
World of Warships Blitz, a popular mobile multiplayer game with over 10 million downloads on Google Play, exposed sensitive user credentials during login and registration, potentially enabling account hijacking via replay attacks.
The issue was discovered by Jamf Threat Labs during routine monitoring using the firm’s mobile threat detection system. The team found that both Android and iOS versions of the game were transmitting user authentication data to a specific domain without adequate encryption. This exposed a wide range of information, including:
- Obfuscated usernames and passwords
- Session cookies
- JWT tokens
- Device specifications
- IP addresses
Despite the use of obfuscation, Jamf notes that the protective measures were insufficient to prevent replay attacks. In such attacks, intercepted login data can be retransmitted by malicious actors to gain unauthorized access to a victim’s account. Since the game also leaks session cookies and other tokens in the same unencrypted requests, attackers wouldn’t need to decrypt or even understand the original credentials to succeed in taking over accounts.
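The kind of wire-level check that would have caught the elements listed above is shown below as an added, constructed example (not Jamf's tooling and not code from the game): it flags session cookies, JWT-shaped tokens and credential fields only when the request travels over plain HTTP, and it reports obfuscated values too, since a replay needs no decoding. Hosts, header names and values are placeholders.

```python
import re
from dataclasses import dataclass, field

# Three-segment base64url shape of a compact JWT (header.payload.signature).
JWT_RE = re.compile(r"^[A-Za-z0-9_-]{4,}\.[A-Za-z0-9_-]{4,}\.[A-Za-z0-9_-]*$")
CREDENTIAL_KEYS = ("pass", "pwd", "secret", "token", "session")

@dataclass
class Request:
    scheme: str          # "http" or "https"
    host: str
    headers: dict = field(default_factory=dict)
    body: dict = field(default_factory=dict)

def looks_like_jwt(value: str) -> bool:
    # Accept both bare tokens and "Bearer <token>".
    return bool(JWT_RE.match(value.split()[-1])) if value.strip() else False

def cleartext_findings(req: Request) -> list:
    """List the replayable secrets this request would expose on the wire.

    TLS keeps headers and body confidential, so an https request yields
    nothing; obfuscated values over http are still reported because they
    can be replayed as-is without ever being decoded.
    """
    if req.scheme.lower() == "https":
        return []
    findings = []
    for name, value in req.headers.items():
        lname = name.lower()
        if lname == "cookie":
            findings.append("session cookie")
        elif lname == "authorization" or looks_like_jwt(value):
            findings.append(f"token in header {name}")
    for key in req.body:
        if any(marker in key.lower() for marker in CREDENTIAL_KEYS):
            findings.append(f"credential field {key}")
    return findings

# Constructed sample traffic (placeholder host, not captured from any real app).
SAMPLES = [
    Request("http", "login.example.invalid",
            {"Cookie": "sid=abc123", "X-Auth": "eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxIn0.c2ln"},
            {"user": "player1", "pass_obf": "Zm9vYmFy"}),
    Request("https", "login.example.invalid",
            {"Cookie": "sid=abc123"}, {"user": "player1", "pass_obf": "Zm9vYmFy"}),
]

def audit(requests=SAMPLES) -> dict:
    """Map each scheme://host to its cleartext findings; an empty list means clean."""
    return {f"{r.scheme}://{r.host}": cleartext_findings(r) for r in requests}
```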
World of Warships Blitz, developed by Wargaming, allows players to control historic naval vessels and progress through gameplay by earning or purchasing in-game resources. While the developer has several titles across platforms, Jamf confirmed this credential leak was unique to Blitz and did not affect Wargaming’s other titles.
According to Jamf, the vulnerability was disclosed responsibly to Wargaming in early August. The developer responded promptly and patched the flaw in version 8.4.0 of the game. The company was reportedly cooperative throughout the disclosure process, and no evidence has emerged of the vulnerability being actively exploited before the fix.
With unauthorized access, attackers could disrupt player progress, misuse virtual currency, or even extort players by threatening to sabotage their accounts. Although in-game funds cannot be transferred between accounts, items can be moved across servers under certain conditions, potentially giving attackers a pathway to misuse compromised accounts for value extraction.
Jamf’s data shows that some users registered for the game using corporate email addresses, potentially exposing business identities to phishing or social engineering threats.
World of Warships Blitz players are advised to update their app to the latest version and reset their account credentials on the game, and also anywhere else they might be using the same username and password.