- Potential attack could inject malicious EXE files and compromise accounts, researchers claim.
- User passwords discovered to be stored with weak encryption on personal computers.
- Update procedures were shown to run over insecure connections and to download unsigned binaries.

Many downloadable poker clients suffer security flaws, including issues in user password storage and software update procedures, claims a report from a Malta-based security research firm.
“A vulnerability in one software can affect multiple skins and millions of players,” researchers Luigi Auriemma and Donato Ferrante of ReVuln wrote in a report released late last week.
Potential security weaknesses were discovered with iPoker, Microgaming and B3W (Poker Pack Network) software.
One common flaw was how usernames and passwords used to access poker clients were stored on users’ computers.
“The stored password is often just obfuscated or encrypted with fixed keys,” the researchers wrote. “Access to registry keys or the configuration file (even remote access is possible using directory traversal vulnerabilities in other software) allows attackers to steal stored passwords easily.”
The researchers noted that some sites, including PokerStars and PartyPoker, adopted more stringent password policies.
“Client software is interesting to analyze because it is the only part of the infrastructure which is fully available to an attacker,” the report states. “In fact, the software is deployed on the end-user systems, and without performing any unauthorized access to the server-side infrastructure, the security of these solutions can be analyzed. Serious client software issues include unauthorized access to players’ accounts.”
The most common problem, the report claims, stems from failing to use SSL connections when running updates. In a video summary of how a downloaded poker client could be attacked, ReVuln showed an automatic update, with the update server controlled by an attacker. Both Microgaming and iPoker were identified as not digitally signing software updates, which could allow for a theoretical injection of malicious executables.
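
The check that the update procedures described above lack, written as an added example (not code from the ReVuln report or from any of the named vendors): the client accepts an update only if it comes from an HTTPS URL, its manifest is signed by a key pinned in the client, and the downloaded bytes match the signed digest. The `Manifest` layout, the function names, the choice of Ed25519 and the `updates.example.invalid` URL are assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"errors"
	"fmt"
	"net/url"
)

// Manifest is a hypothetical update descriptor; Sig covers the URL and digest.
type Manifest struct {
	URL    string
	SHA256 [32]byte
	Sig    []byte
}

func signedBytes(m Manifest) []byte {
	return append([]byte(m.URL+"\n"), m.SHA256[:]...)
}

// VerifyUpdate returns nil only if the payload may be installed.
func VerifyUpdate(pinned ed25519.PublicKey, m Manifest, payload []byte) error {
	u, err := url.Parse(m.URL)
	if err != nil || u.Scheme != "https" {
		return errors.New("update URL is not https")
	}
	if !ed25519.Verify(pinned, signedBytes(m), m.Sig) {
		return errors.New("manifest signature invalid")
	}
	if sha256.Sum256(payload) != m.SHA256 {
		return errors.New("payload digest mismatch")
	}
	return nil
}

// NewSignedManifest is the vendor-side step, run where the private key lives.
func NewSignedManifest(priv ed25519.PrivateKey, rawURL string, payload []byte) Manifest {
	m := Manifest{URL: rawURL, SHA256: sha256.Sum256(payload)}
	m.Sig = ed25519.Sign(priv, signedBytes(m))
	return m
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // constructed demo key pair
	good := []byte("constructed update payload v2")
	m := NewSignedManifest(priv, "https://updates.example.invalid/client.exe", good)
	fmt.Println("genuine:", VerifyUpdate(pub, m, good))
	fmt.Println("swapped:", VerifyUpdate(pub, m, []byte("substituted binary")))
}
```

Only the public key ships with the client, so reading the client's files or registry does not let anyone produce a manifest the check accepts.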