A Study In Success: Testing MovieStarPlanet 2
12 August 2020
We consider ourselves lucky to be able to do work we're passionate about in an industry we love. For the entire Cyrex team, working with video games has been a lifelong ambition and seeing our cybersecurity and development skills succeed in making games and online spaces safer for players and developers alike is when we're at our most fulfilled in what we do. We take pride in every gaming project we work on and every partnership we form, but every now and then one particular job comes along that really reminds us of how much we love doing what we do. When that happens, we just have to talk about it!
For us, that job was our recent penetration testing project with indie mobile games developer MovieStarPlanet on their upcoming game MovieStarPlanet 2. It can be rare to find developers that take gaming security systems as seriously as we do - this is only logical, considering security is exactly what we do! Without a strong background in security, it can be so easy to forget how essential strong systems and code are in protecting players, profits, continuity, and IP. MovieStarPlanet are a developer that doesn't shy away from facing security head-on, and that made them a joy to work with from day one.
MovieStarPlanet have been releasing engaging, social mobile games for young audiences for over ten years. Their roster of games includes the self-titled MovieStarPlanet, a fashion, chat, and social media game for teens and older children, and BlockStarPlanet, a multiplayer online worldbuilding sandbox game where players craft their own worlds and visit other players to share creative ideas.
Their games have registered over 400 million downloads to date and regularly clock up over 8 million monthly users. With such a large number of regular gamers playing their games, and with so many players being of a younger demographic, MovieStarPlanet put a huge emphasis on strong security systems to ensure their audience is always safe and protected.
Working On MovieStarPlanet 2
Our work with MovieStarPlanet began as their newest title, MovieStarPlanet 2, was nearing the end of its development cycle. As a developer with over a decade of experience in games development, and therefore coding security systems, MovieStarPlanet were confident in the general infrastructure of their new application but, cautious and thorough as they are, sought our help to run an independent check on the game's overall security welfare.
As developers ourselves, we have a native familiarity with how games are built and coded. And having built countless applications in-house both for ourselves and for clients, we are well aware of how overexposure to a particular codebase or project can make even the best developers blind to potential errors. We believe firmly in the value of a fresh pair of eyes and how an external observer can often pick up something easily overlooked by those toiling over it day in, day out.
We were fortunate to come along towards the close of the initial development process, which allowed us a complete overview of the game and its infrastructure as it was intended to be released. While it is sometimes advisable to introduce an in-house security team from the very start of the development process, it can be far more cost effective to have a professional team perform a full audit once development is complete. MovieStarPlanet had the foresight to realise that potential issues, however unlikely, were possible and to take proactive action to seek them out.
What We Found
After an intensive two-week active penetration testing cycle, our pair-hacking teams found a total of 38 potential security issues in MovieStarPlanet 2 - 16 of which MovieStarPlanet deemed 'critical'.
Among the issues found were:
- Business logic flaws
- Access control flaws
- Session management issues
- HTML injection issues
- Denial of service threats
- Open redirections
- Frame injection points
Having found these flaws in adequate time before open beta began, MovieStarPlanet - with the help of Cyrex - were able to solve all issues in a matter of weeks.
What MovieStarPlanet Have To Say
“Discovering these issues early has probably saved us a ton of dollars and headaches fighting hackers and corrupted data. We were really impressed by the skills Cyrex proved to hold. We hire people to create stuff and creators don't necessarily have that "criminal mind-set" that Cyrex clearly do. We will continue to work with Cyrex in the future, simply because it's a good business case with a great ROI.” - Caspar Strandbygaard, CTO