Jouko Pynnönen, a security researcher from Finland, has uncovered a security flaw within the Unity Web Player plug-in that could make hundreds of millions of gamers vulnerable to having their data stolen from any website they happen to logged into at the time, including webmail and social media accounts.
The Unity Web Player plug-in is designed to allow browsers to display and run game content in web applications; a popular choice, thanks to its flexible compatibility across domains, and is even endorsed by Facebook, which has its own software development kit for Unity-based games within the social networking site.
According to Unity Technologies, over 200 million people have Unity Web Player installed on their computers, and is used by over 700,000 active developers on a monthly basis, leaving a huge chunk of the world’s population at risk of having their details stolen.
Pynnönen built a Unity app to test the plug-in’s integrity. When the app was loaded up by the plug-in, it could access the Gmail account that was open in the browser, and was even able to forward e-mails to another account through the plug-in.
Thankfully, Chrome users running version 42 of the browser are protected from the vulnerability. Users of other browsers are advised to either use Chrome version 42 or uninstall the Unity Web Player until the problem is patched.
Thank you Lifars for providing us with this information.
Image courtesy of PC World.
A great many thanks for posting this bulletin as well as the source reference!
There is another article that explains all this with examples to understand, and includes a link to actually test the vulnerability in your own browser too.
Link: http://www.securityweek.com/flaw-unity-web-player-allows-theft-personal-data-researcher
After understanding this situation as a Unity game player who only has 1 browser game using that plugin, and for which that game has a well established user base, I will consider myself safe but will now second guess any other Unity browser game I might want to try out. Oh, the game is question is Ballistic distributed by Rumble Entertainment via Kongregate website.
Keep Calm and Stay Safe!™