At least 200 million computers have been exposed to potential attacks amid the discovery of a flaw within the Unity plug-in used for gaming.
The plug-in flaw was found by a researcher based in Finland and accordingly it allows the bad actors to scrape off a user’s confidential data while he or she is logged in to a website, including email like Gmail and Yahoo Mail, and social media accounts like Facebook and Twitter.
Here’s why the impact of this vulnerability needs to be taken seriously. A great deal of developers, some hundreds of thousands of them, are relying on the Unity plug-in to create online games, meaning that there is a great chance that most of the games you have grown fond of playing use this kind of plug-in. This gaming tool is installed in browsers for you to be able to gain access to the Web-based apps and games.
Developers are also able to develop three-dimensional content that is compatible with various mobile devices and computer platforms, browsers and gaming consoles. So this vulnerability is not only affecting PCs but other platforms as well.
In fact, there are more than 700,000 monthly active developers who are using the plug-in to develop games for more than 600 million users all over the world. Those figures are enough to trigger the alarm over this vulnerability.
The plug-in implements a cross-domain policy that allows access to other websites for an active user. It is designed to actually block a Unity application from gaining access to tools from other websites. Recently, the Finnish researcher found a way to get past this policy, a vulnerability that enables malicious apps to grant access to third-party websites without the user’s knowledge.
For example, your Gmail account can be accessed if you are in an active session with the email service and your data will be transmitted furtively to the third-party prying eyes. The same thing can happen with your Facebook account, for instance, if have the Unity Web Player installed in your system.
Some browsers could prevent the plugin from starting automatically without permission. Others could allow it. Luckily for users of Chrome version 42, the attack does not work. Vulnerable browsers appear to be plagued by the use of the old Netscape Plugin Application Programming Interface which could allow the plug-in to run automatically.
Until the findings went public, Unity had not heeded the researcher’s call for a patch to the flaw. A fix is in the works, according to Unity.
