Video Game Security Bug Bounty Programs
Gaming platforms continue to prove a tempting target for cybercriminals, with the industry’s value estimated at $152 billion worldwide, and now video game developers are asking white hats for help.
Last year’s Akamai State of the Internet report describes in detail how 12 billion credential stuffing attacks targeted players over a 17-month period.
To combat the growing threat, the game industry is increasingly turning to bug bounty programs as an additional layer of security. A bug bounty is similar to a pen testing engagement, except that researchers are publicly permitted to attack the organisation and are paid only for the vulnerabilities they submit that are accepted.
Microsoft has recently launched a bug bounty program for Xbox, offering up to $20,000 for vulnerabilities such as Remote Code Execution (RCE).
But it’s not just players who are at risk. Last month, a US man pleaded guilty to breaking into several Nintendo servers to steal video games and other data.
Other game platforms and video game developers offering programs include InnoGames, Riot Games, Nintendo, FanDuel and Valve.
HackerOne’s 2019 “Hacker-Powered Security Report” found that the media and entertainment industry, including the gaming industry, increased its bug bounty adoption by 7%.
The company followed Rockstar Games’ decision to make its bug bounty program public and invite hackers to test its platform for a wider range of vulnerabilities.
The sector paid an average of $3,510 for each critical vulnerability uncovered in 2019.
Attackers vs Big Time Leagues
Chris Boyd, senior analyst for malware intelligence at Malwarebytes, said the following: “Some of the biggest threats to games have not changed much over the years, but as in-game monetization and pay-to-win become more popular, players are always looking for offers, discounts and free in-game items.
“This is where scammers come in, offering fake tools, free games and downloadable content, but always serving up phishing and Trojans.”
Such scams have become more common as games increasingly encourage in-app purchases to unlock new features or levels. For example, fourteen users are reported to have spent an average of $85 on in-game items.
The attackers are also on the hunt for game accounts containing rare or valuable items that can be traded on the Dark Web.
So what can gaming platforms do to protect their customers when social engineering attacks fall outside what a bug bounty can address?
The key is education, Boyd suggests, and making sure that players know how to spot a scammer – especially one posing as support staff.
Security within the Constantly Growing Industry
InnoGames’ security engineer, Kevin Heseler, stated that large gaming companies such as Nintendo and FanDuel should work with ethical hackers to provide a stronger and safer environment for players. He also said that a bounty would give an additional channel for receiving information on bugs, thanks to the researchers who look out for them. A good example is InnoGames.
With a division inside the game company that can track down attack vectors and patterns, the burden on administrative staff is reduced thanks to a dedicated, competitive cyber security team.
Typical attacks include malware proliferation and distributed denial of service (DDoS) attacks as well as RCE and privilege escalation bugs.
Although many of these vulnerabilities are in scope for most gaming bug bounty programs, including the one recently introduced by Microsoft for Xbox, users remain vulnerable to social engineering tactics such as phishing campaigns.
Steve Ragan, security researcher at Akamai, said that a notable aspect of Microsoft’s bug bounty program is that it includes information disclosure and other security features in scope.
“This will be critical because when criminals have to take over an account or target a player, they often have to bypass some of the stuff on the platform,” he said.
Ragan added: “But the other main area of attack for players is the social element, and this bug bounty won’t be able to solve that problem because it’s out of reach.”
The gaming industry is increasingly turning to bug bounty programs as part of its security posture.