6 THE CLIENT SOFTWARE
One of the differences between online poker and the rest of the iGaming products is
that it relies on client-side software, which runs directly on the player's computer[13].
The client software is used to improve the player's experience and to grant them
real-time data over customized protocols adopted by the Poker network.
Additionally, the client software allows players to customize the interface, and
the software functions the same way across different platforms (Windows, MacOS
and Linux).
From an external attacker's point of view, Client Software is interesting to analyze
because it is the only part of the infrastructure which is fully available to an
attacker. In fact, the software is deployed on the end-user systems, so the security
of these solutions can be analyzed without performing any unauthorized access to
the server-side infrastructure. Serious client software issues include unauthorized
access to players' accounts.
7 ATTACK SURFACE
The following sections describe the portion of the attack surface that was covered
for this paper.
7.1 UPDATES
Software updates are very important for this kind of software. All Poker software
must adhere to certain standards and include an auto-update feature, which is the
first action performed by the software launcher. This mechanism can be used by
attackers to inject malicious updates on the player's system while the software is
performing the update operation. For example, this can be achieved over insecure
public connections[14], compromised connections[15], or via malware.
Usually the main cause of malicious injection while performing an update is the
lack of SSL connections or the lack of digital signatures. Even if an update is signed,
it's still possible to take control of a victim's system, as demonstrated by one of
the vulnerabilities found in a particular Client Software that uses digital signatures.
The same consideration also applies to the installer. The main task of the
installer is to download additional content from the Internet. It doesn't matter if
the original setup.exe was correctly downloaded over an HTTPS connection from a
trusted website, because all of the remaining content downloaded by the installer
from the Internet, over HTTP, can be hijacked.
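As an added example (not code from the paper or from any vendor's client), the following Python shows the installer-side check that is missing in the scenario above: each additional component is pinned to a SHA-256 digest carried in a manifest, and plain-HTTP sources are refused. It assumes the manifest itself arrived authenticated with the setup package (signed, or inside the HTTPS-fetched setup.exe); the component names, URLs and payload bytes are constructed for the example.

```python
import hashlib
import hmac
from urllib.parse import urlparse

# Constructed manifest: component name -> (download URL, expected SHA-256 hex).
# Assumption: this table was delivered authenticated with the setup package,
# so its digests are trusted; anything fetched afterwards must match them.
MANIFEST = {
    "tables.dat": ("https://updates.example/poker/tables.dat",
                   hashlib.sha256(b"table layout v2").hexdigest()),
    "skin.zip": ("http://updates.example/poker/skin.zip",      # plain HTTP
                 hashlib.sha256(b"skin bundle").hexdigest()),
}


class UpdateRejected(Exception):
    """Raised when a downloaded component must not be installed."""


def check_source(name: str, manifest: dict = MANIFEST) -> str:
    """Return the download URL for `name`, refusing non-HTTPS sources."""
    if name not in manifest:
        raise UpdateRejected(f"{name}: not listed in manifest")
    url, _ = manifest[name]
    if urlparse(url).scheme != "https":
        raise UpdateRejected(f"{name}: refusing non-HTTPS source {url}")
    return url


def verify_payload(name: str, data: bytes, manifest: dict = MANIFEST) -> bool:
    """True only if `data` hashes to the digest pinned for `name`."""
    if name not in manifest:
        raise UpdateRejected(f"{name}: not listed in manifest")
    _, expected = manifest[name]
    actual = hashlib.sha256(data).hexdigest()
    # compare_digest: constant-time comparison of the two hex digests
    return hmac.compare_digest(actual, expected)


def install_component(name: str, data: bytes, manifest: dict = MANIFEST) -> bytes:
    """Gatekeeper: verify fully in memory, return the bytes only if they pass.
    The caller writes to disk only after this returns, so a hijacked download
    never reaches the install directory."""
    check_source(name, manifest)
    if not verify_payload(name, data, manifest):
        raise UpdateRejected(f"{name}: hash mismatch, download may be hijacked")
    return data


def accepted(name: str, data: bytes, manifest: dict = MANIFEST) -> bool:
    """Convenience wrapper: True if the component would be installed."""
    try:
        install_component(name, data, manifest)
        return True
    except UpdateRejected:
        return False
```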
7.2 WAYS USED TO STORE PASSWORDS AND/OR ENCRYPT FILES
The player's username and password are usually the only obstacle that keeps an
attacker away from a player's account.
All Poker software allows the password to be automatically saved on the player’s
computer. Insecure implementation of this functionality may not be secure enough
[13] http://www.pokerscout.com/PokerNetworks.aspx
[14] Like public Wi-Fi networks, LAN/WAN networks of a company
[15] For example private Wi-Fi with weak passwords guessed by an attacker, compromised DNS servers
ReVuln - http://revuln.com page 3 of 9