Two Plus Two Poker Forums


deafeye 03-11-2012 12:28 PM

Lock poker major security issue
 
Not sure how this affects the rest of Merge, as I haven't looked into it further.

Lock poker is tightly integrated with their casino. A while back that was the only way to deposit for non-Visa card holders in the US.

After you log into Lock's casino, right click and hit view source (on the non-flash part). You will be shocked to see your password in plain text inside the source. No encoding, no encryption, just plain text. It also means they store your password in plain text for anyone on the lock team to see.

I informed them about this back in June of '11. The response was they'd get right on it. Nothing has been done. I figured enough time had passed for me to put them on blast.

barradri 03-11-2012 12:41 PM

Re: Lock poker major security issue
 
Kind of worrying

peterpjames 03-11-2012 01:01 PM

Re: Lock poker major security issue
 
Pretty ridiculous, is this a Lock thing and not a Merge thing?

bustuw72 03-11-2012 01:01 PM

Re: Lock poker major security issue
 
playing on Merge is a gamble in itself.

peterpjames 03-11-2012 01:02 PM

Re: Lock poker major security issue
 
Quote:

Originally Posted by bustuw72 (Post 31996450)
playing on Merge is a gamble in itself.

Sigh, we know and have heard this a million times, but for many it's a gamble worth taking, i.e. they can and have withdrawn more than they ever put into it. This doesn't mean that security issues should be overlooked, etc. because "well it's post BF, you deserve what happens etc etc"

IWEARGOGGLES 03-11-2012 01:38 PM

Re: Lock poker major security issue
 
Had a friend try this and he was able to see his password.

NoahSD 03-11-2012 01:48 PM

Re: Lock poker major security issue
 
Could somebody copy + paste the part of the source with your password? (Remove your actual password, obviously.)

deafeye 03-11-2012 01:59 PM

Re: Lock poker major security issue
 
Quote:

Originally Posted by NoahSD (Post 31997074)
Could somebody copy + paste the part of the source with your password? (Remove your actual password, obviously.)

var flashvars = {
user : 'myusername',
sPassword : 'mypassword',
token : '',
encrypted : 'false',
forReal : (forMoney) ? 'true' : 'false',
IP : myIP,
portBase : '0',
returnURL : '',
casinoName : 'Lock Casino',
errorURL : '',
useLegacySystem: 0,
gameid: gameObj.gameID,
machid: gameObj.machID,
handcount: gameObj.hands,
denom: 25,
showVersion: 'false'
};

Mod edit: removed user's screen name and IP address. Everything else looks ok.
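
An added example, not part of the original post and not Lock's code: one way a server can avoid the pattern in the snippet above is to store only a salted scrypt hash and render a short-lived signed token into the page instead of `sPassword`. The function names, `SERVER_KEY`, the token format and the sample values are assumptions made for this sketch.

```javascript
const crypto = require('crypto');

// Assumption: a per-deployment secret that never leaves the server.
const SERVER_KEY = crypto.randomBytes(32);

// Registration: keep only a random salt and the scrypt hash of the password.
function hashPassword(password) {
  const salt = crypto.randomBytes(16);
  const hash = crypto.scryptSync(password, salt, 32);
  return { salt: salt.toString('hex'), hash: hash.toString('hex') };
}

// Login: recompute the hash from the submitted password and compare.
function verifyPassword(password, record) {
  const candidate = crypto.scryptSync(password, Buffer.from(record.salt, 'hex'), 32);
  return crypto.timingSafeEqual(candidate, Buffer.from(record.hash, 'hex'));
}

function sign(payload) {
  return crypto.createHmac('sha256', SERVER_KEY).update(payload).digest('hex');
}

// After login: hex(JSON{user, exp}) + '.' + HMAC, valid for ttlSeconds.
function issueToken(user, now = Date.now(), ttlSeconds = 300) {
  const body = JSON.stringify({ user, exp: now + ttlSeconds * 1000 });
  const payload = Buffer.from(body).toString('hex');
  return `${payload}.${sign(payload)}`;
}

// Returns the user name for a valid, unexpired token, otherwise null.
function checkToken(token, now = Date.now()) {
  const [payload, mac] = String(token).split('.');
  if (!payload || !mac) return null;
  const a = Buffer.from(mac), b = Buffer.from(sign(payload));
  if (a.length !== b.length || !crypto.timingSafeEqual(a, b)) return null;
  const { user, exp } = JSON.parse(Buffer.from(payload, 'hex').toString());
  return now < exp ? user : null;
}

// Same shape as the posted flashvars, minus sPassword; token carries the session.
function buildFlashvars(user, token) {
  return { user, token, encrypted: 'false', casinoName: 'Lock Casino' };
}

// Regression check: true if any rendered value contains the secret.
function leaksSecret(vars, secret) {
  return Object.values(vars).some((v) => String(v).includes(secret));
}
```

With this layout the server holds nothing it could echo back into the page source, and a token copied from the source stops working once it expires.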

unta8 03-11-2012 02:01 PM

Re: Lock poker major security issue
 
God damn idiots at lock I swear. Luckily I have my casino disabled.

deafeye 03-11-2012 02:01 PM

Re: Lock poker major security issue
 
It's clear that their entire casino is built using Flash/Actionscript... really old school way to do web programming.

I'd wager a bet their casino games could be decompiled, hacked, and altered to change the edge in your favor (or perhaps just autowin) as well, but I'm a nub with actionscript.

deafeye 03-11-2012 02:02 PM

Re: Lock poker major security issue
 
Quote:

Originally Posted by Unta8 (Post 31997250)
God damn idiots at lock I swear. Luckily I have my casino disabled.

Irrelevant. You suffer from the same poor architecture as everyone else, unfortunately

stwhite 03-11-2012 02:06 PM

Re: Lock poker major security issue
 
As an American player post-BF, I'm not surprised but it probably won't affect me playing there. Merge/Lock is easily the best option available for U.S. players, which is sad in itself.

I really hope that we get Pokerstars back someday.

peterpjames 03-11-2012 02:06 PM

Re: Lock poker major security issue
 
Quote:

Originally Posted by deafeye (Post 31997256)
It's clear that their entire casino is built using Flash/Actionscript... really old school way to do web programming.

I'd wager a bet their casino games could be decompiled, hacked, and altered to change the edge in your favor (or perhaps just autowin) as well, but I'm a nub with actionscript.

well if somebody did that it would at least make them change security lol.

unta8 03-11-2012 02:14 PM

Re: Lock poker major security issue
 
Quote:

Originally Posted by deafeye (Post 31997265)
Irrelevant. You suffer from the same poor architecture as everyone else, unfortunately

Not really, my casino doesn't even exist.

Noobie Newbertson 03-11-2012 02:22 PM

Re: Lock poker major security issue
 
This doesn't seem good.

benza13 03-11-2012 02:36 PM

Re: Lock poker major security issue
 
hey op, hope you don't mind but i cross posted this to the official lock forum where Rizen and Shane post. might make something happen. either way i'm peacing on the skin, just thought this would be more effective there.

deafeye 03-11-2012 02:42 PM

Re: Lock poker major security issue
 
Quote:

Originally Posted by Unta8 (Post 31997414)
Not really, my casino doesn't even exist.

[ ] understands the storage concerns

If you're trolling, gj, but seriously, turning off the casino doesn't fix the fact that they have major underlying issues in their architecture.

Don't mean to be a dick, but I do architect large systems, including authentication, for a living. I don't want somebody minimizing the concerns because of something they don't understand.

deafeye 03-11-2012 02:42 PM

Re: Lock poker major security issue
 
Quote:

Originally Posted by benza13 (Post 31997710)
hey op, hope you don't mind but i cross posted this to the official lock forum where Rizen and Shane post. might make something happen. either way i'm peacing on the skin, just thought this would be more effective there.

By all means make as much noise as possible. They've had over 10 months to fix this on the down low.

kevinb1983 03-11-2012 02:46 PM

Re: Lock poker major security issue
 
I know Lock is still offering some affiliate deals and that other skins have dialed in somewhat but at this point they've pretty much proven to be one of, if not the #1 shadiest Merge skin to be playing on.

If you are on Merge, the little bit of extra value you get by playing on Lock has to be negated by the fact that they've turned a blind eye to quite a few major shenanigans.

In this environment it's certainly buyer beware! Why go with the one that raises the most flags?

SGT RJ 03-11-2012 02:51 PM

Re: Lock poker major security issue
 
As a reminder (or new info for those unaware), Lock is also the site that had Girah as a pro, and DQed him after he won a Lock challenge but has never been upfront about what they knew or when.

Girah won the challenge via a chip dump from DogIsHead, which even a blind chimpanzee should have been able to see during even a minimal audit.

2DMB2LIV 03-11-2012 02:52 PM

Re: Lock poker major security issue
 
Quote:

Originally Posted by kevinb1983 (Post 31997848)
In this environment it's certainly buyer beware! Why go with the one that raises the most flags?

Greed?

JimAfternoon 03-11-2012 02:52 PM

Re: Lock poker major security issue
 
Is this issue the same across all Merge skins?

I tried it on RPM but I banned myself from the casino.

deafeye 03-11-2012 02:57 PM

Re: Lock poker major security issue
 
Quote:

Originally Posted by JimAfternoon (Post 31997936)
Is this issue the same across all Merge skins?

I tried it on RPM but I banned myself from the casino.

Don't have an account with any others, but it looks like no.

AllBlackDan 03-11-2012 03:05 PM

Fixing this will take money, most likely YOUR money

Glad I've not created an account on Merge

unta8 03-11-2012 03:14 PM

Re: Lock poker major security issue
 
Quote:

Originally Posted by deafeye (Post 31997782)
[ ] understands the storage concerns

If you're trolling, gj, but seriously, turning off the casino doesn't fix the fact that they have major underlying issues in their architecture.

Don't mean to be a dick, but I do architect large systems, including authentication, for a living. I don't want somebody minimizing the concerns because of something they don't understand.

Not even trolling. I literally can't log in to the casino. I understand it's a problem for everyone, but my casino doesn't exist and there is no way for me to view the source code.


All times are GMT -4.