Clash of Clans gamers at risk while using third-party app

An exposed database and secrets on a third-party app puts Clash of Clans players at risk of attacks from threat actors.

The Cybernews research team has discovered that the Clash Base Designer Easy Copy app exposed its Firebase database and user-sensitive information.

With 100,000 downloads on the Google Play store, the app lets Clash of Clans players design a custom base layout and import it into the game. Players use these layouts to protect their trophies and loot from attackers during raids.

The app was developed by Rioat Apps, a name that might be mistaken for the globally renowned Riot Games studio, which created games such as "League of Legends" and "Valorant."

The exposed database puts Clash of Clans players at risk. While the data in the open Firebase instance is not especially sensitive, if a threat actor deleted or altered it, every user of the app would be affected.

Furthermore, six secrets are hardcoded into the app package itself. On their own they are mostly identifiers, but combined with other potential weaknesses they could give threat actors a route to inject malicious content into the app's backend.

The exposed URL for a Google Cloud Storage bucket is especially worrying: it points at the app's storage, which can hold practically anything from text files to databases, backups, images, videos, or other sensitive material. Whether those objects can actually be read or written depends on the bucket's access rules, not on the URL being unknown.

The case is a stark example of the risks of using third-party apps. Many third-party apps assist with in-game tasks for Clash of Clans, and they may well carry the same or worse weaknesses.

Cybernews contacted Rioat Apps but has yet to receive a response. The Firebase instance remains publicly accessible.

Exposed secrets (the resource names the google-services Gradle plugin generates from the app's google-services.json):

  • default_web_client_id: the OAuth 2.0 web client ID that Firebase Authentication uses for Google sign-in. It is a public identifier, not a credential.
  • gcm_defaultSenderId: the Google Cloud project number, used as the sender ID for Firebase Cloud Messaging.
  • google_api_key: the key used to address the project's Google and Firebase services. Google treats Firebase API keys as public, so on its own it is not a secret, but it lets anyone reach the project's backend, where the Security Rules decide what they may read or write.
  • google_app_id: the Firebase App ID, used together with google_api_key to identify this app to Firebase.
  • google_crash_reporting_api_key: the API key used for crash reporting; it carries the same value as google_api_key.
  • google_storage_bucket: the name of the project's default Cloud Storage bucket (usually of the form project-id.appspot.com).
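The checks a practitioner would run on an app like this, as an added example that is not Cybernews' or Rioat Apps' code: pull the six identifiers out of the decoded APK resources, derive the Realtime Database and Storage endpoints they point at, classify what an unauthenticated request gets back, and compare the "test mode" Security Rules that produce an open instance with a hardened rule set. The strings.xml contents, project ID, bucket name and HTTP responses are all constructed for illustration; only the endpoint URL patterns and the rules syntax are Firebase's own.

```python
"""Triage of hardcoded Firebase identifiers in an Android app.
Added example; all values are constructed, the project is hypothetical."""
import json
import xml.etree.ElementTree as ET

# Constructed res/values/strings.xml as apktool would decode it; the
# google-services Gradle plugin emits exactly these six resource names.
STRINGS_XML = """<resources>
    <string name="default_web_client_id">123456789012-abc.apps.googleusercontent.com</string>
    <string name="gcm_defaultSenderId">123456789012</string>
    <string name="google_api_key">AIzaSyEXAMPLE-placeholder-not-a-real-key</string>
    <string name="google_app_id">1:123456789012:android:0123456789abcdef</string>
    <string name="google_crash_reporting_api_key">AIzaSyEXAMPLE-placeholder-not-a-real-key</string>
    <string name="google_storage_bucket">example-app-12345.appspot.com</string>
</resources>"""

FIREBASE_KEYS = (
    "default_web_client_id", "gcm_defaultSenderId", "google_api_key",
    "google_app_id", "google_crash_reporting_api_key", "google_storage_bucket",
)


def extract_firebase_strings(xml_text: str) -> dict:
    """Return the Firebase-related <string> resources found in the XML."""
    root = ET.fromstring(xml_text)
    return {s.get("name"): s.text for s in root.iter("string")
            if s.get("name") in FIREBASE_KEYS}


def derive_endpoints(strings: dict) -> dict:
    """Endpoints an unauthenticated client would hit. The project ID is the
    bucket name minus '.appspot.com'; older projects expose the Realtime
    Database at <id>.firebaseio.com, newer ones at <id>-default-rtdb, so
    both candidates are returned."""
    bucket = strings["google_storage_bucket"]
    suffix = ".appspot.com"
    project = bucket[:-len(suffix)] if bucket.endswith(suffix) else bucket
    return {
        "rtdb": [f"https://{project}.firebaseio.com/.json",
                 f"https://{project}-default-rtdb.firebaseio.com/.json"],
        "storage_list": f"https://firebasestorage.googleapis.com/v0/b/{bucket}/o",
    }


def classify_rtdb(status: int, body: str) -> str:
    """GET /.json on the database root: 200 (even with body 'null') means the
    rules allow anonymous read of the whole tree; Permission denied means
    the rules are doing their job."""
    if status == 200:
        return "open"
    try:
        err = json.loads(body).get("error", "")
    except ValueError:
        return "unknown"
    if status in (401, 403) or "Permission denied" in err:
        return "locked"
    return "unknown"


def classify_storage(status: int, body: str) -> str:
    """Object listing of the bucket: readable rules return an 'items' array,
    locked rules return 403."""
    if status == 200:
        try:
            return "open" if "items" in json.loads(body) else "unknown"
        except ValueError:
            return "unknown"
    return "locked" if status == 403 else "unknown"


def rules_allow_anonymous(rules_json: str) -> dict:
    """Walk a Realtime Database rules document and report every path whose
    .read or .write is a literal true, i.e. granted without any auth check."""
    def walk(node, path, found):
        for key, val in node.items():
            if key in (".read", ".write") and val is True:
                found.setdefault(key, []).append(path or "/")
            elif isinstance(val, dict):
                walk(val, f"{path}/{key}", found)
        return found
    return walk(json.loads(rules_json)["rules"], "", {})


# "Test mode" rules many apps ship with: anyone can read, alter or delete
# everything, which is the situation the article describes.
OPEN_RULES = '{"rules": {".read": true, ".write": true}}'

# Hardened: each signed-in user may only touch their own layouts subtree.
HARDENED_RULES = """{"rules": {"layouts": {"$uid": {
    ".read": "auth != null && auth.uid == $uid",
    ".write": "auth != null && auth.uid == $uid"}}}}"""


if __name__ == "__main__":
    found = extract_firebase_strings(STRINGS_XML)
    print(json.dumps(derive_endpoints(found), indent=2))
    print("open rules grant:", rules_allow_anonymous(OPEN_RULES))
    print("hardened rules grant:", rules_allow_anonymous(HARDENED_RULES))
```

Against a live project, feed the status code and body of an unauthenticated GET on each derived URL to `classify_rtdb` and `classify_storage`; the classifiers are kept separate from any network code so they can be exercised on captured responses. Note that the API key never enters the picture: the Realtime Database root URL needs no key at all, which is why Google's advice to treat that key as public only holds when the Security Rules are not wide open.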
