Rockstar Games Social Club credentials are accessible via memory reading, concludes a computer security researcher who has tipped Rockstar Informer. The credentials are easily accessible to any process running on the victim's computer, including soon-to-come mods that are injected into the game via DLL loaders and trainers that run externally.
The credentials appear to be stored unencrypted, in plain text. Once a harmful process has obtained the credentials, they can be sent off to a remote server, after which the author could alter the credentials for personal gain, because Rockstar Games Social Club does not require e-mail verification for password changes.
It remains to be seen whether Rockstar Games will patch this vulnerability in a timely fashion. Until then, PC gamers will need to be extremely cautious about using trainers, tools and mods for the title.
"This type of security is disastrous for any game utilizing online capabilities. Social Club is used in both the retail and the Steam version of the game to verify ownership. If the credentials are found by others it could be severely exploited. We have seen reports of consumers that claim their credentials have already been stolen, though we have no idea if this vulnerability is related to that," the security researcher explains.
In the past few days, numerous websites have reported on stolen Social Club credentials. Some even report that Rockstar Games telephone support hangs up on customers who have lost their account, as per procedure from higher management.
Rockstar Games updated its official support hub earlier this morning. In a statement, the developer says it is aware of security-related issues from "unaffiliated, compromised websites or databases elsewhere on the internet". "As a result, the ability to change email addresses for Social Club accounts has been temporarily disabled," the developer explains.
"As of writing, Social Club does not require additional e-mail verification when changing your credentials; this means that once your credentials have been sniffed, it is very easy for the perpetrator to change them. All of this can be easily fixed by either encrypting the credentials before storing them, or by storing a hash instead, after authenticating with Social Club servers."