Revuln reveals online poker software vulnerabilities

Client-side software is the Achilles' heel of online poker security, according to digital security consultancy Revuln. The Revuln team did some probing of online poker network software, including Playtech's iPoker, MPN (Microgaming) and Malta-based B3W, looking for tiny digital signs saying 'hack me'. Revuln singles out client-side software as the weakest link in every network's security chain because it is "the only part of the infrastructure which is fully available to an [external] attacker": the operator controls its servers, but the client runs on a machine, and over a network, that the attacker may already control.

In an overview of their findings (read it or watch a short video), Revuln points to the lack of SSL connections during updates as the most common weakness enabling malicious injection: if the client fetches its updates over plain HTTP and does not verify what it receives, anyone on the network path can hand it a trojaned update instead of the real one. So stop updating your software at Starbucks, already. Inadequate password storage is also hacker catnip; an obfuscation scheme fixed in the client can be reversed by anyone who recovers the algorithm, so Revuln argues that per-installation encryption keys are a far better solution than mere obfuscation. Revuln holds up two-factor authentication, such as PokerStars' use of RSA tokens and a PIN, as the way to go.

B3W was taken to the woodshed first, its update mechanism criticized for its insecure HTTP connection and lack of digital signatures. Its executable (EXE) files are digitally signed, but the client never checks those signatures before running what it has downloaded, so the signing buys nothing, and B3W's password obfuscation can be undone by anyone who reimplements the algorithm. Microgaming's use of digital signatures during updates is rendered moot by a buffer overflow in its password decoding function, which provides a warm, moist spot for hackers to plant their executable seed: code that runs because of a memory corruption bug never has to pass a signature check.

Playtech's iPoker doesn't use a secure HTTP connection for its updates, but it does verify the signatures on EXE and dynamic link library (DLL) files. However, other file types are left unprotected, and there are unsigned EXEs and DLLs in the widgetbar folder, like blank checks on which hackers can write 'malicious code' in the memo section.

Revuln itself is not without controversy. The Malta-based startup, co-founded by security researchers Luigi Auriemma and Donato Ferrante, sells the results of its software analysis to government agencies and private customers, yet does not necessarily inform the software companies themselves of their products' vulnerabilities. Digital rights advocates are critical of this business model because of what Revuln's customers might do with the knowledge they acquire.

Auriemma has dismissed such concerns, describing Revuln’s target as “mainly the defensive security providing information only to selected companies and governments.” Nevertheless, ThreatPost quoted Auriemma saying Revuln’s plan is “to not adopt the responsible disclosure except those cases in which there is no market or we prefer to see the bugs fixed.”

UPDATE: We received the following response from B3W regarding Revuln’s findings:

We take our clients' security extremely seriously and are fortunate enough to have dedicated resources to investigate and rectify anything that is brought to our attention. We have never, in twelve years of operating online, had any client report of his/her account being compromised in relation to our platforms.

In an investigatory meeting with our senior developers, security and network engineers, we believe that the root cause of the problem outlined by the ReVuln report surrounds the insecure client update process. The current 'Industry Standard' for distributing Poker clients is through the use of CDNs such as Limelight Networks or, in our case, FileBurst. Implementing secure connections over these CDNs is possible, but as the signed certificate would not match our server certificates this is not an option for us. We have therefore decided to move all client updating to our own data centres over SSL using a signed certificate trusted by the Poker client code. Once an attacker is unable to alter the update system to use their own supplied files, 90% of the report's findings are eliminated, including:

Automatic execution of the downloaded EXE – Once the definition file is delivered from a secure connection the enclosed cryptographic hash of the download can be trusted.

Directory traversal – Again, once the defined locations can be trusted the directory traversal will have no adverse effect.

Stack-based buffer overflow – There was a stack overflow that has been fixed and the introduction of the trusted definition file negates this risk.

The insecure password storage issue is one that we have not yet decided upon. Every saved password on a client's machine that does not utilize a key ring is by nature insecure and can only be obfuscated. The reason for storage of the password is one of player convenience, and to introduce a password to access the password would defeat the purpose. We do have a build of the client which does not allow the saving of the password and we are considering the introduction of this to the core client build. I will update you shortly if we choose this route.

The conclusion of our findings is that introducing secure delivery of the update and definition files, together with adding hash verification prior to execution, will remove any attacker's ability to hijack the connection with a view to injecting malicious code.

We are now in the process of implementing all of the solutions that I mention above and will be releasing all changes within the coming week. We are fortunate that the design of the poker client gives us the immediate ability to alter both the location and protocol for the update files and move them to our own servers over secure connections.

Once again, I would like to thank you for bringing this to our attention and very much hope that our work to rectify these issues immediately shows that both B3W and the Gaming Industry in general are both sensitive and quickly reactive to any potential security flaws that may be exposed.

AJ Thompson
Director of Strategy
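The fix B3W describes above, and the gaps Revuln found in the other clients (signed executables that are never checked, only EXE and DLL files verified while everything else is trusted), come down to one rule: nothing downloaded gets written or executed until it has been checked against a manifest the client can trust. The example below is added here to show that check in working code; it is not B3W's, Playtech's or Microgaming's code and is not taken from the Revuln report. Its assumptions are mine: the "definition file" is a JSON document listing each file's install-relative path and SHA-256 digest, it reached the client over an authenticated channel (TLS with a certificate the client trusts, as B3W proposes), and the file downloads themselves may still come from an untrusted CDN over plain HTTP. The install directory, file names and payload bytes are constructed sample data.

```python
"""Client-side update verifier: hash every listed file and confine every
destination to the install tree before anything is run (added example)."""
import hashlib
import json
from pathlib import Path, PurePosixPath

# Assumed install location; it does not need to exist for the checks below.
INSTALL_DIR = "/opt/pokerclient"


class UpdateRejected(Exception):
    """Any verification failure: the caller must not write or execute anything."""


def parse_definition(text):
    """Return [(relative_path, sha256_hex), ...] from a definition document."""
    entries = []
    for entry in json.loads(text)["files"]:
        digest = entry["sha256"].lower()
        if len(digest) != 64 or any(c not in "0123456789abcdef" for c in digest):
            raise UpdateRejected(f"malformed digest for {entry['path']}")
        entries.append((entry["path"], digest))
    return entries


def safe_destination(install_dir, relative_path):
    """Map a definition path to a destination that cannot escape install_dir.

    Rejects absolute paths, '..' components, backslashes and colons up front,
    then re-checks the fully resolved path so that anything the textual tests
    missed (symlinked parents, odd separators) is still caught."""
    base = Path(install_dir).resolve()
    rel = PurePosixPath(relative_path)
    if (rel.is_absolute() or ".." in rel.parts
            or "\\" in relative_path or ":" in relative_path):
        raise UpdateRejected(f"unsafe path {relative_path!r}")
    dest = base.joinpath(*rel.parts).resolve()
    if dest != base and base not in dest.parents:
        raise UpdateRejected(f"unsafe path {relative_path!r}")
    return dest


def verify_download(blob, expected_sha256):
    """The hash check is what makes bytes from an untrusted CDN usable."""
    return hashlib.sha256(blob).hexdigest() == expected_sha256


def stage_update(install_dir, definition_text, fetch):
    """Verify every file in the definition; `fetch(path) -> bytes` stands in
    for the CDN download.  Returns [(destination, bytes), ...] only if all
    files pass, and raises UpdateRejected on the first failure."""
    staged = []
    for rel_path, digest in parse_definition(definition_text):
        dest = safe_destination(install_dir, rel_path)   # traversal check
        blob = fetch(rel_path)
        if not verify_download(blob, digest):            # hash check
            raise UpdateRejected(f"hash mismatch for {rel_path}")
        staged.append((dest, blob))
    return staged  # write and execute only from this fully verified list


# --- constructed sample data for a stand-alone run ------------------------
CLIENT_BLOB = b"MZ\x90\x00 constructed stand-in for poker.exe"


def build_definition(files):
    """Constructed definition document; `files` maps relative path -> bytes."""
    return json.dumps({"version": "1.0.0", "files": [
        {"path": p, "sha256": hashlib.sha256(b).hexdigest()}
        for p, b in files.items()]})


def demo_good():
    """Genuine payload served by the CDN: returns the staged file names."""
    definition = build_definition({"client/poker.exe": CLIENT_BLOB})
    staged = stage_update(INSTALL_DIR, definition, lambda p: CLIENT_BLOB)
    return [dest.name for dest, _ in staged]


def demo_tampered():
    """Attacker controls the CDN or the HTTP path, but not the definition."""
    definition = build_definition({"client/poker.exe": CLIENT_BLOB})
    try:
        stage_update(INSTALL_DIR, definition,
                     lambda p: CLIENT_BLOB + b"<injected code>")
    except UpdateRejected as exc:
        return str(exc)
    return None


def demo_traversal():
    """Defence in depth: a definition that points outside the install tree."""
    definition = build_definition({"../../Windows/System32/evil.dll": CLIENT_BLOB})
    try:
        stage_update(INSTALL_DIR, definition, lambda p: CLIENT_BLOB)
    except UpdateRejected as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    print(demo_good(), demo_tampered(), demo_traversal(), sep="\n")
```

Two design points worth noting. First, the verifier hashes every entry in the definition regardless of extension, which is the gap Revuln flagged in iPoker's EXE/DLL-only checking. Second, the traversal check is kept even though a definition delivered over trusted TLS should never contain `..`: B3W is right that a trusted definition removes the attack, but the check costs nothing and protects the client the day the delivery channel is misconfigured. Windows Authenticode signature verification of the downloaded executables, which would strengthen this further, is platform-specific and not shown here.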