Menu
KrASIA
News

Vulnerability exposes 10 million transactions at Indonesia’s largest mobile games payment processor Unipin

Written by Georg Ackermann and Yin Lin Tan Published on 

Share
Unipin confirmed the vulnerability, which included usernames, purchase amounts, and email addresses.

A data vulnerability at Unipin, one of the largest payment processors for mobile games in Southeast Asia, briefly exposed roughly 10 million user transaction records from gamers, which included usernames, purchase amounts, and email addresses.

When reached for comment, Unipin confirmed the vulnerability from July 3. However, KrASIA was able to verify its existence from at least as early as July 1. The vulnerability allowed anyone to access data—which did not include sensitive information such as real names, log in, or bank account information—by simply entering a compromised URL address.

KrASIA gained access to the vulnerability on July 1.

“We found a bug that resulted in the accession of a small amount of successful transaction data, such as players’ character names. However, we can ensure that crucial data, for example, customer’s passwords, banking information, or other sensitive data that might jeopardize our user’s privacy, remain safely controlled in the UniPin system,” the spokesperson told KrASIA in the email. “There’s no user’s sensitive data are [sic] being disclosed.”

Garena and NetEase (HKG: 9999), two gaming companies that use Unipin as payment processing partner, declined to comment.

kr asia community

The leak is reminiscent of recent news involving Indonesian e-commerce unicorns Tokopedia and Bukalapak. In those cases, similar transaction records were leaked, then sold online. Taken together, usernames, transaction amounts, and email addresses can be valuable for hackers for reselling to competitors or, more seriously, for social engineering.

Unipin’s vulnerability raises questions about the protections in place at payment processors, who—amid the boom in online gaming—sit on mountains of user data.

“The vulnerability at Unipin becomes an example that the information and data security is a global problem, not only in Southeast Asia,” said Sam Ardi, a cybersecurity expert, who was shown a video of the vulnerability by KrASIA. “Security is not only an issue for young users but also the adult generation. Many people haven’t aware of information and data security, especially related to their accounts.”

According to web analytics portal Similarweb, more than 3 million people visited Unipin in May 2020. The platform collects payments on its website for popular mobile games such as Garena’s Free Fire, Moonton’s Mobile Legends, NetEase’s Rules of Survival, VNG’s King of Fighters, Zlongame’s Dragon Raja, and Tencent’s PUBG Mobile.

Unipin operates in Singapore, Indonesia, the Philippines, Malaysia, Thailand, and India.

Share

You might like these

  • News

    Google faces antitrust scrutiny in Asia after US lawsuit

    By 

    Nikkei Asia

    22 Oct 2020    04:14 AM

KrASIA InsightsKrASIA Insights

  • Uable engages children from age six to 12 in role-playing projects, where the kids imagine themselves as astronauts, detectives, or scientists to solve problems.

    Insights

    Uable cultivates life skills in Indian schoolchildren

    By Avanish Tiwary

    26 Oct 202001:05 AM

Most PopularMost Popular

See All