Stolen Riot Points and Influence Points returned to owners

Feb 3, 2015 10:50 GMT

A bug has been found in the League of Legends store that allows a user to access content straight from the web browser, without having to authenticate.

Normally, the game's store is reached straight from the game client, and the user has to be logged in to complete any transaction. The current vulnerability, however, permits reaching the store from the web browser, relying on the Summoner ID of the target.

Riot learned quickly about the problem and started to solve it

A victim of such an attack could lose the IP (Influence Points) accumulated during gameplay and the RP (Riot Points), which are obtained by spending money. Both can be used to improve the game through added benefits, such as unlocking new champions with different abilities.

The Riot public API can be used to search for a Summoner name in order to retrieve the ID necessary to enter the game store via the web browser. Some users employ the same string for both the summoner name and the username, which would make it easier to find their ID through the API.
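The class of flaw described above, where an identifier that anyone can look up is enough to reach the store, is sketched here next to a session-bound check. This is an added example, not Riot's code: Riot did not publish technical details, so the function names, the token format and the sample balances are all assumptions constructed for illustration.

```python
import hashlib
import hmac

# Constructed sample data; key, IDs and balances are hypothetical.
SERVER_KEY = b"constructed-demo-key"
BALANCES = {1001: {"rp": 500, "ip": 3200}, 1002: {"rp": 0, "ip": 150}}


def _mac(account_id: str) -> str:
    return hmac.new(SERVER_KEY, account_id.encode(), hashlib.sha256).hexdigest()


def issue_session(account_id: int) -> str:
    """Issued only after a successful login; binds the session to one account."""
    return f"{account_id}.{_mac(str(account_id))}"


def session_account(token):
    """Return the account a token was issued for, or None if missing or forged."""
    if not token or "." not in token:
        return None
    claimed, mac = token.split(".", 1)
    if not hmac.compare_digest(mac.encode(), _mac(claimed).encode()):
        return None
    return int(claimed) if claimed.isdigit() else None


def spend_unsafe(summoner_id: int, rp: int) -> bool:
    """Flawed pattern: a client-supplied, publicly discoverable ID selects the wallet."""
    wallet = BALANCES.get(summoner_id)
    if wallet is None or rp <= 0 or wallet["rp"] < rp:
        return False
    wallet["rp"] -= rp
    return True


def spend_checked(token, summoner_id: int, rp: int) -> bool:
    """Hardened pattern: the wallet owner comes from the verified session, and a
    request that names any other account is refused."""
    owner = session_account(token)
    if owner is None or owner != summoner_id:
        return False
    return spend_unsafe(owner, rp)
```

The ID stays a lookup key only; what authorizes the transaction is a server-issued token that the caller cannot derive from the public API.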

A representative of Riot Games, the game maker, posting under the alias Riot_Hawknet, addressed the issue on Reddit, saying in an initial message that he could not disclose any details about the exploit but that the matter was on its way to getting fixed.

No Riot Point or Influence Point losses incurred by the gamers

“When dealing with exploits like this, we generally don't discuss technical details to avoid giving away any unnecessary information to folks that would take advantage,” the representative said.

He added that Riot had the means to find out who fell victim to such an attack, and said that all RP/IP lost as a result of the intrusion would be returned to its rightful owners.

Given that the store is also used to exchange cash for different game benefits, some feared that their payment information could somehow be learned by the attacker.

However, Hawknet assured everyone that this was not the case and that personal information like credit card numbers was not exposed.

In a later post on Reddit, the Riot representative informed League of Legends players that the developers had found the problem and corrected it. No further details about the exploit, the number of gamers affected or the attackers have been provided.