Jamf Threat Labs uncovers mobile app game leaking player credentials

Jamf Threat Labs reveals a major credential leak in World of Warships Blitz. Read on to learn more.

November 5, 2025 by Jamf Threat Labs

Author: Michal Rajčan

World of Warships Blitz is an online, multiplayer mobile app game in which users take control of different warships from the early- to mid-20th century. Players can customize and improve their fleet with points earned during gameplay and with in-app purchases. The Android version has more than 150,000 active users and 10 million app downloads.

Earlier this year, the Jamf Threat Labs team found that Wargaming’s mobile app game, World of Warships Blitz, was leaking player credentials. Both the Android and iOS versions were affected by this issue, but we have found no other game from the developer leaking any kind of data.

What did Jamf Threat Labs find?

Jamf Threat Labs observed and confirmed that the app leaks credentials via unencrypted communication to one specific domain during the login and registration phase. All other communication takes place over an encrypted channel and therefore does not leak any data.

The data leaked across several requests includes:

  • Obfuscated user login

  • Obfuscated password

  • Session cookie

  • IP address of the user

  • Device HW specification

  • JWT token (leaks Base64 encoded user login email)

  • Authentication token

  • Wargaming ID

  • Hardware ID

  • Remember me token

  • User nickname
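The detection side of this finding is worth making concrete. The following is an added example, not code from Jamf Threat Labs or from the game: it parses captured HTTP requests and flags any that travel in cleartext while carrying credential-like headers or form fields, or a JWT whose payload exposes an email address. The hostnames, the session cookie, the form fields and the JWT in `SAMPLE_CAPTURES` are all constructed sample data, and the sensitive-key lists are an assumption about what a monitoring rule would look for.

```python
"""Flag plaintext HTTP requests that carry credential-like material (added example)."""
import base64
import json
import re
from urllib.parse import parse_qs

# Compact JWTs start with the base64url encoding of '{"' ("eyJ").
JWT_RE = re.compile(r"eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*")
# Assumed substrings that mark a form field or header as credential-bearing.
SENSITIVE_KEYS = ("password", "passwd", "pwd", "login", "token", "session", "cookie", "remember")
SENSITIVE_HEADERS = ("cookie", "authorization", "x-auth-token")


def b64url_decode(segment: str) -> bytes:
    segment += "=" * (-len(segment) % 4)  # JWT segments drop the padding
    return base64.urlsafe_b64decode(segment)


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_unsigned_jwt(payload: dict) -> str:
    # Only used to build constructed sample data; the signature is a placeholder.
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(payload).encode())
    return f"{header}.{body}.placeholder"


def parse_request(raw: str):
    """Split a raw HTTP/1.1 request into (method, target, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _ = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers, body


def jwt_emails(text: str) -> list[str]:
    """Return email-like strings found in the payload of any JWT in `text`."""
    emails = []
    for token in JWT_RE.findall(text):
        try:
            payload = json.loads(b64url_decode(token.split(".")[1]))
        except ValueError:  # covers binascii.Error and JSONDecodeError
            continue
        for value in payload.values():
            if isinstance(value, str) and "@" in value:
                emails.append(value)
    return emails


def audit_capture(scheme: str, host: str, raw: str) -> list[str]:
    """Return findings for one captured request; empty list if nothing to report."""
    if scheme != "http":
        return []  # TLS-protected: content is not exposed on the wire
    method, target, headers, body = parse_request(raw)
    findings = []
    for name in headers:
        if name in SENSITIVE_HEADERS:
            findings.append(f"{method} {target}: header '{name}' sent in cleartext")
    for key in parse_qs(body, keep_blank_values=True):
        if any(s in key.lower() for s in SENSITIVE_KEYS):
            findings.append(f"{method} {target}: body field '{key}' sent in cleartext")
    for email in jwt_emails(raw):
        findings.append(f"{method} {target}: JWT payload exposes email {email}")
    return findings


def audit_all(captures) -> dict[str, list[str]]:
    """Group findings by host so a rule can alert per destination."""
    report: dict[str, list[str]] = {}
    for scheme, host, raw in captures:
        hits = audit_capture(scheme, host, raw)
        if hits:
            report.setdefault(host, []).extend(hits)
    return report


# Constructed sample captures (scheme, host, raw request); not real traffic.
SAMPLE_JWT = make_unsigned_jwt({"sub": "wg-0001", "email": "player@example.invalid"})
SAMPLE_CAPTURES = [
    ("http", "auth.example.invalid",
     "POST /login HTTP/1.1\r\nHost: auth.example.invalid\r\nCookie: session=abc123\r\n"
     "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
     "login=dXNlcg%3D%3D&password=c2VjcmV0&remember_me_token=rm-42&nickname=Captain"),
    ("http", "auth.example.invalid",
     "GET /profile HTTP/1.1\r\nHost: auth.example.invalid\r\n"
     f"Authorization: Bearer {SAMPLE_JWT}\r\n\r\n"),
    ("https", "api.example.invalid",  # same secrets, but encrypted in transit
     "POST /login HTTP/1.1\r\nHost: api.example.invalid\r\n\r\nlogin=u&password=p"),
    ("http", "cdn.example.invalid",  # cleartext, but nothing sensitive
     "GET /assets/ship.png HTTP/1.1\r\nHost: cdn.example.invalid\r\n\r\n"),
]

if __name__ == "__main__":
    for host, hits in audit_all(SAMPLE_CAPTURES).items():
        print(host)
        for hit in hits:
            print("  ", hit)
```

Note that obfuscated or base64-encoded field values are flagged just the same: the rule keys on the transport and on the field names, because, as the post explains, encoding that the attacker does not need to reverse offers no protection against replay.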

Some effort was made to protect user data from compromise, since it is not sent in clear form, but that effort is short lived because replay attacks are easy. Such an attack relies on capturing legitimate traffic and sending it to the server again. Even though the credentials are obfuscated and not readable by the attacker, the attacker can send a new request with the same obfuscated data and gain access to the account, especially when the session token cookie is leaked in the same request.

The data leak outlined above can be misused in replay attacks. According to the National Institute of Standards and Technology SP 800-63-4, a replay attack is, “An attack in which the attacker is able to replay previously captured messages between a legitimate claimant and a verifier to masquerade as that claimant to the verifier or vice versa.” For example (presuming no replay attack protections are in place), if a user logs in to their bank account, an attacker who recorded that login request can resend it to repeat the action. With the captured details of the login, they can send the message again to gain access to the victim’s account.
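The NIST definition above presumes no replay protection. As an added example (not code from the game or from the post), the following shows the verifier-side protection that defeats a captured-and-resent message even when the capture is perfect: every request carries a fresh nonce and a timestamp, both bound to the body by an HMAC under a per-session key, and the server rejects a bad MAC, a timestamp outside its acceptance window, or a nonce it has already seen. The session key, the window length and the request bodies are constructed for the demonstration.

```python
"""Nonce + timestamp + HMAC replay protection on the verifier side (added example)."""
import hashlib
import hmac
import secrets
from typing import Optional

WINDOW_SECONDS = 60  # assumed acceptance window for a request timestamp


def _mac(key: bytes, nonce: str, ts: str, body: str) -> str:
    # Bind nonce, timestamp and body together so none can be swapped independently.
    return hmac.new(key, f"{nonce}|{ts}|{body}".encode(), hashlib.sha256).hexdigest()


def sign_request(key: bytes, body: str, now: float, nonce: Optional[str] = None) -> dict:
    """Client side: attach a fresh nonce, the current time and the MAC."""
    nonce = nonce or secrets.token_hex(16)
    ts = str(int(now))
    return {"body": body, "nonce": nonce, "ts": ts, "mac": _mac(key, nonce, ts, body)}


class ReplayGuard:
    """Server side: accept each authenticated message at most once within the window."""

    def __init__(self, key: bytes, window: int = WINDOW_SECONDS):
        self.key = key
        self.window = window
        self.seen: dict[str, float] = {}  # nonce -> time after which it may be forgotten

    def _evict(self, now: float) -> None:
        # A nonce older than the window is unreplayable anyway (stale timestamp),
        # so the cache only ever holds one window's worth of nonces.
        self.seen = {n: exp for n, exp in self.seen.items() if exp > now}

    def verify(self, msg: dict, now: float) -> str:
        self._evict(now)
        expected = _mac(self.key, msg["nonce"], msg["ts"], msg["body"])
        if not hmac.compare_digest(expected, msg["mac"]):
            return "rejected: bad mac"
        if abs(now - int(msg["ts"])) > self.window:
            return "rejected: stale timestamp"
        if msg["nonce"] in self.seen:
            return "rejected: replayed nonce"
        self.seen[msg["nonce"]] = now + self.window
        return "accepted"


def run_scenario(key: Optional[bytes] = None) -> list[str]:
    """Legitimate login, then the same capture resent, then tampered, then stale."""
    key = key or secrets.token_bytes(32)  # constructed per-session key
    guard = ReplayGuard(key)
    now = 1_700_000_000.0  # fixed clock so the scenario is deterministic
    login = sign_request(key, "login=dXNlcg&password=c2VjcmV0", now)
    results = [guard.verify(login, now)]              # first use: accepted
    results.append(guard.verify(login, now + 5))      # captured copy resent: nonce seen
    tampered = dict(login, body=login["body"] + "&remember=1")
    results.append(guard.verify(tampered, now + 5))   # body changed: MAC no longer matches
    old = sign_request(key, "ping", now - 600)
    results.append(guard.verify(old, now))            # well-formed but 10 minutes old
    return results


if __name__ == "__main__":
    for outcome in run_scenario():
        print(outcome)
```

The session key never leaves the TLS-protected channel in a real deployment; the point of the example is that even an attacker holding a complete copy of a valid request cannot reuse it, which is exactly the property the leaked login and registration traffic lacked.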

World of Warships response

The Jamf Threat Labs team contacted the developer in early August with our findings and, based on our discussion, agreed on a prolonged responsible disclosure period, giving them the time they requested to fix the issue.

The developer was responsive and cooperative in regard to fixing the issue. The credentials leak was fixed in version 8.4.0.

How did we find the leak?

Jamf Threat Labs has set up several alerts to detect this kind of data leak using the threat prevention policies available in Jamf for Mobile.

One of our alerts was triggered while users were connecting to the game via the app. At this point, we detected potential leaks of their credentials.

Risks for the players

Personal risk comes in the form of an account takeover. As documented on the game creator’s website, users cannot transfer their funds to different accounts, but users can transfer items between their own accounts that are on different servers. While there are conditions that must be met to achieve this transfer, with access to a compromised account, an attacker can impersonate the user and transfer funds.

Another risk of an attacker taking hold of an account is that the player’s progress can be halted by spending their earned or purchased in-game currency on items and/or research that do not benefit their play. This risk might subsequently turn into extortion, if the attacker threatens the player with these steps unless a real-life payment is made.

Conclusion

While the leak we found above is not in a “business application,” there are still steps organizations can take toward user awareness and cyber defense. For example, Jamf Threat Labs data shows that company email addresses are used for personal accounts. The good news is that this practice is declining, and the number of employees using work emails for personal purposes is minimal. To reduce the business risk coming from apps outside of business use, organizations must educate users about proper password hygiene and email account usage.

Usually, data leaks are only the initial vector for a targeted phishing campaign. These types of campaigns are more sophisticated than run-of-the-mill phishing campaigns, and often, are more successful.

With previously collected information, attackers can focus on social engineering techniques on the user — who they work for, their interests, the apps they use — to further personalize a phishing (or other social engineering) attack.

For example, researchers at Google Threat Intelligence found attackers “deceiving victims into authorizing a malicious connected app to their organization's Salesforce portal.” By tricking users to install a malicious Salesforce app, attackers gained access to the customer’s Salesforce account.

But there are other common reasons to pay attention to data leaks:

  • Even popular developers can make mistakes. In fact, according to NIST Special Publication 800-124r2, “In the case of typical software, errors and vulnerabilities exist at an estimated frequency of ~25 errors per 1000 lines of code.”

  • This leak reinforces the need for organizations and consumers to layer defense protection. Relying only on the security of the host app creates opportunities for attackers.

We appreciate the Wargaming team’s effort and collaboration during this process. While the specific vulnerability discussed above has now been patched, this post helps inform businesses and users about the types of threats and techniques attackers employ to steal data and sensitive information.
