Old 03-11-2012, 12:28 PM   #1
banned
 
Join Date: Oct 2010
Posts: 127
Lock poker major security issue

Not sure how this affects the rest of Merge, as I haven't looked into it further.

Lock poker is tightly integrated with their casino. A while back that was the only way to deposit for non-visa card holders in the US.

After you log into Lock's casino, right-click and hit view source (on the non-flash part). You will be shocked to see your password in plain text inside the source. No encoding, no encryption, just plain text. It also means they store your password in plain text for anyone on the lock team to see.

I informed them about this back in June of '11. The response was they'd get right on it. Nothing has been done. I figured enough time had passed for me to put them on blast.
deafeye is offline   Reply With Quote
Old 03-11-2012, 12:41 PM   #2
veteran
 
barradri's Avatar
 
Join Date: Mar 2009
Location: Teaching rich kids in Cairo
Posts: 2,252
Re: Lock poker major security issue

Kind of worrying
barradri is offline   Reply With Quote
Old 03-11-2012, 01:01 PM   #3
Pooh-Bah
 
peterpjames's Avatar
 
Join Date: May 2006
Posts: 5,802
Re: Lock poker major security issue

Pretty ridiculous, is this a Lock thing and not a Merge thing?
peterpjames is offline   Reply With Quote
Old 03-11-2012, 01:01 PM   #4
adept
 
Join Date: Feb 2009
Location: Rosarito Beach Mexico
Posts: 1,183
Re: Lock poker major security issue

playing on Merge is a gamble in itself.
bustuw72 is offline   Reply With Quote
Old 03-11-2012, 01:02 PM   #5
Pooh-Bah
 
peterpjames's Avatar
 
Join Date: May 2006
Posts: 5,802
Re: Lock poker major security issue

Quote:
Originally Posted by bustuw72 View Post
playing on Merge is a gamble in itself.
Sigh we know and have heard this a million times but for many it's a gamble worth taking, i.e. they can and have withdrawn more than they ever put into it. This doesn't mean that security issues should be overlooked, etc because "well it's post BF, you deserve what happens etc etc"
peterpjames is offline   Reply With Quote
Old 03-11-2012, 01:38 PM   #6
Carpal 'Tunnel
 
IWEARGOGGLES's Avatar
 
Join Date: Mar 2005
Location: Pittsburgh/Canada
Posts: 7,351
Re: Lock poker major security issue

Had a friend try this and he was able to see his password.
IWEARGOGGLES is offline   Reply With Quote
Old 03-11-2012, 01:48 PM   #7
Is Right
 
NoahSD's Avatar
 
Join Date: Aug 2005
Posts: 18,854
Re: Lock poker major security issue

Could somebody copy + paste the part of the source with your password? (Remove your actual password, obviously.)
NoahSD is offline   Reply With Quote
Old 03-11-2012, 01:59 PM   #8
banned
 
Join Date: Oct 2010
Posts: 127
Re: Lock poker major security issue

Quote:
Originally Posted by NoahSD View Post
Could somebody copy + paste the part of the source with your password? (Remove your actual password, obviously.)
var flashvars = {
    user : 'myusername',
    sPassword : 'mypassword',
    token : '',
    encrypted : 'false',
    forReal : (forMoney) ? 'true' : 'false',
    IP : myIP,
    portBase : '0',
    returnURL : '',
    casinoName : 'Lock Casino',
    errorURL : '',
    useLegacySystem: 0,
    gameid: gameObj.gameID,
    machid: gameObj.machID,
    handcount: gameObj.hands,
    denom: 25,
    showVersion: 'false'
};

Mod edit: removed user's screen name and IP address. Everything else looks ok.

Last edited by NoahSD; 03-11-2012 at 04:36 PM.
deafeye is offline   Reply With Quote
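
One way to close the hole shown in post #8, as an added example that is not part of the thread and not Lock's code: the server keeps only a salted scrypt hash, hands the Flash client a short-lived HMAC-signed token in place of `sPassword`, and checks rendered source for password-like fields. The function names, the token format and the five-minute lifetime are assumptions.

```javascript
// Added example, not Lock's code. Names, token format and TTL are assumptions.
const { scryptSync, randomBytes, createHmac, timingSafeEqual } = require('node:crypto');

// Storage: keep only a random salt and the scrypt hash, never the password.
function hashPassword(password, salt = randomBytes(16)) {
  return { salt, hash: scryptSync(password, salt, 32) };
}
function verifyPassword(password, record) {
  return timingSafeEqual(scryptSync(password, record.salt, 32), record.hash);
}

// Session token "user.expiryMs.hmac", signed with a secret that stays on the server.
function sign(secret, body) {
  return createHmac('sha256', secret).update(body).digest('hex');
}
function issueToken(user, secret, now = Date.now(), ttlMs = 5 * 60 * 1000) {
  const body = `${user}.${now + ttlMs}`;
  return `${body}.${sign(secret, body)}`;
}
function verifyToken(token, secret, now = Date.now()) {
  const i = token.lastIndexOf('.');
  const body = token.slice(0, Math.max(i, 0));
  const mac = Buffer.from(token.slice(i + 1), 'hex');
  const expected = Buffer.from(sign(secret, body), 'hex');
  if (mac.length !== expected.length || !timingSafeEqual(mac, expected)) return null;
  const j = body.lastIndexOf('.');
  return Number(body.slice(j + 1)) > now ? body.slice(0, j) : null;
}

// What the page embeds for the Flash client: a token, and no password field.
// "<" is escaped so a hostile user name cannot close the inline <script>.
function renderFlashvars(user, token) {
  const json = JSON.stringify({ user, token, casinoName: 'Lock Casino' }, null, 2);
  return `var flashvars = ${json.replace(/</g, '\\u003c')};`;
}

// Regression check for rendered source: password-like keys with a non-empty literal.
function findEmbeddedSecrets(source) {
  const re = /\b(s?password|passwd|pwd)\b\s*["']?\s*:\s*(["'])([^"']+)\2/gi;
  return [...source.matchAll(re)].map((m) => m[1]);
}

// Constructed sample based on the snippet in post #8.
const VULNERABLE = "var flashvars = {\n user : 'myusername',\n sPassword : 'mypassword',\n token : ''\n};";
```

Running `findEmbeddedSecrets` over every rendered page in a test suite catches a reintroduced password field before it ships.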
Old 03-11-2012, 02:01 PM   #9
old hand
 
Join Date: Jun 2011
Posts: 1,748
Re: Lock poker major security issue

God damn idiots at lock I swear. Luckily I have my casino disabled.
unta8 is offline   Reply With Quote
Old 03-11-2012, 02:01 PM   #10
banned
 
Join Date: Oct 2010
Posts: 127
Re: Lock poker major security issue

It's clear that their entire casino is built using Flash/Actionscript... really old school way to do web programming.

I'd wager a bet their casino games could be decompiled, hacked, and altered to change the edge in your favor (or perhaps just autowin) as well, but I'm a nub with actionscript.
deafeye is offline   Reply With Quote
Old 03-11-2012, 02:02 PM   #11
banned
 
Join Date: Oct 2010
Posts: 127
Re: Lock poker major security issue

Quote:
Originally Posted by Unta8 View Post
God damn idiots at lock I swear. Luckily I have my casino disabled.
Irrelevant. You suffer from the same poor architecture as everyone else, unfortunately
deafeye is offline   Reply With Quote
Old 03-11-2012, 02:06 PM   #12
grinder
 
Join Date: Mar 2010
Location: RoK
Posts: 639
Re: Lock poker major security issue

As an American player post-BF, I'm not surprised but it probably won't affect me playing there. Merge/Lock is easily the best option available for U.S. players, which is sad in itself.

I really hope that we get Pokerstars back someday.
stwhite is offline   Reply With Quote
Old 03-11-2012, 02:06 PM   #13
Pooh-Bah
 
peterpjames's Avatar
 
Join Date: May 2006
Posts: 5,802
Re: Lock poker major security issue

Quote:
Originally Posted by deafeye View Post
It's clear that their entire casino is built using Flash/Actionscript... really old school way to do web programming.

I'd wager a bet their casino games could be decompiled, hacked, and altered to change the edge in your favor (or perhaps just autowin) as well, but I'm a nub with actionscript.
well if somebody did that it would at least make them change security lol.
peterpjames is offline   Reply With Quote
Old 03-11-2012, 02:14 PM   #14
old hand
 
Join Date: Jun 2011
Posts: 1,748
Re: Lock poker major security issue

Quote:
Originally Posted by deafeye View Post
Irrelevant. You suffer from the same poor architecture as everyone else, unfortunately
Not really, my casino doesn't even exist.
unta8 is offline   Reply With Quote
Old 03-11-2012, 02:22 PM   #15
adept
 
Noobie Newbertson's Avatar
 
Join Date: Feb 2011
Location: US of Goldman Sachs
Posts: 820
Re: Lock poker major security issue

This doesn't seem good.
Noobie Newbertson is offline   Reply With Quote
Old 03-11-2012, 02:36 PM   #16
Carpal 'Tunnel
 
benza13's Avatar
 
Join Date: May 2005
Location: caution is a word i cant understand
Posts: 17,183
Re: Lock poker major security issue

hey op, hope you don't mind but i cross posted this to the official lock forum where Rizen and Shane post. might make something happen. either way i'm peacing on the skin, just thought this would be more effective there.
benza13 is offline   Reply With Quote
Old 03-11-2012, 02:42 PM   #17
banned
 
Join Date: Oct 2010
Posts: 127
Re: Lock poker major security issue

Quote:
Originally Posted by Unta8 View Post
Not really, my casino doesn't even exist.
[ ] understands the storage concerns

If you're trolling, gj, but seriously, turning off the casino doesn't fix the fact that they have major underlying issues in their architecture.

Don't mean to be a dick, but I do architect large systems, including authentication, for a living. I don't want somebody minimizing the concerns because of something they don't understand.
deafeye is offline   Reply With Quote
Old 03-11-2012, 02:42 PM   #18
banned
 
Join Date: Oct 2010
Posts: 127
Re: Lock poker major security issue

Quote:
Originally Posted by benza13 View Post
hey op, hope you don't mind but i cross posted this to the official lock forum where Rizen and Shane post. might make something happen. either way i'm peacing on the skin, just thought this would be more effective there.
By all means make as much noise as possible. They've had over 10 months to fix this on the down low.
deafeye is offline   Reply With Quote
Old 03-11-2012, 02:46 PM   #19
adept
 
kevinb1983's Avatar
 
Join Date: Dec 2006
Location: Northern Panhandle
Posts: 1,093
Re: Lock poker major security issue

I know Lock is still offering some affiliate deals and that other skins have dialed in somewhat but at this point they've pretty much proven to be one of, if not the #1 shadiest Merge skin to be playing on.

If you are on Merge, the little bit of extra value you get by playing on Lock has to be negated by the fact that they've turned a blind eye to quite a few major shenanigans.

In this environment it's certainly buyer beware! Why go with the one that raises the most flags?
kevinb1983 is offline   Reply With Quote
Old 03-11-2012, 02:51 PM   #20
Inspecting members
 
SGT RJ's Avatar
 
Join Date: Feb 2009
Location: Mourning Spock. And Snape.
Posts: 44,366
Re: Lock poker major security issue

As a reminder (or new info for those unaware), Lock is also the site that had Girah as a pro, and DQed him after he won a Lock challenge but has never been upfront about what they knew or when.

Girah won the challenge via a chip dump from DogIsHead, which even a blind chimpanzee should have been able to see during even a minimal audit.
SGT RJ is offline   Reply With Quote
Old 03-11-2012, 02:52 PM   #21
adept
 
Join Date: Jul 2010
Posts: 1,011
Re: Lock poker major security issue

Quote:
Originally Posted by kevinb1983 View Post
In this environment it's certainly buyer beware! Why go with the one that raises the most flags?
Greed?
2DMB2LIV is offline   Reply With Quote
Old 03-11-2012, 02:52 PM   #22
Carpal 'Tunnel
 
JimAfternoon's Avatar
 
Join Date: Mar 2011
Location: On Location
Posts: 6,903
Re: Lock poker major security issue

Is this issue the same across all Merge skins?

I tried it on RPM but I banned myself from the casino.
JimAfternoon is offline   Reply With Quote
Old 03-11-2012, 02:57 PM   #23
banned
 
Join Date: Oct 2010
Posts: 127
Re: Lock poker major security issue

Quote:
Originally Posted by JimAfternoon View Post
Is this issue the same across all Merge skins?

I tried it on RPM but I banned myself from the casino.
Don't have an account with any others, but it looks like no.
deafeye is offline   Reply With Quote
Old 03-11-2012, 03:05 PM   #24
Pooh-Bah
 
AllBlackDan's Avatar
 
Join Date: Nov 2008
Location: The Moon
Posts: 4,192
Fixing this will take money, most likely YOUR money

Glad I've not created an account on Merge
AllBlackDan is offline   Reply With Quote
Old 03-11-2012, 03:14 PM   #25
old hand
 
Join Date: Jun 2011
Posts: 1,748
Re: Lock poker major security issue

Quote:
Originally Posted by deafeye View Post
[ ] understands the storage concerns

If you're trolling, gj, but seriously, turning off the casino doesn't fix the fact that they have major underlying issues in their architecture.

Don't mean to be a dick, but I do architect large systems, including authentication, for a living. I don't want somebody minimizing the concerns because of something they don't understand.
Not even trolling. I literally can't log in to the casino, I understand it's a problem for everyone, but my casino doesn't exist and there is no way for me to view the source code.
unta8 is offline   Reply With Quote

All times are GMT -4. The time now is 05:36 AM.

