The Progress Data of 1,00,000 Players Was Exposed by the RPG Guidus
Guidus, a popular mobile role-playing game (RPG), leaks information about its users’ game progress.
Cybernews researched and discovered that the sensitive data had been hardcoded into the Guidus app, exposing it to data leaks. There are over 100k downloads of Guidus on the Google Play App store. It is a famous pixel RPG game for mobile devices. Over 16k reviewers have given this app a rating of 4.2 out of 5. The game requires the player to fight their way through dungeons to reclaim the palace and rescue the true heir to the kingdom.
The game had a good reputation and appeared to be a legitimate application, but now it has been confirmed that millions of users’ game progress data have been leaked. “The app spilled information about users’ game progress, including anonymized tokens used by gamers as ‘in-game’ curries and as digital markers to track progress. If the data leaked had not been backed up and a malicious actor had chosen to delete it, it is possible that the user’s progress in the game would have been permanently lost without the possibility of recovery,” said Cybernews.
“Hardcoding sensitive data into the client side of an Android app is a bad idea, in most cases, it can be easily accessed through reverse engineering,” they added. The hackers might be able to access even more sensitive data about the player if they can access those keys.
Here are the keys found hardcoded into the client side of the app:
- firebase_database_url, gcm_defaultSenderId
- default_web_client_id, google_api_key
- google_app_id
- google_crash_reporting_api_key
- google_storage_bucket
According to Cybernews, over 33,000 Android apps were analyzed earlier this year and the most sensitive hardcoded secrets left exposed were API keys used to authorize projects, Firebase dataset links, and Google Storage buckets.
Business, lifestyle, health and fitness, tools, and education are the top five app categories that contain the most hardcoded personal data.
