Clash of Clans gamers at risk while using third-party app

An exposed database and hardcoded secrets in a third-party app put Clash of Clans players at risk of attacks from threat actors.

The Cybernews research team discovered that the Clash Base Designer Easy Copy app exposed its Firebase database along with sensitive user information.

With 100,000 downloads on the Google Play store, the app lets Clash of Clans players design a custom base layout and import it into the game. Players use these layouts to protect their trophies and loot from other players during attacks.

The app was developed by Rioat Apps, a name that might be mistaken for the globally renowned Riot Games studio, which created games such as “League of Legends” and “Valorant.”

The exposed database puts Clash of Clans players at risk. While the data in the open Firebase instance is not especially sensitive, a threat actor who deleted it would disrupt the app for every user.

Furthermore, the researchers found six secrets hardcoded into the app’s manifest. Combined with other potential vulnerabilities, these could give threat actors backdoor access to the app’s backend and a way to inject malicious content.

An exposed URL for a Google Cloud Storage bucket is also worrying, because the bucket is the app’s backend storage and can hold practically anything: text files, database exports, backups, images, videos, or other sensitive information.
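The three findings above (an open Firebase Realtime Database, secrets hardcoded in the app package, and a reachable Cloud Storage bucket) are exactly what a reviewer checks for when auditing a mobile app. The script below is an added example, not code from Cybernews or Rioat Apps: it scans text decoded from an APK (assume apktool output) for Firebase database URLs, storage buckets and Google API keys, builds the unauthenticated probe requests one would send against a project one is authorized to test, classifies the responses, and flags Realtime Database rules that are open to the world. The project id, bucket, key, rules and HTTP responses are all constructed for illustration.

```python
"""Audit text decoded from an Android APK (e.g. with apktool) for Firebase
Realtime Database URLs, Cloud Storage buckets and Google API keys, build the
unauthenticated probe requests a reviewer would send, classify the responses,
and flag world-open Realtime Database rules. Added example with constructed
input; the project id, bucket, key and responses below are hypothetical."""
import re

# Constructed sample of res/values/strings.xml as generated from a
# google-services.json; every value here is made up.
SAMPLE_RESOURCES = """<?xml version="1.0" encoding="utf-8"?>
<resources>
    <string name="firebase_database_url">https://example-base-designer.firebaseio.com</string>
    <string name="google_storage_bucket">example-base-designer.appspot.com</string>
    <string name="google_api_key">AIzaSyEXAMPLEKEYEXAMPLEKEYEXAMPLEKEY000</string>
    <string name="project_id">example-base-designer</string>
</resources>
"""

# Legacy and regional Realtime Database hosts, Firebase/GCS bucket names,
# and the 39-character Google API key format (AIza + 35 chars).
FIREBASE_DB_RE = re.compile(
    r"https://[a-z0-9-]+\.(?:firebaseio\.com|[a-z0-9-]+\.firebasedatabase\.app)")
BUCKET_RE = re.compile(r"\b[a-z0-9][a-z0-9.-]*\.(?:appspot\.com|firebasestorage\.app)\b")
GOOGLE_API_KEY_RE = re.compile(r"\bAIza[0-9A-Za-z_-]{35}\b")


def find_endpoints(text: str) -> dict:
    """Return the database URLs, buckets and API keys embedded in decoded text."""
    return {
        "firebase_db": sorted(set(FIREBASE_DB_RE.findall(text))),
        "buckets": sorted(set(BUCKET_RE.findall(text))),
        "api_keys": sorted(set(GOOGLE_API_KEY_RE.findall(text))),
    }


def probe_urls(endpoints: dict) -> list:
    """Unauthenticated GETs that show whether rules/IAM are enforced.
    '.json?shallow=true' returns only top-level keys, so a probe never
    downloads user data; the bucket paths are the Firebase Storage and
    GCS JSON API object-listing endpoints."""
    urls = [f"{db}/.json?shallow=true" for db in endpoints["firebase_db"]]
    for bucket in endpoints["buckets"]:
        urls.append(f"https://firebasestorage.googleapis.com/v0/b/{bucket}/o")
        urls.append(f"https://storage.googleapis.com/storage/v1/b/{bucket}/o")
    return urls


def classify(status: int, body: str) -> str:
    """Map an unauthenticated probe response to a finding."""
    if status == 200:
        return "PUBLIC: readable without credentials"
    if status in (401, 403):
        hint = " (Firebase rules enforced)" if "Permission denied" in body else ""
        return "locked: request rejected" + hint
    if status == 404:
        return "absent: no such database or bucket"
    return f"unknown: HTTP {status}"


def audit_rules(doc: dict) -> list:
    """Return paths in a Realtime Database rules document whose .read or
    .write is granted to everyone. Firebase accepts boolean true and the
    string "true"; a grant at a parent path cascades to all children."""
    findings = []

    def walk(node, path):
        for key, val in node.items():
            if key in (".read", ".write"):
                if val is True or (isinstance(val, str) and val.strip() == "true"):
                    findings.append(f"{path} {key} open to the world")
            elif isinstance(val, dict):
                walk(val, path.rstrip("/") + "/" + key)

    walk(doc.get("rules", {}), "/")
    return findings


# Constructed rules: test-mode defaults versus per-user ownership.
WEAK_RULES = {"rules": {".read": "true", ".write": "true"}}
HARDENED_RULES = {"rules": {"layouts": {"$uid": {
    ".read": "auth != null && auth.uid == $uid",
    ".write": "auth != null && auth.uid == $uid"}}}}

# Constructed (status, body) pairs standing in for live HTTP responses.
SAMPLE_RESPONSES = {
    "https://example-base-designer.firebaseio.com/.json?shallow=true":
        (200, '{"layouts":true,"users":true}'),
    "https://firebasestorage.googleapis.com/v0/b/example-base-designer.appspot.com/o":
        (403, '{"error":{"code":403,"message":"Permission denied."}}'),
    "https://storage.googleapis.com/storage/v1/b/example-base-designer.appspot.com/o":
        (401, '{"error":{"code":401,"message":"Anonymous caller lacks storage.objects.list"}}'),
}


def run_audit(text: str = SAMPLE_RESOURCES, responses: dict = SAMPLE_RESPONSES) -> dict:
    """Map each probe URL to a verdict; swap `responses` for real GETs to run live."""
    return {url: classify(*responses.get(url, (0, "")))
            for url in probe_urls(find_endpoints(text))}


if __name__ == "__main__":
    for url, verdict in run_audit().items():
        print(f"{verdict:<45} {url}")
    for finding in audit_rules(WEAK_RULES):
        print("weak rules:", finding)
    print("hardened rules findings:", audit_rules(HARDENED_RULES))
```

A 200 on the shallow `.json` probe is the condition the article describes: the database answers an anonymous request, so anyone who extracts the URL from the APK can read it, and with the matching `.write` grant can also wipe it. The hardened rules tie every read and write to the authenticated owner of the path, which is the fix the developer would apply in the Firebase console rather than anything in the app binary.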

The case is a stark example of the risks of using third-party apps. A variety of third-party apps assist with in-game tasks for Clash of Clans, and any of them could have the same or more severe vulnerabilities.

Cybernews contacted Rioat Apps but has yet to receive a response. At the time of writing, the Firebase instance was still publicly accessible.

More details about the exposed secrets are available in the original post:

https://cybernews.com/security/clash-of-clans-third-party-app-leak/

About the author: Paulina Okunytė, Journalist @ CyberNews

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Clash of Clans)