Days after a report on online security was published, one gaming company, Malta-based B3W Group, said it will implement a fix within a week.
The security flaw was first revealed in a report from vulnerability research company ReVuln, and centred on how online poker games that use offline apps fail to connect using Secure Sockets Layer (SSL). This exposes the data passed between servers to the risk of interception.
B3W is a specialist in gambling software, which includes the development of online poker rooms, also known as skins, for a variety of poker games including Stud, Omaha and Texas Hold’em.
According to the report’s authors, Luigi Auriemma and Donato Ferrante, an analysis of B3W’s poker software shows that software updates occur over an insecure HTTP connection. Furthermore, these updates don’t have digital signatures and contain unverified ‘.exe’ files which are installed on the user’s computer. The user’s password is also very simply obscured and not difficult to reveal.
“Software updates are very important for this kind of software. All Poker software must adhere to certain standards, and include an auto-update feature which is the first action performed by the software launcher,” warns the report. “This mechanism can be used by attackers to inject malicious updates on the player’s system, while the software is performing the update operation. For example, this can be achieved with insecure public connections, compromised connections, or malware.”
In an email to IDG News, B3W director of strategy, AJ Thomson, said that none of its services has been hacked in 12 years of operating online, but that the company takes “our clients’ security extremely seriously”.
Thomson explained that one of the problems with fixing the security flaw in its software is that B3W uses a content delivery network from Fileburst which doesn’t match the digitally-signed security of the software.
“We have therefore decided to move all client updating to our own data centres over SSL using a signed certificate trusted by the poker client code,” he wrote.
However, B3W isn’t the only gaming company named in the report. Microgaming, which bills itself as the world’s largest provider of online gaming software, and Playtech, which runs the iPoker poker platform, are also said to have problems.
The report says that both Microgaming and Playtech have bad signed update systems and weak password protections. Specifically, Microgaming is said to be vulnerable to a buffer overflow attack, while Playtech stores insecure files which could allow an attacker to redirect a player to a malicious website.
Neither of those companies has made a statement about its security flaws.
Online poker players are particularly vulnerable to threats from hackers, as their accounts can often hold up to thousands of dollars.
In September last year, Naked Security reported that an online poker player with the handle _MicahJ_ had over $115,000 in poker winnings emptied out of his account by malicious software over three days.
And in 2011, hacker Ashley Mitchell, 29, received two years in jail for stealing $12m worth of online poker chips from the gaming site Zynga.