Online Poker Rooms Fraught With Vulnerabilities
Contributed by: Email on 04/21/2013 05:27 AM
[
Comments
]
In the lucrative world of online gambling, many poker rooms especially those that rely on the user to download a client to play are marred by insecurities.
A recent study conducted by a pair of researchers suggests a number of online gaming companies whose poker clients rely on skins, arent adequately protecting their users while gaming online.
Skins, the customizable Web-based poker rooms that exist on companies websites, dictate what each gaming environment looks like and what protocols can be modified for each user.
According to a paper released on Wednesday, An Overview of Online Poker Security, (.PDF) a vulnerability in one software can affect multiple Skins and millions of players.
Penned by Luigi Auriemma and Donato Ferrante of ReVuln, a security and consultancy firm based on the tiny archipelago of Malta, the document highlights a number of flaws in poker applications.
Auriemma and Ferrante found the main problem with skins lies in the softwares updating infrastructure. The researchers found that the majority of poker client interfaces dont use SSL connections or digital signatures when they download updates; making it easy for an attacker to take control of a users system through compromised connections.
In some cases, some software updates were digitally signed but that didnt stop attackers from targeting the poker software.
Clients with skins developed by B3W, a gaming management system in Malta, were found updating over insecure HTTP, without signatures. On top of that the .EXEs, while signed, werent being verified before they were executed. Since the software auto-updates, attackers could easily infect the .EXEs before users update them.
An Overview of Online Poker SecurityIn addition, a series of stack-based buffer overflow attacks that could open the software up to malicious code execution could also be executed in a handful of other poker rooms, including those who use software by Microgaming, a company based on Isle of Man, an island between the UK and Ireland.
In most cases, the poker software analyzed by the researchers stores usernames and passwords automatically on the players computer, making the software more susceptible to password leaking. The researchers found that in some cases, once they gained access to the registry key or configuration file, they could steal and decrypt users passwords.
The paper does note that some companies like PokerStars have done a good job at security, opting to implement RSA tokens and PINs to bolster the security of its users and combat these problems.
Online gambling is already a multi-billion dollar industry but its poised to explode even more over the next five years. Juniper Research, a British-based analyst service projected last month that as a whole the global online gambling market is slated to reach $45 billion by 2017.
Auriemma has made a name for himself over the past two years or so in the vulnerability research world, mostly for his work digging up supervisory control and data acquisition software (SCADA) bugs. In addition to the ICS bugs, Auriemma and his ReVuln partner, Ferrante, a former RIM researcher have also found flaws in popular gaming platforms like Steam and EA Origin over the last year.
A recent study conducted by a pair of researchers suggests a number of online gaming companies whose poker clients rely on skins, arent adequately protecting their users while gaming online.
Skins, the customizable Web-based poker rooms that exist on companies websites, dictate what each gaming environment looks like and what protocols can be modified for each user.
According to a paper released on Wednesday, An Overview of Online Poker Security, (.PDF) a vulnerability in one software can affect multiple Skins and millions of players.
Penned by Luigi Auriemma and Donato Ferrante of ReVuln, a security and consultancy firm based on the tiny archipelago of Malta, the document highlights a number of flaws in poker applications.
Auriemma and Ferrante found the main problem with skins lies in the softwares updating infrastructure. The researchers found that the majority of poker client interfaces dont use SSL connections or digital signatures when they download updates; making it easy for an attacker to take control of a users system through compromised connections.
In some cases, some software updates were digitally signed but that didnt stop attackers from targeting the poker software.
Clients with skins developed by B3W, a gaming management system in Malta, were found updating over insecure HTTP, without signatures. On top of that the .EXEs, while signed, werent being verified before they were executed. Since the software auto-updates, attackers could easily infect the .EXEs before users update them.
An Overview of Online Poker SecurityIn addition, a series of stack-based buffer overflow attacks that could open the software up to malicious code execution could also be executed in a handful of other poker rooms, including those who use software by Microgaming, a company based on Isle of Man, an island between the UK and Ireland.
In most cases, the poker software analyzed by the researchers stores usernames and passwords automatically on the players computer, making the software more susceptible to password leaking. The researchers found that in some cases, once they gained access to the registry key or configuration file, they could steal and decrypt users passwords.
The paper does note that some companies like PokerStars have done a good job at security, opting to implement RSA tokens and PINs to bolster the security of its users and combat these problems.
Online gambling is already a multi-billion dollar industry but its poised to explode even more over the next five years. Juniper Research, a British-based analyst service projected last month that as a whole the global online gambling market is slated to reach $45 billion by 2017.
Auriemma has made a name for himself over the past two years or so in the vulnerability research world, mostly for his work digging up supervisory control and data acquisition software (SCADA) bugs. In addition to the ICS bugs, Auriemma and his ReVuln partner, Ferrante, a former RIM researcher have also found flaws in popular gaming platforms like Steam and EA Origin over the last year.
Comments
