Corporate Clash Security Incident Disclosure (April 9th, 2024)

Posted on by The Corporate Clash Crew

On April 4th, 2024, we were alerted to a security incident which may have led to some personal data being transmitted to an unauthorized 3rd party. 

Our servers have not been breached, and your emails/passwords have not been leaked. We have no reason to believe the leaked data were recorded or processed by the 3rd party, or that they are malicious to Corporate Clash players.

This blog post will cover what we know, our next steps, and what you should be aware of.

What We Know

(All times in this blog post are in UTC)

On April 4th at 23:30, we received an anonymous report of a security vulnerability on our website, https://corporateclash.net. One of the libraries we used on the website, Datadog RUM, was misconfigured and sent personal information to a 3rd party we don't control.

After our investigation, we have no reason to believe that malicious actors were in play, nor do we think critical personal data, such as emails and passwords, have been leaked as part of this incident. We also believe the 3rd party did not store or process the data transmitted to them, as they were a domain parking service with thousands of other parked domains, which was likely unaware of the vulnerability and was not targeting us specifically.

If you accessed our website between March 29th, 2024 and April 4th, 2024, you are likely affected. If you have not visited the site (e.g. you only logged into the game via our launcher) between these times, you are not affected. The data was transmitted from your browser to the unauthorized 3rd party.

Personal information transmitted to this 3rd party includes:

  • A unique identifier generated by the Datadog RUM Library to uniquely identify browsing sessions; this is random, and is regenerated after 15 minutes of inactivity.
  • Your IP address
  • Your device brand, type, model
  • Your OS / Browser version
  • Your connectivity setup (e.g. 4G / 5G speeds, Wi-Fi / Wired)
  • Your geographical location, based on your IP address

(Note: When you visit any website on the internet, you transmit similar sets of personal information to the operator of the websites.)

How you interacted with our website (e.g. clicks and mouse movements) was also transmitted, but no personal information is contained within, and sensitive input is stripped in your browser before transmission.

We are working on measures to prevent similar mistakes from happening again; we have updated the website to strengthen our security posture.

We have also decided to completely remove the Datadog RUM library, as we have no need for its features.

Under the legislation of North Carolina, where our non-profit is based, this incident is not considered a "data breach" and does not need to be reported, but we are choosing to voluntarily report this incident to both the authorities and all players via available means, as part of our commitment to user safety and transparency.

What You Should Be Aware Of

You do not need to do anything related to the incident.

Even though we have no reason to believe any uniquely-identifying personal data have been transmitted as part of the incident, ensuring you are up-to-date on the latest cybersecurity practices is always a good idea. Here is some advice on how to stay secure online:

  • Use a strong password, or better yet, use a Password Manager to create unique passwords for each site you sign up to. We recommend Bitwarden and 1Password as your password manager.
  • Don't use the same password across multiple websites. Using a password manager can help you with this.
  • Use Multi-Factor authentication for sites that support it. We recommend Authy for this purpose.
    • While we currently do not support MFA apps such as Authy, make sure to have ToonStep enabled for your account, which will cause the system to send a verification email whenever you log into the website or the game from a new location.
  • Do not share accounts. Sharing accounts increases the chance of your account details being leaked.
  • Only install software from reputable sources, such as the App Store of your operating system.
  • Keep your operating system and software up-to-date, and avoid using end-of-life software.
  • Do not click on links or open attachments from senders you don't recognize, or if the content of the message seems suspicious. If it is too good to be true, it likely is.

Closing and Acknowledgements

We would like to sincerely apologize for the incident. We take user trust very seriously, and in this instance, we failed to uphold the trust that players like you have bestowed upon us. We will take in the lessons learned in this incident and make Corporate Clash a safe environment for all.

If you would like to help improve the security at Corporate Clash, we are recruiting TechOps Engineers to join our volunteer team. If you spot a security vulnerability, you can report it to us by emailing security@corporateclash.net. 

FAQs

1. What happened?

There was a security incident related to the Corporate Clash website. Due to a configuration error, the website was transmitting personal data to an unauthorized third party.

2. Who is affected?

Anybody who visited our website between 29th March, 2024 and 4th April, 2024 is affected. If you have not visited the website during this time (e.g. if you only logged into the game via the launcher), you are not affected.

3. What kind of personal data was transmitted?

Personal information transmitted to this 3rd party includes:

  • A unique identifier generated by the Datadog RUM Library to uniquely identify browsing sessions; this is random, and is regenerated after 15 minutes of inactivity.
  • Your IP address
  • Your device brand, type, model
  • Your OS / Browser version
  • Your connectivity setup (e.g. 2G / 3G / 4G / 5G, Wi-Fi / Wired)
  • Your geographical location, based on your IP address

(Note: When you visit any website on the internet, you transmit similar sets of personal information to the operator of the websites.)

How you interacted with our website (e.g. clicks and mouse movements) was also transmitted, but no personal information is contained within, and sensitive input is stripped in your browser before transmission.

More information on exactly what was transmitted can be found here.

4. Was my email / password leaked?

No. No emails or passwords have been leaked by this incident.

5. Was the incident malicious?

No. It was caused by a configuration mistake on our end, and we have no reason to believe the unauthorized 3rd party had malicious intent towards our players.

6. Do I need to do anything?

You do not need to do anything. Our investigations indicate that no critical personal information (e.g. emails / passwords) was transmitted to the unauthorized 3rd party. We do not collect other types of personal information such as names, gender or date of birth.

7. Why did it take 5 days for the incident to be disclosed?

In accordance with Responsible Disclosure policies, we reported the vulnerability to Datadog first so that they have a chance to assess and fix the issue. While we fixed the issue on our side straight away and started preparing communications, we had to wait for Datadog to respond to us first before taking any action.

Technical Details

The following section is made available for interested parties (such as players and security researchers) where we discuss the technical details of the vulnerability. Sheriff Cranky, Technical and Community Lead, has his own writeup of the incident which you can read here.

Datadog RUM is a service that allows us to understand how players use our website by recording mouse movements and clicks and constructing a re-enactment for us to spot anti-patterns and accessibility issues, as well as reporting application errors on our website. It was introduced in 2020 but we have not been leveraging its data as of 2024.

For the service to work, we bundle the @datadog/browser-rum library into our site JavaScript code. We then configure the various parameters, including what data to log and where to send the data to. Different countries have different data retention / governance laws, so Datadog operates different instances (which they call "sites" - this will be important later on) around the globe, and the site URLs are well-known. When setting up Datadog RUM, operators need to specify the Datadog site they wish to send the data to; the library then takes the site domain and prefixes it with browser-intake- (notice the hyphen) to form the final domain that the library will send the data to. Normally, the data should be sent to https://browser-intake-datadoghq.com, but a configuration error introduced on December 24th, 2023 caused the data to be sent to https://browser-intake-corporateclash.net instead, which is a domain we do not control.

This is the configuration that introduced the vulnerability:

datadogRum.init({
  applicationId: 'APP_ID',
  clientToken: 'CLIENT_ID',
  site: 'corporateclash.net', // <- pay attention to this line
  sessionSampleRate: 100,
  sessionReplaySampleRate: 100,
  trackResources: true,
  trackLongTasks: true,
  trackUserInteractions: true,
  version: "STUB_HASH",
  env: "production",
  service: "corporateclash.net",
});

Pay attention to line 4, which specifies a site parameter. Operators may assume site means the site Datadog is monitoring, but it actually means the Datadog instance to send user data to. Here, the site variable was mistaken for the site the Datadog RUM data is about, and corporateclash.net was put in instead. Even though the intake domains are well-defined, and the library even contains constants listing the legal intake domains, the Datadog library performed no check for arbitrary site domains and happily sent the data to browser-intake-corporateclash.net. This is a footgun with the potential to create security vulnerabilities, and it was the root cause of this incident.

This vulnerability has been reported to Datadog but they do not consider this as a security vulnerability. We continue to be in dialogue with Datadog.

There was another protection mechanism that could have stopped the data transmission but was found not to be in use at the time: Content Security Policy (CSP). Modern browsers implement this security measure, which lets a site instruct the browser exactly which domains it may load resources from or connect to. By locking down the CSP to only allow the browser to contact trusted domains like browser-intake-datadoghq.com, requests to unauthorized sites such as browser-intake-corporateclash.net would have been blocked by the browser. We have rolled out a rudimentary set of policies to guard against similar mistakes; however, due to the age of the website codebase, we were not able to apply all industry-recommended settings. We have been working on a new website for some time now, and will accelerate the progress in order to retire the current website more speedily.
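The two defences discussed above (an allow-list on the site parameter, and a CSP that confines outbound connections) as an added example; this is not Corporate Clash's or Datadog's code. The Datadog site list is taken from Datadog's public documentation and should be verified against the current docs, and the intake hostname is derived exactly as the post describes (prefixing the site with browser-intake-), which is a simplification of the real library.

```javascript
// Added example: two checks that would each have caught the misconfiguration.

// Datadog's public intake sites (assumption: copied from Datadog docs; verify).
const KNOWN_DATADOG_SITES = [
  'datadoghq.com', 'us3.datadoghq.com', 'us5.datadoghq.com',
  'datadoghq.eu', 'ap1.datadoghq.com', 'ddog-gov.com',
];

// Derives the intake host the way the post describes, but refuses any value of
// `site` that is not a Datadog instance instead of silently prefixing it.
function intakeHostFor(site) {
  if (!KNOWN_DATADOG_SITES.includes(site)) {
    throw new Error(`refusing to send RUM data to non-Datadog site: ${site}`);
  }
  return `browser-intake-${site}`;
}

// Minimal CSP evaluator for the connect-src directive (falls back to
// default-src). Handles host sources, "*." wildcards, 'self' and 'none';
// scheme-only sources and paths are not handled. Not a full CSP parser.
function cspAllowsConnect(cspHeader, url, pageOrigin) {
  const directives = cspHeader.split(';').map((d) => d.trim().split(/\s+/));
  const sources = directives.find((d) => d[0] === 'connect-src')
    || directives.find((d) => d[0] === 'default-src');
  if (!sources) return true; // no applicable directive: browser allows it
  const target = new URL(url);
  const self = new URL(pageOrigin);
  return sources.slice(1).some((src) => {
    if (src === "'none'") return false;
    if (src === "'self'") return target.origin === self.origin;
    if (src === '*') return true;
    const host = src.replace(/^https?:\/\//, '').split('/')[0];
    if (host.startsWith('*.')) return target.hostname.endsWith(host.slice(1));
    return target.hostname === host;
  });
}

// Constructed policy: the page origin plus the single legitimate intake host.
const EXAMPLE_CSP =
  "default-src 'self'; connect-src 'self' https://browser-intake-datadoghq.com";
const PAGE_ORIGIN = 'https://corporateclash.net';
```

With EXAMPLE_CSP in place, a request to https://browser-intake-corporateclash.net is rejected while https://browser-intake-datadoghq.com is allowed, and intakeHostFor('corporateclash.net') throws before any request is built.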

We are on the lookout for talented web developers in the JS/TS/Node.js space; if this sounds interesting to you, please apply as a Web Developer.

Timeline (UTC)

2023-12-24: The misconfiguration was introduced into the codebase

2024-03-29: The domain browser-intake-corporateclash.net was registered by a domain parking company

2024-04-04 23:45: We were notified of the security vulnerability. Investigations began almost immediately

2024-04-04 23:55: We identified the root cause of the vulnerability 

2024-04-05 00:30: The fix to rectify the misconfiguration was released, and RUM data were being sent to the correct domain again

2024-04-05 00:40: We reported the issue to Datadog

2024-04-05 13:50: We made the decision to completely remove Datadog RUM from our website, and the changes for this were deployed

2024-04-08 21:20: Datadog replied to our email, and did not consider our report to be a security vulnerability