An Android Video Game With 1 Million Downloads Compromised Users’ Personal Information
Tap Busters: Bounty Hunters, a well-known mobile game, has exposed users’ confidential data.
On the Google Play Store, Tap Busters: Bounty Hunters has been downloaded more than one million times and has a 4.5-star rating based on more than 45k reviews. In the game, players become bounty hunters looking to dominate the galaxy by defeating villains and gathering loot as they travel through alien worlds.
Cybernews research found that Tap Busters: Bounty Hunters left its database open to public access for at least five months, exposing users' private conversations. In addition, sensitive data had been hardcoded into the app's client side, exposing it to further breaches.
The 349MB unprotected database includes usernames, user IDs, timestamps, and private messages. The users' private messages could have been permanently lost if the leaked data had not been backed up and a hacker had chosen to delete it. The developers left sensitive information hardcoded in the application's client side along with an open Firebase instance. Here are the keys that were found:
- firebase_database_url
Tilting Point, the game’s developer, owns multiple successful titles with a large user base. Some of these have racked up over five million downloads. Once they were notified of the data breach, they neglected to shut down public access to the database.
According to Cybernews, “The app developers did not reply to Cybernews questions about the duration of the instance’s public accessibility or the possibility that malicious actors might exploit hardcoded secrets, resulting in sensitive data breaches.”
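A Firebase Realtime Database is open to anyone when its security rules grant `.read` or `.write` unconditionally. The following Python linter is an added example, not code from the article, Cybernews or Tilting Point; it assumes rules exported as strict JSON, and the sample rules and the `chats`, `$room`, `members` and `motd` paths are constructed for illustration.

```python
import json

# Constructed sample rules; not the game's real configuration.
OPEN_RULES = """{"rules": {
  ".read": true,
  ".write": "true",
  "chats": {"$room": {".read": "auth != null"}}
}}"""

MEMBER = "auth != null && root.child('members').child($room).child(auth.uid).exists()"
SCOPED_RULES = json.dumps({"rules": {
    ".read": False,
    ".write": False,
    "chats": {"$room": {".read": MEMBER, ".write": MEMBER}},
    "motd": {".read": True},  # deliberately public, read-only
}})


def _always_true(expr):
    """A rule is unconditional if it is boolean true or the literal string 'true'."""
    if isinstance(expr, bool):
        return expr
    return isinstance(expr, str) and expr.strip() == "true"


def find_public_paths(rules_json):
    """Return sorted (path, permission) pairs granted to unauthenticated clients.

    Realtime Database rules cascade: a grant at a parent path cannot be
    revoked by a child, so only the top-most public path is reported.
    """
    findings = []

    def walk(node, path, inherited):
        granted = set(inherited)
        for perm in (".read", ".write"):
            if perm not in granted and _always_true(node.get(perm, False)):
                findings.append((path or "/", perm))
                granted.add(perm)
        for key, child in node.items():
            # Keys starting with "." are rule directives, not child paths.
            if not key.startswith(".") and isinstance(child, dict):
                walk(child, f"{path}/{key}", granted)

    walk(json.loads(rules_json)["rules"], "", frozenset())
    return sorted(findings)
```

In `OPEN_RULES` the `auth != null` rule under `chats` changes nothing, because the root grant already covers every child path; a check like this fits a CI step that runs before rules are deployed.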