were usually unresponsive to tip-offs.

Auriemma revealed scores of bugs affecting SCADA systems, through to televisions under the practise, but had used bug bounty services like the ZDI initiative in reporting severe flaws including the much-hyped RDP vulnerability to Microsoft.

"... Most of the vendors don't seem to care about security issues in their products," they said. 

However Auriemma had developed many free unofficial patches that were later adopted by affected gamers. 

The Revuln duo had revealed flaws in gaming platforms including Steam, Call of Duty and Crysis (pdf).

Copyright © SC Magazine, Australia


Zero day holes found in popular online games
 
 
 
Top Stories
Meet FABACUS, Westpac's first computer
GE225 operators celebrate gold anniversary.
 
NSW Govt gets ready to throw out the floppy disks
[Opinion] Dominic Perrottet says its time for government to catch up.
 
iiNet facing new copyright battle with Hollywood
Fighting to protect customer details.
 
 
Sign up to receive iTnews email bulletins
   FOLLOW US...
Latest Comments
Polls
In which area is your IT shop hiring the most staff?




   |   View results
IT security and risk
  25%
 
Sourcing and strategy
  12%
 
IT infrastructure (servers, storage, networking)
  22%
 
End user computing (desktops, mobiles, apps)
  15%
 
Software development
  26%
TOTAL VOTES: 328

Vote
Would your InfoSec team be prepared to share threat data with the Australian Government?

   |   View results
Yes
  57%
 
No
  43%
TOTAL VOTES: 136

Vote