Quote:
Originally Posted by dougmanct
While I appreciate the passion, what you're going to end up discovering is that the RTG software isn't that stupid. Regardless of the client being Flash, at the end of the day all it does is make an XML request to the server for each "spin" saying "please play x lines at x credits per line". The server returns a set of results (reel values, amounts won, whether a random jackpot hit, updated balances, etc.). You aren't going to be able to manipulate the client in any way to influence the outcome of the games, even if you recreate the exact full source.
Agreed. 'Hacking' the client is (hopefully!) just going to change how things behave on your end, not the actual rolls/RNGs/actions at the server. In theory. Hopefully. (In the old days, MMORPG servers used to be rather trusting of clients, because they weren't fast enough to keep up themselves. This is how most RPG "speed hacks" originated.)
Mind you, if you'd asked me a few weeks ago, I wouldn't have guessed that passwords would be inserted in cleartext into the Flash player. So I applaud the testing effort.
My 2c about the cleartext password thing in general:
1. We can't draw any direct conclusions about the way Lock Poker stores passwords on their end just going by this discovery alone -- as has been pointed out, all the stuff being inspected here is client-side only.
2. In saying that, it's awful practice, so perhaps they're just bad at security in general. They probably need an audit or two.
3. Even if they DO store server-side passwords very securely and the only problem is the cleartext password stored in our browser, this is potentially still a huge risk -- XSS, XDH, etc. -- all that's needed is some nasty drive-by javascript (perhaps a malicious banner advertiser on Lock, or even some content embedded by a malicious user in a forum post, comment, etc., fake site hosting their flash player, etc.) and your cleartext password could be exposed to Bad Guys without any communication to Lock's auth servers.
4. Disclaimer: I'm a developer and ex-sysadmin, but not a security professional
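To illustrate the server-authoritative model dougmanct describes (client sends "play x lines at x credits per line", server alone decides the outcome), here is an added example that is not from the thread or from RTG: a hypothetical spin handler that reads only the bet parameters from the XML request, validates them against the balance, and derives the reels from a server-side CSPRNG, so nothing the client adds to the request can change the result. The request format, pay table and limits are constructed for the example.

```python
import secrets
import xml.etree.ElementTree as ET

# Constructed pay table: symbol -> multiplier paid on three of a kind (hypothetical values).
PAYTABLE = {"7": 50, "BAR": 20, "CHERRY": 5, "BLANK": 0}
SYMBOLS = list(PAYTABLE)
MAX_LINES = 20
MAX_CREDITS_PER_LINE = 5

# Server-side CSPRNG; the client never sees its state and cannot influence it.
_rng = secrets.SystemRandom()


def spin(request_xml: str, balance: int, pick=_rng.choice) -> dict:
    """Handle one <spin lines="x" credits="y"/> request (constructed format).

    Only the 'lines' and 'credits' attributes are read. Any other attribute or
    child element the client sends (e.g. a forged <result won="..."/>) is ignored,
    which is why tampering with the client cannot alter the outcome.
    'pick' is injectable only so the handler can be tested deterministically.
    """
    root = ET.fromstring(request_xml)
    if root.tag != "spin":
        raise ValueError("unexpected request type")
    lines = int(root.get("lines", "0"))
    credits = int(root.get("credits", "0"))
    # Enforce bet limits server-side; never trust client-reported balance either.
    if not (1 <= lines <= MAX_LINES and 1 <= credits <= MAX_CREDITS_PER_LINE):
        raise ValueError("bet out of range")
    bet = lines * credits
    if bet > balance:
        raise ValueError("insufficient balance")
    # Outcome is generated here, from the server's own randomness.
    reels = [pick(SYMBOLS) for _ in range(3)]
    won = PAYTABLE[reels[0]] * bet if reels[0] == reels[1] == reels[2] else 0
    return {"reels": reels, "won": won, "balance": balance - bet + won}
```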