Researchers find vulnerabilities in online poker applications

A review of poker applications shows that many suffer security flaws, putting players at risk of attack, according to a Malta-based security company.

Luigi Auriemma and Donato Ferrante of ReVuln, which is a consultancy that does vulnerability research, focused their analysis on poker clients downloaded by players in order to game.

The software clients interact with so-called “skins,” or online poker rooms run on gaming companies’ websites. “A vulnerability in one software can affect multiple skins and millions of players,” they wrote.

Online poker differs from other types of online gambling since players must download the software client, which improves players’ experiences and provides real-time data over customized protocols.

“From an external attacker’s point of view, client software is interesting to analyze because it is the only part of the infrastructure which is fully available to an attacker,” Auriemma and Ferrante wrote.

Most of the online poker clients include a software update feature that is the first action performed when the applications are started. But the researchers found updates delivered without using Secure Sockets Layer (SSL) encryption or digital signatures. Even if an update is signed, they found it was still possible in some cases to take over control of a person’s computer.

Gaming software usually just requires a username and password to access an account, although some companies have moved to using two-factor authentication. The gaming company PokerStars does use RSA tokens and a PIN to increase security in its software clients, the researchers noted.

But other software programs allow gamers to save the password on their computer, although the way in which that is done may not prevent it from being leaked, they wrote.

An analysis of poker software developed by the company B3W Group in Malta found that it updates the software over an insecure HTTP connection. The updates are stored without digital signatures, and “.exe” files are not verified before they are installed, they wrote. The player’s password is also very simply obfuscated and can be obtained.

Software made by Microgaming, based on the Isle of Man, which is used in poker skins run by gaming companies including Unibet and Ladbrokes Poker, is vulnerable to a buffer overflow attack, Auriemma and Ferrante wrote.

Playtech, which supplies poker software used by Titan Poker, William Hill Poker and Bet365 Poker, does verify the digital signatures for dynamic link libraries and executable files, they wrote. But all of the other files it installs can be modified, which could allow an attacker to redirect a player to a malicious website. The software companies could not be immediately reached for comment.

Send news tips and comments to jeremy_kirk@idg.com. Follow me on Twitter: @jeremy_kirk