/>
X

Chinese developers expose data belonging to Android gamers

In the end, Hong Kong CERT was contacted in an attempt to resolve the security issue.
charlie-osborne.jpg
Written by Charlie Osborne, Contributor on

The Chinese developers of popular Android gaming apps exposed information belonging to users through an unsecured server.

In a report shared with ZDNet, vpnMentor's cybersecurity team, led by Noam Rotem and Ran Locar, revealed EskyFun as the owner of a 134GB server exposed and made public online.

EskyFun is the developer of Android games including Rainbow Story: Fantasy MMORPG, Adventure Story, The Legend of the Three Kingdoms, and Metamorph M.

On Thursday, the team said that users of the following games were involved in the data leak: Rainbow Story: Fantasy MMORPG, Metamorph M, and Dynasty Heroes: Legends of Samkok. Together, they account for over 1.6 million downloads.  

In total, the team said that an alleged 365,630,387 records contained data from June 2021 onward, leaking user data collected on a seven-day rolling system.

The team says that the developers impose "aggressive and deeply troubling tracking, analytics, and permissions settings" when their software is downloaded and installed, and as a result, the variety of data collected was, perhaps, far more than you would expect mobile games to require. 

The records included IP and IMEI numbers, device information, phone numbers, the OS in use, mobile device event logs, whether or not a handset was rooted; game purchase and transaction reports, email addresses, EskyFun account passwords stored in plaintext, and support requests, among other data. 

screenshot-2021-08-26-at-11-10-25.png
vpnMentor

vpnMentor suspects that up to, or more than, one million users may have had their information exposed. 

The unsecured server was discovered on July 5 and EskyFun was contacted two days later. However, after receiving no response, vpnMentor made a second attempt on July 27. 

Continued silence required the team to also reach out to Hong Kong CERT and the server was secured on July 28. 

"Much of this data was incredibly sensitive, and there was no need for a video game company to be keeping such detailed files on its users," the researchers commented. "Furthermore, by not securing the data, EskyFun potentially exposed over one million people to fraud, hacking, and much worse."

ZDNet has reached out to EskyFun and we will update when we hear back.

Previous and related coverage


Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0


Related

OpenAI spent $160,000 on Upwork for Minecraft gamers to train a neural net
minecraft-hero.png

OpenAI spent $160,000 on Upwork for Minecraft gamers to train a neural net

AI & Robotics
How to merge duplicate contacts in Android
The Contacts app in the Android App Drawer.

How to merge duplicate contacts in Android

Android
Google looks to reduce pushback bias in developers' software code review
close up programmer man hand typing on keyboard at computer desktop for input coding language to software for fix bug and defect of system in operation room , technology concept

Google looks to reduce pushback bias in developers' software code review

Developer