In the lucrative world of online gambling, many poker rooms – especially those that rely on the user to download a client to play – are marred by insecurities.
A recent study conducted by a pair of researchers suggests a number of online gaming companies whose poker clients rely on “skins,” aren’t adequately protecting their users while gaming online.
“Skins,” the customizable Web-based poker rooms that exist on companies’ websites, dictate what each gaming environment looks like and what protocols can be modified for each user.
According to a paper released on Wednesday, “An Overview of Online Poker Security,” (.PDF) “a vulnerability in one software can affect multiple Skins and millions of players.”
Penned by Luigi Auriemma and Donato Ferrante of ReVuln, a security and consultancy firm based on the tiny archipelago of Malta, the document highlights a number of flaws in poker applications.
Auriemma and Ferrante found the main problem with “skins” lies in the software’s updating infrastructure. The researchers found that the majority of poker client interfaces don’t use SSL connections or digital signatures when they download updates; making it easy for an attacker to take control of a user’s system through compromised connections.
In some cases, some software updates were digitally signed but that didn’t stop attackers from targeting the poker software.
Clients with skins developed by B3W, a gaming management system in Malta, were found updating over insecure HTTP, without signatures. On top of that the .EXEs, while signed, weren’t being verified before they were executed. Since the software auto-updates, attackers could easily infect the .EXEs before users update them.
In addition, a series of stack-based buffer overflow attacks that could open the software up to malicious code execution could also be executed in a handful of other poker rooms, including those who use software by Microgaming, a company based on Isle of Man, an island between the UK and Ireland.
In most cases, the poker software analyzed by the researchers stores usernames and passwords automatically on the player’s computer, making the software more susceptible to password leaking. The researchers found that in some cases, once they gained access to the registry key or configuration file, they could steal and decrypt users’ passwords.
The paper does note that some companies like PokerStars have done a good job at security, opting to implement RSA tokens and PINs to bolster the security of its users and combat these problems.
Online gambling is already a multi-billion dollar industry but it’s poised to explode even more over the next five years. Juniper Research, a British-based analyst service projected last month that as a whole the global online gambling market is slated to reach $45 billion by 2017.
Auriemma has made a name for himself over the past two years or so in the vulnerability research world, mostly for his work digging up supervisory control and data acquisition software (SCADA) bugs. In addition to the ICS bugs, Auriemma and his ReVuln partner, Ferrante, a former RIM researcher have also found flaws in popular gaming platforms like Steam and EA Origin over the last year.
