- Potential attack could inject malicious EXE files and compromise accounts, researchers claim.
- User passwords discovered to be stored with weak encryption on personal computers.
- Update procedures were shown to run over insecure connections and download unsigned binaries.

Many downloadable poker clients suffer security flaws, including issues in user password storage and software update procedures, claims a report from a Malta-based security research firm.
“A vulnerability in one software can affect multiple skins and millions of players,” researchers Luigi Auriemma and Donato Ferrante of ReVuln wrote in a report released late last week.
Potential security weaknesses were discovered with iPoker, Microgaming and B3W (Poker Pack Network) software.
One common flaw was how the usernames and passwords used to access poker clients were stored on users’ computers.
“The stored password is often just obfuscated or encrypted with fixed keys,” the researchers wrote. “Access to registry keys or the configuration file (even remote access is possible using directory traversal vulnerabilities in other software) allows attackers to steal stored passwords easily.”
The researchers noted that some sites, including PokerStars and PartyPoker, adopted more stringent password policies.