The game NaicaOnline gained some small momentum last year when it was in closed alpha and approaching open beta. My hobby is reverse engineering, particularly around games.
I do not do this maliciously, and always follow responsible disclosure practices.
During closed alpha, I found a number of vulnerabilities/exploits. Some were simply allowing gameplay advantages (duping items, generating infinite game currency), but the most important was one which allowed me to gain user account credentials. I disclosed these vulnerabilities to the developers in early October of 2020. All but one remain unpatched, the only one they fixed was a way to crash the game server.
Around the other vulns, the response I received from a dev was:
The game has now been completely abandoned by the devs, after having taking money for both in-game purchases and pre-launch backer sales. I do not care about this, I have no personal investment in the success of the game, however it is certainly shady. It particularly smells fishy, as the devs have announced they are working on a new game "based on Naica".
I wrote to MassivelyOP about the issue, you can find their article here.
Due to the devs doing nothing to secure the information and credentials of their playerbase, I took to their Discord to alert users to the fact that they should change their Naica account passwords and ensure that those passwords are not re-used elsewhere. I have been met with suppression from their moderation team, who consistently delete these posts.
I would like to clarify that I have never made the method public, and will not do so as I do not believe it would force their hand in securing their game. They have already abandoned it.
I am writing this post in hope that I can get the word out before the Naica user credentials become a part of (yet another) sizable data breach.
Again, I will not disclose the method for breaching account creds, but I will demonstrate a currency exploit which remains unpatched to hopefully reinforce the legitimacy of my statements (which were already verified by MassivelyOP).
Please, spread the word. The vulnerability must be fixed and these devs should never, EVER be allowed publicity or support for their future game(s). At minimum, all users who registered for Naica should change their passwords immediately and ensure these same passwords are not used for any other accounts anywhere on the internet.
Source: Original link
© Post "NaicaOnline – Poor Security, Worse Business Practices" for game Gaming News.
Top 10 Most Anticipated Video Games of 2020
2020 will have something to satisfy classic and modern gamers alike. To be eligible for the list, the game must be confirmed for 2020, or there should be good reason to expect its release in that year. Therefore, upcoming games with a mere announcement and no discernible release date will not be included.
Top 15 NEW Games of 2020 [FIRST HALF]
2020 has a ton to look forward to...in the video gaming world. Here are fifteen games we're looking forward to in the first half of 2020.