June 5, 2015 by

Gaming Plug-In Leaves Millions of PCs Vulnerable

A gaming plug-in installed on over 200 million computers contains a critical flaw that lets an attacker read user data from websites the victim is currently logged into, according to a security researcher. Any site that relies on a browser session is affected, including webmail, social media and social networking accounts.

The plug-in in question

The plug-in, created by Unity Technologies, is used by hundreds of thousands of game designers and web developers to produce interactive 3D content and, most commonly, online games. The flaw, which at the time of writing is still being patched, lies in the Unity Web Player, a browser plug-in that displays and runs Unity-based web applications.

The Unity engine lets developers and gaming companies build 3D content once and ship it across desktop, mobile and console platforms. The Unity Web Player plug-in runs in all major browsers, including Chrome, Internet Explorer, Safari, Firefox and Opera. The engine is a favorite among web developers because of this near-universal compatibility. Facebook also promotes the technology heavily, offering a software development kit for integrating Unity-based games with Facebook's features.

According to numbers taken from Unity Technologies:

  • The Unity Web Player was installed on over 200 million computers as of March 2013.
  • The engine has over 700,000 monthly active developers.
  • Games built on the Unity engine reach over 600 million gamers worldwide.

The flaw in the plug-in

Finnish security researcher Jouko Pynnönen found a way to bypass the cross-domain policy enforced by the plug-in, allowing a malicious Unity app to reach other websites with the credentials (session cookies and login state) of the browser it runs in.

Normally, the cross-domain policy prevents a Unity-based web application loaded from one domain (an online game on Facebook, for example) from reading data, content or resources on other websites. Pynnönen found a vulnerability that lets a malicious app or script trick the Unity Web Player into issuing requests to other websites, and because those requests are made by the browser, they carry the user's cookies for the target site.

To demonstrate this, he built a Unity app which, when loaded by the plug-in, accessed the Gmail account of a user who had an active Gmail session in the same browser and sent the messages in the inbox back to the attacker's server.

The same attack works against users logged in to Facebook or any other website that relies on a browser session, as long as the Unity Web Player is installed in the browser.

For Chrome users the immediate fix is simply to update the browser: starting with Chrome 42, Chrome disables NPAPI plug-ins such as the Unity Web Player by default. Users of other browsers should disable or uninstall the plug-in until a patched version is available.


About the author


LIFARS is the global leader in Digital Forensics and Cyber Resiliency Services. Our experience spans two decades working on high profile events, often in concert with Law Enforcement Agencies around the world. Our proprietary methodology derives directly and indirectly from our experience working with and for U.S. Intelligence Agencies, Interpol, Europol, and NATO. We are solely dedicated to Cyber Resiliency and thus pay close attention to all aspects of our clients' engagement experience while providing a strategic and integrated array of services to minimize risk and disruption while protecting your brand.
