Lock poker major security issue

03-11-2012 , 12:28 PM
Not sure how this affects the rest of Merge, as I haven't looked into it further.

Lock poker is tightly integrated with their casino. A while back that was the only way to deposit for non-Visa card holders in the US.

After you log into Lock's casino, right-click and hit View Source (on the non-Flash part). You will be shocked to see your password in plain text inside the source. No encoding, no encryption, just plain text. It also means they store your password in plain text for anyone on the Lock team to see.

I informed them about this back in June of '11. The response was they'd get right on it. Nothing has been done. I figured enough time had passed for me to put them on blast.
03-11-2012 , 12:41 PM
Kind of worrying
03-11-2012 , 01:01 PM
Pretty ridiculous, is this a Lock thing and not a Merge thing?
03-11-2012 , 01:01 PM
playing on Merge is a gamble in itself.
03-11-2012 , 01:02 PM
Quote:
Originally Posted by bustuw72
playing on Merge is a gamble in itself.
Sigh, we know and have heard this a million times, but for many it's a gamble worth taking, i.e. they can and have withdrawn more than they ever put into it. This doesn't mean that security issues should be overlooked, etc. because "well it's post BF, you deserve what happens etc etc"
03-11-2012 , 01:38 PM
Had a friend try this and he was able to see his password.
03-11-2012 , 01:48 PM
Could somebody copy + paste the part of the source with your password? (Remove your actual password, obviously.)
03-11-2012 , 01:59 PM
Quote:
Originally Posted by NoahSD
Could somebody copy + paste the part of the source with your password? (Remove your actual password, obviously.)
var flashvars = {
user : 'myusername',
sPassword : 'mypassword',
token : '',
encrypted : 'false',
forReal : (forMoney) ? 'true' : 'false',
IP : myIP,
portBase : '0',
returnURL : '',
casinoName : 'Lock Casino',
errorURL : '',
useLegacySystem: 0,
gameid: gameObj.gameID,
machid: gameObj.machID,
handcount: gameObj.hands,
denom: 25,
showVersion: 'false'
};

Mod edit: removed user's screen name and IP address. Everything else looks ok.

Last edited by NoahSD; 03-11-2012 at 04:36 PM.
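
A check for the problem shown in the post above, as an added example that is not part of the thread or of Lock's code: it scans inline script in a page's source for credential-like keys carrying a non-empty string literal, such as `sPassword` in the `flashvars` object. The key-name pattern, both sample pages, and the idea of filling the existing `token` field with a server-issued value are assumptions made for illustration.

```javascript
// Added example: flag credential-like literals embedded in inline page script.
// SECRET_KEY and both sample pages are constructed; adjust the pattern to your app.
const SECRET_KEY = /pass(word|wd)?|pwd|secret/i;

// Returns [{ key, line }] for each `key : 'non-empty literal'` pair whose key
// looks like a credential. Values are never returned, so findings are safe to log.
function findEmbeddedSecrets(html) {
  const findings = [];
  for (const m of html.matchAll(/<script\b[^>]*>([\s\S]*?)<\/script>/gi)) {
    // 1-based line of the opening <script> tag within the page source.
    const startLine = html.slice(0, m.index).split("\n").length;
    const body = m[1];
    // key, optional quotes, ':' or '=', then a quoted value of length >= 1.
    const pair = /["']?([A-Za-z_$][\w$]*)["']?\s*[:=]\s*(["'])((?:\\.|(?!\2).)+)\2/g;
    for (const p of body.matchAll(pair)) {
      if (!SECRET_KEY.test(p[1])) continue;
      const line = startLine + body.slice(0, p.index).split("\n").length - 1;
      findings.push({ key: p[1], line });
    }
  }
  return findings;
}

// Constructed page mirroring the shape of the flashvars object in the post.
const vulnerablePage = [
  "<html><body>",
  "<script>",
  "var flashvars = {",
  "  user : 'sampleuser',",
  "  sPassword : 'constructed-example-pw',",
  "  token : '',",
  "  encrypted : 'false'",
  "};",
  "</script></body></html>",
].join("\n");

// Constructed alternative (assumption): no password reaches the browser; the
// server fills `token` with a short-lived, single-use session token instead.
const hardenedPage = vulnerablePage
  .replace("  sPassword : 'constructed-example-pw',\n", "")
  .replace("token : ''", "token : 'constructed-one-time-token'");

console.log(findEmbeddedSecrets(vulnerablePage)); // findings for the first page
console.log(findEmbeddedSecrets(hardenedPage));   // findings for the second page
```

A non-empty result on an authenticated page response means a credential-like literal was rendered into the browser, which also implies the server can recover the original password rather than holding only a salted hash.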
03-11-2012 , 02:01 PM
God damn idiots at lock I swear. Luckily I have my casino disabled.
03-11-2012 , 02:01 PM
It's clear that their entire casino is built using Flash/Actionscript... really old school way to do web programming.

I'd wager a bet their casino games could be decompiled, hacked, and altered to change the edge in your favor (or perhaps just autowin) as well, but I'm a nub with actionscript.
03-11-2012 , 02:02 PM
Quote:
Originally Posted by Unta8
God damn idiots at lock I swear. Luckily I have my casino disabled.
Irrelevant. You suffer from the same poor architecture as everyone else, unfortunately
03-11-2012 , 02:06 PM
As an American player post-BF, I'm not surprised but it probably won't affect me playing there. Merge/Lock is easily the best option available for U.S. players, which is sad in itself.

I really hope that we get PokerStars back someday.
03-11-2012 , 02:06 PM
Quote:
Originally Posted by deafeye
It's clear that their entire casino is built using Flash/Actionscript... really old school way to do web programming.

I'd wager a bet their casino games could be decompiled, hacked, and altered to change the edge in your favor (or perhaps just autowin) as well, but I'm a nub with actionscript.
well if somebody did that it would at least make them change security lol.
03-11-2012 , 02:14 PM
Quote:
Originally Posted by deafeye
Irrelevant. You suffer from the same poor architecture as everyone else, unfortunately
Not really, my casino doesn't even exist.
03-11-2012 , 02:22 PM
This doesn't seem good.
03-11-2012 , 02:36 PM
hey op, hope you don't mind but i cross posted this to the official lock forum where Rizen and Shane post. might make something happen. either way i'm peacing on the skin, just thought this would be more effective there.
03-11-2012 , 02:42 PM
Quote:
Originally Posted by Unta8
Not really, my casino doesn't even exist.
[ ] understands the storage concerns

If you're trolling, gj, but seriously, turning off the casino doesn't fix the fact that they have major underlying issues in their architecture.

Don't mean to be a dick, but I do architect large systems, including authentication, for a living. I don't want somebody minimizing the concerns because of something they don't understand.
03-11-2012 , 02:42 PM
Quote:
Originally Posted by benza13
hey op, hope you don't mind but i cross posted this to the official lock forum where Rizen and Shane post. might make something happen. either way i'm peacing on the skin, just thought this would be more effective there.
By all means make as much noise as possible. They've had over 10 months to fix this on the down low.
03-11-2012 , 02:46 PM
I know Lock is still offering some affiliate deals and that other skins have dialed in somewhat but at this point they've pretty much proven to be one of, if not the #1 shadiest Merge skin to be playing on.

If you are on Merge, the little bit of extra value you get by playing on Lock has to be negated by the fact that they've turned a blind eye to quite a few major shenanigans.

In this environment it's certainly buyer beware! Why go with the one that raises the most flags?
03-11-2012 , 02:51 PM
As a reminder (or new info for those unaware), Lock is also the site that had Girah as a pro, and DQed him after he won a Lock challenge but has never been upfront about what they knew or when.

Girah won the challenge via a chip dump from DogIsHead, which even a blind chimpanzee should have been able to see during even a minimal audit.
03-11-2012 , 02:52 PM
Quote:
Originally Posted by kevinb1983
In this environment it's certainly buyer beware! Why go with the one that raises the most flags?
Greed?
03-11-2012 , 02:52 PM
Is this issue the same across all Merge skins?

I tried it on RPM but I banned myself from the casino.
03-11-2012 , 02:57 PM
Quote:
Originally Posted by JimAfternoon
Is this issue the same across all Merge skins?

I tried it on RPM but I banned myself from the casino.
Don't have an account with any others, but it looks like no.
03-11-2012 , 03:05 PM
Fixing this will take money, most likely YOUR money

Glad I've not created an account on Merge
03-11-2012 , 03:14 PM
Quote:
Originally Posted by deafeye
[ ] understands the storage concerns

If you're trolling, gj, but seriously, turning off the casino doesn't fix the fact that they have major underlying issues in their architecture.

Don't mean to be a dick, but I do architect large systems, including authentication, for a living. I don't want somebody minimizing the concerns because of something they don't understand.
Not even trolling. I literally can't log in to the casino. I understand it's a problem for everyone, but my casino doesn't exist and there is no way for me to view the source code.