Lock Poker casino software exposing players’ usernames and passwords

lock-poker-security-flawNews broke Sunday of a serious security flaw at Lock Poker that enables customers’ usernames and passwords to be visible in plain text to anyone who accesses the site’s Flash casino software. The upshot is that all the info necessary for anyone to access a user’s sensitive account data was readily available via the user’s browser history and cache. The same info was also stored unencrypted on Lock’s system, meaning Lock employees would have had UB-style access to customer data. The alarming breach in security was revealed on the 2+2 online poker forums by a poster using the handle ‘Deafeye’, who described his or her findings thusly:

After you log into locks casino, right click and hit view source (on the non-flash part). You will be shocked to see your password in plain text inside the source. No encoding, no encryption, just plain text. It also means they store your password in plain text for anyone on the lock team to see.

Even more alarming, Deafeye claims to have informed Lock of the danger this flaw posed to their customers “back in June of ’11.” At the time, Deafeye was told Lock would “get right on it.” As nothing appeared to have been done since that time to fix the breach, Deafeye decided to go public. Some time after the thread was created, Lock Poker room manager ‘LockRizen’ posted the following in the Lock Poker forum on 2+2:

RTG (the casino side) pushed an update that broke our encryption, we have since pushed a software update out that fixes this. When it was originally reported (what OP in original thread is referring to) we fixed it and then when this new update was pushed it broke it again. We have taken steps to ensure that future updates won’t cause this to happen again. No one should be seeing it anymore, and if for some reason someone does please let me know about it ASAP so I can have the appropriate people look at it.

Lock has been something of a security train wreck in the past year, having endured a scandal last August involving one of their Lock Pros, José ‘Girah’ Macedo. Among other transgressions, Macedo was discovered to have been the beneficiary of a $100k chip-dump that allowed him to claim the Bluff/Lock Poker Challenge title. As with this latest scandal, it was alert players who caught Macedo’s cheating, not Lock. In fact, Lock Poker boss Jennifer Larson claimed Lock had performed an audit just after the Challenge that somehow failed to discover evidence of the blatant chip-dump, although they eventually cut Macedo loose when it became clear that their attempts to dodge the issue weren’t working.