A string of hacks has revealed the existence of an exploit targeting League of Legends players, which allows the attackers to open up the game’s store from a web browser and initiate transactions paid with a user’s Riot Points (RP) and Influence Points (IP), two of the in-game currencies.
What the attacker has to know is the gamer’s ID and a session token. Here’s a demonstration of the exploit:
First flagged in a discussion on Reddit, the effectiveness of the exploit has been confirmed by a Riot Games spokesperson, who said that they are working on fixing it.
“We can’t speak to the specifics of the exploit or the explanations fellow Redditors have been offering. What we can say is that we can see everyone who was hit by an attack, and we’ll be returning all RP/IP that was lost,” the spokesperson explained, then made sure to note that this exploit didn’t expose any personal information like credit card numbers, and that this issue is not the same one that was identified and flagged two years ago.