SEGA has acknowledged allegations that certain Sonic games for Android smartphones and tablets are leaking data, with the Tokyo, Japan-based video game company confirming it is investigating the matter. The supposed vulnerabilities were initially discovered by cybersecurity firm Pradeo, which identified three affected games – Sonic the Hedgehog Classic, Sonic Dash, and Sonic Dash 2: Sonic Boom. The three titles are said to collect geolocation data and device information and then send it to uncertified servers. Pradeo says the information is likely being used for marketing purposes; of the three servers receiving it, two host the Android/Inmobi.D advertisement library, which is widely considered a security threat.
Pradeo identified two critical vulnerabilities in the process SEGA’s Sonic games use to send data to uncertified servers, both of which make interception of such sensitive traffic by malicious third parties a realistic possibility. A number of other security issues were also identified as part of the company’s probe into the three games. Pradeo’s researchers say the encryption used by the software is not as strong as it could be, and that certain vulnerabilities could not only lead to sensitive data ending up in the wrong hands but could also enable denial of service attacks. Between 120 million and 600 million users could have had their data affected by the three games, based on the download estimates shown on their Google Play Store listings. According to the same research, Sonic games from SEGA contain 15 vulnerabilities on average. None of the issues identified by the company appear to affect Sonic Runners Adventure, a new version of SEGA’s autorunner revised and published by Gameloft.
It is presently unclear whether the vulnerabilities discovered by Pradeo are the responsibility of SEGA or of one of its mobile advertising partners. In a statement provided to ZDNet, the company implied the latter scenario is more likely and did not outright confirm the security firm’s findings, saying only that it is in the process of verifying their accuracy. The research itself does not claim that tens or hundreds of millions of users had their data compromised, only that the problematic Sonic games make such a scenario possible.