Video game developers turn to white hats for help

Video game bug bounties are protecting gamers and developers

ANALYSIS Gaming platforms continue to prove a tempting target for cybercriminals, with the industry valued at an estimated $152 billion globally.

Last year’s State of the Internet report from Akamai detailed how 12 billion credential stuffing attacks targeted gamers across a 17-month period.

However, it’s not just players that are at risk. Last month, a US man pleaded guilty to breaking into multiple Nintendo servers to steal video games and other data.

To help combat the growing threat, the gaming industry is increasingly adopting bug bounty programs as an added layer of security protection.

The latest gaming bug bounty programs

Microsoft recently launched a bug bounty program for Xbox, offering up to $20,000 for vulnerabilities such as remote code execution (RCE).

It followed RockstarGames’ decision to make its bug bounty program public, inviting hackers to test its platform for a wider range of vulnerabilities.

Other gaming platforms and video game developers that offer programs include InnoGames, Riot Games, Nintendo, FanDuel, and Valve.

HackerOne’s 2019 Hacker-Powered Security Report found that the media and entertainment industry, inclusive of the gaming industry, increased its bug bounty adoption by 7%.

The sector paid out an average of $3,510 for each critical vulnerability that was disclosed in 2019.

Security at the speed of gaming innovation

“Hacker-powered security is a given part of a mature and proactive security program – and it’s not hard to see why,” HackerOne senior security solutions engineer Jon Bottarini told The Daily Swig.

“For organizations like Nintendo and FanDuel, working with hackers allows them to provide security at the speed of gaming innovation.”

InnoGames security engineer Kevin Heseler added: “A public bug bounty gives InnoGames an additional channel for receiving information on bugs from many pairs of eyes.

“We can therefore identify new attack vectors and patterns and lower the administrative overhead for rewarding security researchers for bugs they find.”

Typical attacks include malware distribution and distributed denial-of-service (DDoS) assaults, as well as RCE and privilege escalation bugs.


Read more of the latest bug bounty news


While many of these vulnerabilities are in scope for most gaming bug bounty programs, including the one recently launched by Microsoft Xbox, users are still at risk from social engineering tactics such as phishing campaigns.

“There’s one aspect of the Microsoft bug bounty program that talks about information disclosure and security feature bypasses,” Steve Ragan, security researcher at Akamai, told The Daily Swig.

“This is going to be critical because a lot of times if they [criminals] need to take over an account or target a player, then they have to bypass some of the stuff on the platform.”

Ragan added: “But the other major attack surface for gamers is the social element, and this bug bounty is not going to be able to address that because it’s out of scope.”


The gaming industry is increasingly turning to security bug bounty programs

Pwn-to-win – Fresh opportunities for attackers

Chris Boyd, lead malware intelligence analyst at Malwarebytes, told The Daily Swig: “Some of the biggest gaming threats haven’t really changed too much over the years, but as in-game monetization and so-called ‘pay-to-win’ become more popular, so too are gamers always looking for deals, discounts, and free in-game items.

“This is where scammers come in offering fake tools, offering free games, downloadable content, but only ever serving up phishes and trojans.”

Such scams have become more popular in the wake of the trend that encourages in-app purchases to unlock new features or levels. Fortnite users, for example, were said to be spending an average of $85 on in-game items.


RELATED Cheats, hacks, and cyber-attacks: Esports cybercrime poised to soar


Attackers are also on the hunt for gaming accounts that contain rare or high-value items that can be traded on the dark web.

“There are a lot of games where you have in-game currencies or in-game items that can be sold or traded for real world currency,” said Ragan.

“Then you have the payment cards linked to accounts, so criminals can take over your account and drain your credit card or online funding account associated with it.”

Staying ahead of the game

So what can gaming platforms do to protect their customers if social engineering attacks are out of scope?

The key is education, suggests Boyd, and ensuring gamers know how to spot a scammer – especially those posing as support staff.

“It’s up to the system provider to provide easily accessible and understandable guides for players to keep their accounts safe,” suggests Boyd.

“[But] if they offer support on platforms outside their console ecosystem such as social media, they also need to let players know imitation support accounts exist which try to inject themselves into support conversations and direct gamers to phishing sites.”


YOU MIGHT ALSO LIKE Hack and slash: Cloud-based video games model opens up fresh security risks