A popular Chinese mobile game developer has unwittingly exposed the data of a large number of players. The developer is EskyFun, best known for its Android games Rainbow Story: Fantasy MMORPG and Dynasty Heroes: Legends of Samkok. Researchers at vpnMentor, led by Noam Rotem and Ran Locar, discovered the exposed data while investigating EskyFun's servers.
The unsecured server held 134GB of data comprising over 365 million records, potentially exposing more than one million gamers to a wide range of threat actor schemes. vpnMentor states in its research that the problems facing EskyFun are multifaceted, but that most of them stem from how the company collects data from its customers (i.e., the people who play its mobile games). The following excerpt describes this practice in greater detail:
The reason for the sheer size of the data exposed appears to be EskyFun’s aggressive and deeply troubling tracking, analytics, and permissions settings.
Most likely, most players have no idea just how much data and access they're providing to EskyFun just from downloading one of the company's games. In fact, it appears you don't even need to start playing a game before it's accessing your device's settings and networks... Due to this excessive tracking and access, EskyFun was harvesting vast amounts of data from players — most of it totally unnecessary for the games to function.
Once vpnMentor uncovered the unsecured server, it contacted the company, to no avail. After a follow-up that also went ignored, vpnMentor contacted Hong Kong CERT, after which the exposure was closed. As the following quote shows, however, it is not clear who was responsible for securing the data:
Hong Kong CERT was rapid and proactive in its response, seeking additional information to take appropriate measures. However, at this point, the database was secured, and the breach had been closed.
As we never heard back from EskyFun, we can’t confirm exactly when it fixed the vulnerability.
Whether you use EskyFun's products or not, this incident is a lesson in consumer responsibility as much as it is a cautionary tale of corporate overreach. Consumers of any product, especially one that can track and collect data, must be certain of what they are getting themselves into.
Nobody can rely on tech companies to be entirely forthcoming about just how much they will invade your privacy. And with mobile apps, especially Android apps, there seem to be an inordinate number of problems. It is up to each individual to determine how many red flags they can excuse before deciding to use a product.
Featured image: EskyFunUSA