BetVictor, Global Poker shamed by digital security cockups


BETVICTOR-security-failOnline gambling operators BetVictor and Global Poker are wearing digital egg on their faces after unnecessarily exposing sensitive data.

On Wednesday, a post appeared on detailing a major security cockup in which the Gibraltar-based, UK-licensed BetVictor was found to have left a raft of sensitive info, including administrative logins and passwords, accessible by any visitor who entered the right criteria into the site’s search function.

The blog post’s author Chris Hogben noted that he hadn’t attempted to verify whether the administrative info was current to avoid falling afoul of hacking laws. After sending an email to BetVictor’s admins detailing the apparent security own goal, the site closed off public access to the sensitive data pages.

A different researcher, who was reportedly able to duplicate Hogben’s access to the data in question before BetVictor rejigged its site, told Motherboard that the data included “extensive combinations of usernames and passwords.”

BetVictor has yet to comment on whether the exposed data may have allowed anyone to access its customers’ personal info, saying only that it was still investigating the situation with its third-party suppliers. But Hogben noted that the password list included a reference to consumer credit reporting agency Experian, which BetVictor may have employed to verify its customer data.

Last week, a post appeared in poker forum TwoPlusTwo in which Zikzak, a customer of US-facing online operator Global Poker, accused the site of exposing his bank statement on a public website.

Zikzak claimed to have received a customer satisfaction survey that included the file name of a bank statement with a direct link to the statement on a non-password protected website. Other forum posters confirmed that they could access the bank statement from the link sent to them by Zikzak without being logged into his Zendesk customer service account.

A Global Poker rep later posted that the site had “added an additional security measure which means players will need to log in to their account each time they access a unique URL string. This provides an additional layer of protection to players who either accidentally or intentionally share their unique URL string with others.”

But as other posters noted, the so-called ‘security through obscurity’ strategy that Global Poker had apparently relied on until the new security measure was introduced is considered ineffective if bots unleash a brute-force attack.

It may or may not be related, but Global Poker announced Tuesday that it would cease offering PayPal as a payment option effective June 30. A company rep claimed the site was confident of being able to provide “a greater array of alternative options shortly.”