Leading online-poker network GGPoker has patched a vulnerability that theoretically could have been accessed to view opponents' hole cards at its online tables. The site acted rapidly after being notified of the vulnerability's existence by a security expert who plays on the network and who contributes occasional security-related pieces to Cardplayer Lifestyle.
Security wonk Eddie Harari uncovered the vulnerability within GGPoker's game play several weeks ago and notified the site of the issue, which GGPoker corrected within two weeks. The issue involved the unencrypted transmission of several types of user data, including user names, real player names, betting actions, and, of largest concern, hole-card data.
In acknowledging and fixing the vulnerability, GGPoker stated that while the problem existed and had been plugged, it was an "edge issue" with limited real-world applicability for a would-be online cheat. The issue had already been known inside GGPoker in general terms and GGPoker responded to Harari's disclosure by plugging the hole, via applying SSL layering to additional transmission protocols. Previously, GGPoker had eschewed applying SSL universally to its data-transmission processes, due to the negative impact on response times, especially for players with less than high-speed connectivity.
Once the issue had been discovered by an outsider, however, GGPoker was left with little choice but to add additional SSL protection. GGPoker also stated that it did not believe the vulnerability had ever been exploited by any would-be online cheaters. "Our security team, assisted by automated tools and alerts, monitors gameplay 24/7 and will raise alarms on any suspicious activity," the network told Cardplayer Lifestyle. "If such edge cases were to occur, we would have detected it and applied the patch to fix (which was ready to be shipped) the issue immediately."
One surprise led to others
As Harari detailed in his Cardplayer Lifestyle feature, he made several related vulnerability discoveries. Harari's research spanned several days and began when he decided to play a game of "What if?" regarding what he thought were GGPoker's fully-secure data transmissions. Harari set up a second computer to tap the streams of data being transferred between his computer and GGPoker's network servers.
Harari's first discovery was that the chat-stream data at GGPoker's tables included hexadecimal-coded, but unencrypted, data that identified not only a player's screen name, but his real name as well. Harari published a screen grab that showed him playing on GGPoker's 7XL skin, and when he typed in a test chat message, not only did his "The Hacker" screen name appear in the stream data, but so did his full real name (Ezra Eddie Harari).
Harari continued his probing into what other data might have been left unencrypted. He then examined the actual game-play data screens and identified what certain data meant. Harari soon discovered that if he was on the same network as another player, he could intercept that stream and launch what is technically known as a "man in the middle" (MITM) attack. In this situation, such an attack would allow the hacker to falsely transmit a message back to GGPoker's gaming servers that a player had taken certain betting actions, such as folding a hand. It's an example of the "edge issue" vulnerability as acknowledged by GGPoker, in that such a hijacking would have almost zero impact before being discovered by the victim or the site.
The same can't be said for Harari's next discovery, however, and that was of the unencrypted hole-card data, an example of which is shown in Harari's feature. Harari details how each card in the deck is assigned a two-digit code from 0 to 51, corresponding to each card in a standard deck. That knowledge, if tapped from a stream in a timely manner, could be implemented within a hole-card cheating scheme. Again, however, GGPoker's statement on the vulnerability's exposure asserts that no cheating exploiting the now-patched vulnerability is believed to have occurred.
A second poker-playing tech-security expert, Hank Nussbacher, examined and verified Harari's claims before the piece's publication by Cardplayer Lifestyle.
Recurring online-poker vulnerabilities
Harari's altruism in notifying GGPoker of the vulnerability likely helped save the network some future troubles. The story has some precedents and parallels as well, dating all the way back to poker's earliest days. The very first online-poker site, Planet Poker, once had a significant flaw exposed in a similar altruistic manner by Cigital, Inc., which discovered that Planet Poker didn't use a true RNG to randomize dealt cards but instead implemented a repeating and predictable deck. The disclosure still crippled Planet, however, and as its rivals launched and grew, the site was unable to recover and eventually folded.
A more recent instance involving unintended access to hole-card data occurred in 2013, when app-based open faced Chinese poker briefly became the rage among some of the game's most well-known players. Many of the game's participants downloaded what was a play-money game published by a Chinese software developer, then played for their own stakes and settled up debts separately. One of those players, Hall of Famer Barry Greenstein, suspected something was amiss after an extended of losses against a particular foe. Greenstein asked his nephew, an app developer and programmer, to look inside the OFC app, and the nephew soon discovered that the entire 13-card hand dealt to a player could be viewed before being turned up one at a time, as open-faced Chinese is played. Greenstein never named the other player, but the disclosure quickly chilled the app-based OFC action.
How those OFC players settled their debts was also a precursor to the club-based poker apps that spawned a thriving underground scene, first in Asia and later globally, that continues to this day. Not all such apps being used by players to gamble surreptitiously are secure, however. In 2020, the Poker Mavens app offered by Briggsoft Inc. was also reverse-engineered, and enterprising cheats briefly sold a hacking/translating cheat that showed, in real time, the cards being held by one's opponents at the tables.
