Mobile game with 10m+ downloads spills source code, endangers user data

Attackers shared the data allegedly taken from the creators of Escalators, a game from Supersonic Studios LTD. Cybernews researchers believe the breach could impact user data.

The source code of Escalators, a mobile game available on Google Play Store and Apple’s App Store, was allegedly posted on several popular hacker forums.

The threat actor posted a dataset of nearly 600 MB of likely stolen information. Source code leaks pose a significant security threat to developers as their intellectual property can be exposed.

Source code leaks can also let attackers study an app's security weaknesses and develop tailor-made exploits for later use.

[Image: Escalators breach leak announcement. Image by Cybernews.]

According to the Cybernews research team, the leaked information includes a Firebase URL and its key. Firebase is a mobile application development platform primarily used for data storage.

With the Firebase URL and key in hand, attackers could access private user data kept in the Firebase database, potentially resulting in data theft or manipulation.

The leak includes Google and Apple in-app payment Application Programming Interface (API) keys. While the API keys are obfuscated, the team found instructions to deobfuscate the data.

In-app payment keys allow the processing of in-app purchases and, coupled with access to the game’s source code, the information could enable attackers to make in-game purchases without developers’ permission. That could lead to financial losses for the company and fraud.

In-app payment API keys could also grant attackers the means to read order IDs, anonymized user IDs, and purchase tokens. The latter is used to prove users are entitled to products they buy within the app.
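For developers who want to check their own repository for the kind of exposure described above, the following added example (not Cybernews' or the game developers' code) scans source text for hardcoded Firebase database URLs and Google-format API keys, including keys hidden behind a trivially reversible encoding. Base64 is assumed here as a stand-in for the obfuscation, which the article does not specify; the key, URL and source lines in the sample are constructed.

```python
import base64
import binascii
import re

# Publicly documented shapes: Google API keys are "AIza" plus 35 URL-safe
# characters; Realtime Database hosts end in firebaseio.com or firebasedatabase.app.
PATTERNS = {
    "google_api_key": re.compile(r"AIza[0-9A-Za-z_\-]{35}"),
    "firebase_db_url": re.compile(
        r"https://[a-z0-9\-]+(?:\.[a-z0-9\-]+)*\.(?:firebaseio\.com|firebasedatabase\.app)"
    ),
}
# Quoted literals that look like base64 (assumed obfuscation for this example).
B64_LITERAL = re.compile(r"[\"']([A-Za-z0-9+/]{24,}={0,2})[\"']")

# Constructed sample input: a fake key and a fake project URL, not real values.
FAKE_KEY = "AIza" + "Example0" * 4 + "abc"
SAMPLE = "\n".join([
    'const dbUrl = "https://example-game-default-rtdb.firebaseio.com";',
    'const iapKey = "%s";' % base64.b64encode(FAKE_KEY.encode()).decode(),
    'const title = "Escalators";',
])


def _kinds(text):
    """Names of every secret pattern that occurs in text."""
    return [kind for kind, rx in PATTERNS.items() if rx.search(text)]


def scan_text(text):
    """Return sorted (line_no, kind, how) findings; how is 'plain' or 'base64'."""
    findings = set()
    for no, line in enumerate(text.splitlines(), 1):
        for kind in _kinds(line):
            findings.add((no, kind, "plain"))
        for literal in B64_LITERAL.findall(line):
            try:
                decoded = base64.b64decode(literal, validate=True).decode("utf-8")
            except (binascii.Error, UnicodeDecodeError):
                continue  # not valid base64 text, so nothing to inspect
            for kind in _kinds(decoded):
                findings.add((no, kind, "base64"))
    return sorted(findings)


if __name__ == "__main__":
    for finding in scan_text(SAMPLE):
        print(finding)
```

A finding marked `base64` shows that an encoded key shipped alongside the code that decodes it is as exposed as a plaintext one, so any key found this way should be rotated and moved out of the repository.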

The files in the exposed dataset were extracted in early November 2022.

We have reached out to Escalators’ publisher, Supersonic Studios, and the game’s developers but did not receive an immediate reply.

Escalators is a relatively popular game with over 10 million downloads on the Play Store and tens of thousands of ratings on the App Store. The game’s publisher, Supersonic Studios LTD, is a mobile game publisher and studio headquartered in Tel Aviv.
