Roblox, the ultra-popular free-to-play video game among children and teenagers, is accused of putting the data of more than 100 million players at risk. According to a CyberNews investigation, the game's Android app is riddled with security vulnerabilities. These flaws could be exploited by hackers to collect players' personal information.
In an investigation published on April 28, 2021, CyberNews, a well-known outlet dedicated to computer security, openly accuses Roblox of neglecting the protection of its users' data. The outlet claims to have found many entry points for hackers in the code of the game's Android app, which has more than 100 million installs on the Play Store.
The investigation uncovered "poor security practices", "outdated algorithms", and a vulnerability threatening Android smartphones running versions from Android KitKat 4.4 to Android Marshmallow 6.0. Ultimately, 7.5% of phones in circulation are affected. By exploiting an old flaw called Janus, hackers can collect the list of Android applications installed on a smartphone and remotely download fake versions (full of fraudulent and intrusive advertisements) to replace them. A dangerous piece of malware called Agent Smith actively exploits this flaw to generate advertising revenue.
Roblox assures that player data is not at risk
These various security issues are compounded by the use of “a local database to store player data”. All these factors make Roblox a target for malicious individuals looking for easy money. The game allows players to buy and sell virtual items and earn money by creating content. By exploiting the flaws, a hacker could theoretically seek to seize funds stored on Roblox's local database.
In a press release sent to several media outlets, Roblox quickly moved to deny the researchers' conclusions. “We take all reports seriously and immediately investigated when researchers first approached us in March. Our investigation has determined that there is no correlation between these claims and the actual risk to user data privacy. One claim was inaccurate and the other three were for inactive code not used on the Roblox platform. Anyway, we have removed inactive code as part of our commitment to the safety and security of our users,” Roblox said.
Source: CyberNews