Gain Brand Reputation... Lose Poor Security!
The most common understanding of 'app security breaches' is stolen usernames and passwords, and hijacked accounts and databases. These issues are very common, but a security breach has a much deeper definition.
Let us consider a situation that was noticed in a well-liked MMORPG (Massively Multiplayer Online Role-Playing Game):
A tech-savvy player, while examining some of the game's front-end code in Lua (a very popular lightweight programming language that most major MMOs use to handle the GUI, front-end interface and module creation), discovered that the game sent character account updates to the server through a JSON file, and that this file was not secured, gated or checked for errors in any way. Using that file's URL, his browser and some value replacement, the player was able to bypass the game mechanics entirely and give himself unlimited game currency, levels and quite a bit more. To make the situation worse, this script could be used to alter any character by ID, not just your own.
What made it more of a disaster was that the issue was reportedly discovered and brought up by players, not by the game staff or the developers.
As a remedy, the game had to be taken offline and made unavailable to players on all servers for several hours of emergency maintenance, during which a fix had to be prepared as quickly as possible.
Although, as a business setback, this is not comparable to compromised credit card information or shared passwords, it does compromise the reliability of the entire game world and economy. And of course, it harms the users' perception of the game and its developers. MMO players are very strict and very disapproving of unexpected downtime, especially when the cause is a security oversight such as the one in this scenario. They are very upfront about such disenchantment. Several forums erupted in discussion of this security breach, most of it very off-putting and negative about both the issue and the downtime of the game.
This security loophole could have been detected and fixed during testing with ease and without chaos. Early detection would have eliminated the negative impact on brand loyalty and game quality before anyone even had a clue about it. The issue was obviously resolved, but it is definitely not so easy to restore the players' faith in the brand. There is no shortcut to fixing a battered brand reputation.
This article teaches us an important lesson about potential security weak points: if one exists, it will be found. We need to devote some time, concentration and patience.
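As an added example (not code from the game or from the original article), here is the kind of server-side check that the update endpoint described above was missing: the character must belong to the logged-in account, and currency and levels are never accepted from the client. The character schema, field names and account IDs are assumptions constructed for illustration.

```python
import json

# Constructed sample data: character records keyed by character ID (hypothetical schema).
CHARACTERS = {
    101: {"owner": "acct-alice", "name": "Aria", "title": "Scout", "gold": 50, "level": 3},
    202: {"owner": "acct-bob", "name": "Brom", "title": "Smith", "gold": 75, "level": 5},
}

# Fields a client may change directly; gold and level are computed by the server only.
CLIENT_EDITABLE = {"title": str}


class UpdateRejected(Exception):
    """Raised when a client-sent update fails validation."""


def apply_character_update(session_account, raw_body, characters=CHARACTERS):
    """Validate a client-sent JSON update before touching stored state."""
    try:
        body = json.loads(raw_body)
    except json.JSONDecodeError as exc:
        raise UpdateRejected("malformed JSON") from exc
    if not isinstance(body, dict) or not isinstance(body.get("changes"), dict):
        raise UpdateRejected("unexpected payload shape")

    char_id = body.get("character_id")
    character = characters.get(char_id) if isinstance(char_id, int) else None
    # Same error for "missing" and "not yours", so the reply does not confirm valid IDs.
    if character is None or character["owner"] != session_account:
        raise UpdateRejected("character not found for this account")

    for field, value in body["changes"].items():
        expected = CLIENT_EDITABLE.get(field)
        if expected is None:
            raise UpdateRejected(f"field {field!r} is server-controlled")
        if not isinstance(value, expected) or not 1 <= len(value) <= 32:
            raise UpdateRejected(f"invalid value for {field!r}")

    character.update(body["changes"])  # applied only after every check has passed
    return character
```

Running the rejected cases (another account's character ID, a `gold` or `level` field, malformed JSON) as automated tests before release is how this class of oversight gets caught during testing.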