ANOVERVIEW OF
ONLINE POKER SECURITY
Luigi Auriemma1and Donato Ferrante2
ReVuln
http://revuln.com
info@revuln.com
http://twitter.com/revuln
10 April 2013
Abstract Security research conducted against a set of online poker solu-
tions, highlighting the current status of this lucrative industry.
1 INTRODUCTION
Online Gaming (also known as Online Gambling and iGaming)3is a successfully
growing market, and Online Poker4is its main sector with millions of players all
around the world betting with real money.
Online gaming is a 30 billion US dollar market5, and is highly regulated by
gaming authorities of various countries in order to protect consumers, companies
and its governments by making it transparent and secure. The main objectives of
the gaming authorities are:
Protecting players’ rights
Promoting responsible gaming
Monitoring licensed companies
Deciding the minimal level of security that must be adopted
Collecting taxes on behalf of the governments
Companies that violate the rules, or don’t take appropriate measures for the
security of their systems, may have their license revoked, and in some cases become
sanctioned by the gaming authorities. This means each component of the online
gaming network, client and server side, must be secure.
2 ABOUT THIS RESEARCH
This paper provides a cursory overview of iGaming, and Client Poker Software se-
curity. Also, security vulnerabilities and design issues affecting some of the most
widely used software on the market will be disclosed.
1http://twitter.com/luigi_auriemma
2http://twitter.com/dntbug
3http://en.wikipedia.org/wiki/Online_gambling
4http://en.wikipedia.org/wiki/Online_poker
5http://www.forbes.com/sites/afontevecchia/2012/12/06/
can-online-poker-save-zynga-417b-global-gambling-market-throws-pincus-a-risky-lifeline/
ReVuln - http://revuln.com page 1 of 9
Online gaming companies and players should be aware of potential security
issues in the products they provide and use respectively. The security issues and
information disclosed in this document covers only part of the attack surface for
Online Poker systems.
Software systems from different companies in various countries were examined,
and in this paper we detail three case studies. Some features beyond the scope of
the paper were not tested. Several details of the issues and proof-of-concept have
not been included in this document.
3 THE AUTHORITIES
There are various authorities and commissions that regulate iGaming in a given
country or a set of countries, depending on the license. A full list of these au-
thorities6is available on the International Association of Gaming Regulators (IAGR)
website.
4 THE COMPANIES
The large iGaming market consists of many companies which provide one or more
services for the infrastructure7available to the end user. Companies can provide:
The client and server side software
The network8
Web games for online casino
Additional technology
Websites9, called Skins and Poker Rooms, which are accessed by the players.
Large operators such as PokerStars10 will cover all of the above, and even spon-
sor real poker events and tournaments for professional players11 12. It is quite
common to have an online gaming company that provides the software and the
gaming network.
5 THE SKINS
Understanding the role of Skins is important because a vulnerability in one soft-
ware can affect multiple Skins and millions of players. Players are mistaken to
believe Skins provide the entire infrastructure for the website. Skins also create the
interface and software customization for the players.
6http://www.iagr.org/members/
7http://www.pokerscout.com/IndustryOverview.aspx
8http://www.pokerscout.com/PokerNetworks.aspx
9http://en.wikipedia.org/wiki/Category:Gambling_websites
10http://www.pokerstars.com
11http://www.pokerstars.com/wcoop/
12http://www.pokerstars.com/poker/tournaments/
ReVuln - http://revuln.com page 2 of 9
6 THE CLIENT SOFTWARE
One of the differences between online poker and the rest of the iGaming products is
that it relies on client-side software, which runs directly on the player’s computer13.
The client software is used to improve the players experience and granting them
real-time data over customized protocols adopted by the Poker network.
Additionally the client software allows players to customize the interface, and
the software functions the same way across different platforms (Windows, MacOS
and Linux).
From an external attacker’s point of view, Client Software is interesting to ana-
lyze because it is the only part of the infrastructure which is fully available to an
attacker. In fact, the software is deployed on the end-user systems, and without
performing any unauthorized access to the server-side infrastructure, the security
of these solutions can be analyzed. Serious client software issues include unautho-
rized access to players’ accounts.
7 ATTACK SURFACE
The following sections describe the portion of the attack surface that was covered
for this paper.
7.1 UPDATES
Software updates are very important for this kind of software. All Poker software
must adhere to certain standards, and include an auto-update feature which is the
first action performed by the software launcher. This mechanism can be used by
attackers to inject malicious updates on the player’s system, while the software is
performing the update operation. For example, this can be achieved with insecure
public connections14, compromised connections15, or malware.
Usually the main cause of malicious injection while performing an update is the
lack of SSL connections or lack of digital signatures. Even if an update is signed,
it’s still possible to take control over a victim’s system, as demonstrated by one of
the vulnerabilities found in a particular Client Software that uses digital signatures.
The same consideration above also applies to the installer. The main task of the
installer is to download additional content from the Internet. It doesn’t matter if
the original setup.exe was correctly downloaded over an HTTPS connection from a
trusted website because all of the remaining content downloaded by the installer
from the internet, over HTTP, can be hijacked.
7.2 WAYS USED TO STORE PASSWORDS AND/OR ENCRYPTING FILES
The player’s username and password is usually the only obstacle that keeps an at-
tacker away from a player’s account.
All Poker software allows the password to be automatically saved on the player’s
computer. Insecure implementation of this functionality may not be secure enough
13http://www.pokerscout.com/PokerNetworks.aspx
14Like public Wi-Fi networks, LAN/WAN networks of a company
15For example private Wi-Fi with weak passwords guessed by an attacker, compromised DNS servers
ReVuln - http://revuln.com page 3 of 9
to prevent password leaking. The stored password is often just obfuscated or en-
crypted with fixed keys. Access to registry keys or the configuration file (even
remote access is possible using directory traversal vulnerabilities in other software)
allows attackers to steal stored passwords easily. It’s not easy to grant access to the
network without effectively storing the password, but there are various levels of
password security. For example, there is a difference between obfuscating a pass-
word and encrypting it with an unique key that identifies the computer.
Some companies like PokerStars have adopted RSA tokens16 and PIN17 to in-
crease the security of the authentication mechanism for their Client Software.
7.3 OTHERS
There are many other possibilities to perform attacks against the software. See the
following sections for examples.
8 ISSUES
A number of different security issues were found, and some of them are described in
the following sections. A proof-of-concept video18 for some of the issues is available
on our Vimeo channel19.
8.1 DEP /ASLR /DIGITAL SIGNED EXECUTABLE
The following table gives an overview about DEP,ASLR and Digital Signed Exe-
cutable for the tested solutions:
EXE DLLs
Software ASLR DEP Digital signed ASLR DEP Digital signed
B3W no no yes - - -
Microgaming yes yes no no no no
Playtech yes yes yes no yes no
8.2 BAD UPDATE SYSTEM AND WEAK PASSWORD PROTECTION IN B3W
The client software developed by B3W20 is used in many Skins21 such as Yachting
Poker and PKRaise.
The update mechanism is performed over an insecure HTTP connection to
b3w.fileburstcdn.net where the list of updates and the files are stored without sig-
natures and the EXEs (which are digitally signed) are not verified before their exe-
cution. In this situation at least three types of issues were identified:
Injecting of malicious EXEs, which are executed immediately by the software
for auto-updating itself:
"c:\path\tmp_executable.exe" "c:\path\executable.exe" update
16http://www.pokerstars.com/poker/room/features/security/rsa-token/
17http://www.pokerstars.com/poker/room/features/security/pin/
18http://vimeo.com/63855488
19http://vimeo.com/revuln
20http://www.b3wgroup.com
21http://www.b3wgroup.com/clients/
ReVuln - http://revuln.com page 4 of 9
Figure 1: Yachting Poker launcher in action
Directory traversal that allows any files where the software is installed to be
created or overwritten.
Stack based buffer-overflow while copying the newly generated update link
containing the filename provided by the attacker:
_mbscpy(
stack_buffer ,
" http :// b3w . fi leb urs tcd n . ne t :80/ u pda tes _SK IN / aaa ... aaa "
);
Figure 2: Malicious code executed on the victim’s system
The password is stored in the %APPDATA%\SKIN_NAME\settings.ini file as last_password
and is simply obfuscated, and the following algorithm can be used to read it:
len = hex2 byt e ( pa ssword ) ;
x = passwo rd [0];
for (i = 0; i < ( len - 1) ; i ++) {
pas sword [i ] = p ass word [i + 1] ^ x ;
x = pass wor d [i ] + i ;
}
pas sw or d [i] = 0;
ReVuln - http://revuln.com page 5 of 9
8.3 BAD SIGNED UPDATE SYSTEM AND WEAK PASSWORD PROTECTION IN
MICROGAMING
The Microgaming22 software is available on various important and well known
Skins like Unibet23 and Ladbrokes Poker24.
Figure 3: Microgaming
This software is also an interesting example of a signed update system made in-
effective by the exploiting of a security vulnerability. The digital signature available
at the end of the main update list file which is verified by the software, is stored
as a base64 string. The problem is that the function that decodes the password
doesn’t verify the length of the output stack buffer resulting in a buffer-overflow
that may be used to execute malicious code.
The password stored in the registry key:
HKEY_CURRENT_USER\Software\MGS\Thumper\Casino\SKIN_NAME\key is encrypted
using the same mechanism adopted also for some of the files in the software folder:
SHA1 hash of one of the following keys (the fifth one for passwords)
1. "C75A7F71-797A-11d2-8255-00A02455A490"
2. "AE24F415-C51D-4aa2-9943-C1DD9EA33DFE"
3. "{D545EBD1-BD92-11CF-8772-00A0C9039735}"
4. "Cats know how we feel. They don’t care, but they know."
22http://www.microgaming.co.uk/
23http://www.unibet.com/poker
24http://poker.ladbrokes.com/en
ReVuln - http://revuln.com page 6 of 9
5. "BlindCaffineSubstituteFamousCurtainTrickKingTinHalcyonDaysArapaho"
6. "C75A7F70-797A-11d2-8255-00A02455A490"
Swapping of the 5 DWORDs composing the hash, although only 16 of the 20
bytes available will be used for the encryption
RC4(hash, 16, data, length)
8.4 UNSECURE UPDATE SYSTEM AND PASSWORD PROTECTION IN PLAYTECH
Playtech25 software and its iPoker network 26 are widely used by many Skins. The
most famous are Titan Poker27, William Hill Poker28 and Bet365 Poker29.
Figure 4: Playtech widgetbar injection
The software installation and the updates are handled all via HTTP, but the
signatures of the signed EXEs and DLLs to install are verified. This is good only
partially because all the other files (including HTML files) can be modified with-
out any problems. For example to exploit security vulnerabilities in the software
or redirecting the user on malicious websites. More interestingly is the presence
of EXEs and DLLs that are not digitally signed located in the widgetbar folder. An
attacker can use them to inject malicious code on the software.
The following is a perfect example of an update system implemented incor-
rectly. The password is automatically stored in the registry key:
HKEY_CURRENT_USER\Software\SKIN_NAME\password_new
A key is composed of the hash of the HDSLN value of Windows Genuine Ad-
vantage, plus three values of format, "%ld%ld%ld", are obtained via GetSystem-
Info, where the arguments of this function are dwProcessorType,wProcessorLevel
and wProcessorRevision.
Then the hexadecimal MD5 hash of the key and the first byte of the password
are used to XOR the encrypted keyword:
25http://www.playtech.com
26http://www.ipoker.com
27http://www.titanpoker.com
28http://poker.williamhill.com
29http://poker.bet365.com
ReVuln - http://revuln.com page 7 of 9
len = hex2 byt e ( pa ssword ) ;
x = p asswo rd [0];
for (i = 0; i < ( len - 1) ; i ++) {
pas sw ord [i] = passwor d [i + 1] ^ h ex_hash [ i % 32] ^ x;
}
pas sw or d [i] = 0;
9 ADDITIONAL RESOURCES
The following examples weren’t part of this research but they are a personal work
of one of our researchers30 for his password recovery tools. The following content
can be used to get a better understanding of the algorithms used in the iGaming
software.
Cake Poker31 in the past obfuscated the password inside the registry to XOR
it with an incremental value derived from the CRC of the same password32
while now it’s saved in clear text inside the ".store" files of the CPN\SKIN_NAME
user’s folder.
Full Tilt Poker33 encrypts the password using XOR and a pseudo random
scheme with the initial seed calculated on an unique 16bit value of the system
in use34.
PartyPoker35 uses 3DES CBC with a fixed key and ivec36.
PokerStars37 adopts a particular system for the generation of the unique key
and uses DES CBC for the encryption38.
10 ABOUT REVULN
ReVuln39 is an international company providing various security services ranging
from penetration testing to consulting, from training to vulnerability research and,
last but not least, feeds regarding 0-days security vulnerabilities.
Additionally ReVuln is a Maltese company, and Malta is one of the most impor-
tant countries involved in iGaming40.
11 ACKNOWLEDGMENTS
We would like to thank our friend Salvatore Fresta41 for the additional overview of
the iGaming sector.
30http://aluigi.org
31http://cakepoker.com
32http://aluigi.org/pwdrec.htm#cakepokerpwd
33http://www.fulltiltpoker.com
34http://aluigi.org/pwdrec.htm#fulltiltpwd
35http://www.partypoker.com
36http://aluigi.org/pwdrec.htm#partypwd
37http://www.pokerstars.com
38http://aluigi.org/pwdrec.htm#pokerstarspwd
39http://revuln.com
40http://www.lga.org.mt
41http://salvatorefresta.net
ReVuln - http://revuln.com page 8 of 9
12 REVISION HISTORY
12 April 2013: Version 1.1 released.
10 April 2013: Version 1.0 released.
ReVuln - http://revuln.com page 9 of 9