A gaming plug-in installed on over 200 million computers contains a critical flaw that lets attackers steal user data directly from the websites a victim is logged into, according to a security researcher. Affected sites include web mail services as well as social media and networking accounts.

The plug-in in question

The plug-in, created by Unity Technologies, is used by hundreds of thousands of game designers and web developers to produce interactive 3D content and, most commonly, online games. The flaw, which is still being patched at the time of writing, lies in the Unity Web Player, the browser plug-in that displays and runs content built on Unity-based web applications.

Developers and gaming companies use the popular Unity engine to create 3D content across many platforms, including desktop, mobile and gaming platforms and frameworks. The Unity Web Player plug-in is available for all the main-stream browsers: Chrome, Internet Explorer, Safari, Firefox and Opera. The engine is a particular favorite among web developers because of its near-universal compatibility across platforms. Facebook also backs the technology heavily, offering a software development kit for integrating Unity-based games with Facebook's features.

According to numbers taken from Unity Technologies:

The Unity Web Player was installed on over 200 million computers as of March 2013.

Over 700,000 active developers use the technology each month.

Games built on the Unity engine are played by over 600 million gamers around the world.

The flaw in the plug-in

Jouko Pynnönen, a security researcher from Finland, found a way to bypass the cross-domain policy the plug-in enforces, and used it to access websites with the credentials (login session and user data) of the browser in which the victim was logged in.

Normally, the cross-domain policy prevents a Unity-based web application loaded on one domain (an online game on Facebook, for example) from accessing data, content or resources on other websites. The Finnish researcher, however, found a vulnerability that lets a malicious app or script trick the Unity Web Player into allowing requests to other websites.
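To make the policy described above concrete, here is a small added example (not code from the article or from Unity) of what a policy-respecting player is supposed to decide. It assumes, as Unity's own documentation described, that the Web Player consulted a Flash-style crossdomain.xml on the target host; the two sample policies and the domain names are constructed, and the last function is the check a site owner would run on their own policy file.

```python
# Added example: a minimal evaluator for a Flash-style crossdomain.xml, the
# policy file the Unity Web Player consulted on a target host before letting
# a Unity app fetch from it. Both sample policies below are constructed.
import xml.etree.ElementTree as ET

# Constructed sample: admits one game site plus the subdomains of its CDN.
STRICT_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="game.example.net"/>
  <allow-access-from domain="*.cdn.example.net"/>
</cross-domain-policy>"""

# Constructed sample: the wildcard that exposes any logged-in session on this
# host to a Unity app served from anywhere.
OPEN_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="*"/>
</cross-domain-policy>"""


def _pattern_matches(pattern, domain):
    """Match one allow-access-from pattern against the requesting domain.

    Only "*" and a leading "*." are wildcards. The suffix keeps its dot so
    that "*.cdn.example.net" does not match "evilcdn.example.net".
    """
    pattern, domain = pattern.lower(), domain.lower()
    if pattern == "*":
        return True
    if pattern.startswith("*."):
        suffix = pattern[1:]  # ".cdn.example.net", dot included
        return domain.endswith(suffix) and len(domain) > len(suffix)
    return pattern == domain


def allowed_domains(policy_xml):
    """Return the domain patterns a crossdomain.xml grants access to."""
    root = ET.fromstring(policy_xml)
    if root.tag != "cross-domain-policy":
        raise ValueError("not a cross-domain-policy document")
    return [e.get("domain", "") for e in root.iter("allow-access-from")]


def request_allowed(policy_xml, requesting_domain):
    """Would a policy-respecting player let an app from requesting_domain fetch here?"""
    return any(_pattern_matches(p, requesting_domain) for p in allowed_domains(policy_xml))


def is_overly_permissive(policy_xml):
    """Site-owner check: flag a policy that admits apps from any origin."""
    return any(p.strip() == "*" for p in allowed_domains(policy_xml))
```

The bypass the researcher found matters precisely because it sidesteps this decision inside the player, so a tight policy on the target site no longer protects it; the check still catches sites that were open even without the bug.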

To put this to the test, he created a Unity app which, when loaded by the browser plug-in, accessed the user's Gmail account while the user had an active Gmail session. The malicious Unity app was then able to send the emails in the inbox back to the attacker.

The same attack worked against users logged in to Facebook or any other website that relies on login credentials, as long as the Unity Web Player was installed in the browser.

For Chrome users, the immediate workaround is to update the browser: starting with Chrome version 42, Chrome no longer supports such plug-ins. Users of other browsers remain exposed for as long as the plug-in is installed and unpatched.