The hand replayer in the browser client of Minted Poker was revealing the hole cards of all players – even of those that folded before showdown.

The issue was posted publicly on 2+2 last Thursday at the same time that representatives of Minted Poker were informed. Later the same day, the replayer was taken offline. By Friday, it was back online with the issue fixed.

It is a common rule in poker that players can view all hands at showdown. You can request it in live poker, although the practice is generally frowned upon. At most online poker rooms, showdown hands are exposed in hand histories, with Boss Media and Bodog’s new client being two notable exceptions.

However, exposing hands folded before showdown is not usually permitted, as it provides too much information on player tendencies. Ironically, on the same day the issue on Everleaf was exposed, Bodog announced it would purposefully be allowing the same thing in a bid to combat collusion. Players will be able to request hand histories that show all player hole cards in a client update expected in early 2012.

It is unclear how long this issue had been live on Minted, and whether it affected all skins on the US-facing Everleaf Gaming network or was localized to Minted’s Flash client. The bug is very similar to an issue reported by players back in August, in which hole cards were exposed in text hand histories in the Flash client. Minted representatives have stated that that bug was fixed and that this latest bug is a separate issue.

Critics point out that these “glitches” expose a much greater underlying security issue in the software: that the client (in this case, the flash implementation) is being sent sensitive information from the server that it should not be. As one poster wrote: “The first rule of client-server development: don’t trust the client. Don’t send it unnecessary secure data and don’t trust its input.”
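The rule the poster states, applied to a hand replayer, means the server decides which hole cards a given viewer may see before anything is serialized. The following is an added illustration, not Minted’s or Everleaf’s code; the Seat/Hand structures, the sample hand and the viewer rules (own cards always, showdown cards public, folded cards never sent) are assumptions for the example.

```python
"""Server-side projection of a hand history for a replayer client (added example).

The leaky pattern sends every seat's cards and relies on the client to hide them;
the hardened pattern redacts on the server, so folded hole cards never leave it.
All hand data below is constructed for illustration.
"""
from dataclasses import dataclass
from typing import Optional

@dataclass
class Seat:
    player: str
    hole_cards: tuple              # e.g. ("As", "Kd"); assumed format
    folded: bool = False           # folded before showdown
    reached_showdown: bool = False # cards were tabled at showdown

@dataclass
class Hand:
    hand_id: str
    seats: list

def serialize_everything(hand: Hand) -> dict:
    """The leaky pattern: every seat's cards go to the client, which is trusted to mask them."""
    seats = [{"player": s.player, "folded": s.folded, "hole_cards": list(s.hole_cards)}
             for s in hand.seats]
    return {"hand_id": hand.hand_id, "seats": seats}

def project_hand(hand: Hand, viewer: Optional[str]) -> dict:
    """Hardened pattern: build only what `viewer` is entitled to see.
    The viewer's own cards are always included; showdown cards are public;
    folded players' cards are omitted entirely (not sent masked, not sent at all)."""
    seats = []
    for s in hand.seats:
        entry = {"player": s.player, "folded": s.folded}
        if s.player == viewer or s.reached_showdown:
            entry["hole_cards"] = list(s.hole_cards)
        seats.append(entry)
    return {"hand_id": hand.hand_id, "seats": seats}

def leaked_cards(payload: dict, hand: Hand, viewer: Optional[str]) -> list:
    """Audit check: players whose cards appear in `payload` although they should be hidden."""
    hidden = {s.player for s in hand.seats if not s.reached_showdown and s.player != viewer}
    return [e["player"] for e in payload["seats"] if "hole_cards" in e and e["player"] in hidden]

# Constructed sample: bob folds preflop, alice and carol go to showdown.
SAMPLE = Hand("constructed-0001", [
    Seat("alice", ("As", "Kd"), reached_showdown=True),
    Seat("bob", ("7h", "2c"), folded=True),
    Seat("carol", ("Qs", "Qh"), reached_showdown=True),
])
```

Running `leaked_cards` over both serializers on the same hand shows the difference: the leaky payload exposes bob's folded cards to any viewer, the projected one exposes them only to bob himself.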