Lock poker major security issue

03-11-2012 , 07:35 PM
Quote:
Originally Posted by txpstwx
I can't make it work. I can only see a hashed pass.
I see that now as well, as well as my user name being ENCODED.

I also see that it took me posting it on 2p2 to get any response, but when I emailed over 10 months ago it got nothing.

Thanks a ton for the 1 line of code response, when I figure out which encoding mechanism it is (because I tested base 64) I will let the forum know as well.

I appreciate the quick update, but it would have been nice if they SAID SOMETHING.

Also, I know for A FACT, that this is a reversible and crackable 2 way encoding, otherwise you wouldn't need to pass the variables off at all.

Please, update your FLASH SOFTWARE to use the already authenticated session, and use ONE WAY ENCRYPTION not TWO WAY ENCODING.

It sounds like a huge pain in the ass, but the reality is, you're just obfuscating, not protecting, people's data that protects finances. It is pathetic that you have not addressed this situation and more pathetic that you are attempting to sweep it under the rug like you won't be called out on your halfassed shenanigans.

So, to sum up, good quick fix, now FIX IT FOR REAL
03-11-2012 , 07:44 PM
Quote:
Originally Posted by deafeye
I see that now as well, as well as my user name being ENCODED.

I also see that it took me posting it on 2p2 to get any response, but when I emailed over 10 months ago it got nothing.

Thanks a ton for the 1 line of code response, when I figure out which encoding mechanism it is (because I tested base 64) I will let the forum know as well.

I appreciate the quick update, but it would have been nice if they SAID SOMETHING.

Also, I know for A FACT, that this is a reversible and crackable 2 way encoding, otherwise you wouldn't need to pass the variables off at all.

Please, update your FLASH SOFTWARE to use the already authenticated session, and use ONE WAY ENCRYPTION not TWO WAY ENCODING.

It sounds like a huge pain in the ass, but the reality is, you're just obfuscating, not protecting, people's data that protects finances. It is pathetic that you have not addressed this situation and more pathetic that you are attempting to sweep it under the rug like you won't be called out on your halfassed shenanigans.

So, to sum up, good quick fix, now FIX IT FOR REAL
Ive seen Jennifer Carson nude dont worry she doesnt encode anything . I also have a video of her talking **** about her own site Lock that she is the CEO of lmao. Is this a prime time to release it?
03-11-2012 , 07:53 PM
You know what, the way lock has gone about this has pissed me off enough where I'm announcing what I'm going to do and encourage and present all other hackers (software developers) with this challenge.

Any flash/actionscript can be decompiled and reconstructed so you can work with virtually 100% of the original source. Their casino games are in flash. Now, whether or not they get the probabilities of winning the games from a web service or not is irrelevant, because you could potentially alter the source to bypass those calls and always return true.

I am going to actively work on cracking this in my spare time, and when I get a "solution", I'm not going to abuse it myself, but am instead going to release it publicly for anyone at 2p2 to use if they so choose. I will test this 100% on play money servers to avoid committing an "illegal" act, but can and will not guarantee all that have the potential to use it will do the same.

The ball is in your court now lock, because I know you're finally listening. You better make this a priority to get your **** secure or there will be hell to pay, quite literally.

And you can ban me from your casino all you want I don't give a flying ****. I'm no longer playing poker for a living so I don't need the spew money I have on your site. It will happen, and if you don't take it seriously, you will go out of business, because I know there are scumbags drooling over the chance to use an exploit that I release.

Now, if you ask me for HELP, I will gladly assist you in making a secure site, and URGE you to reach out. My interest is protecting people.

edt: Also, Rizen, your explanation is ****ing garbage. If you really did fix this and didn't QA every single release, then you're not even coming close to doing your job. In fact, you didn't QA it enough to the point where I caught it in the first place. **** your PR. Don't act like the poker community is stupid and can be fooled into thinking you know what you're doing just because you have "scrum meetings" and an "agile process." Un-****ing forgivable.
03-11-2012 , 08:36 PM
Quote:
Originally Posted by Unta8
God damn idiots at lock I swear. Luckily I have my casino disabled.
Now with the new cashier option, you will need to enable it to withdraw or deposit. It is a red alarm in my nbook being from a security IT. Think about it. If the post would be able to copy/paste source on two plus two, can you imagine the $$ it would be for someone to have that information sold to the black market.

Please US regulate online poker. Come on. This is all we got. Now I am convinced to jump ship. Going to the cage for my money $$$.
03-11-2012 , 10:15 PM
Quote:
Originally Posted by deafeye
You know what, the way lock has gone about this has pissed me off enough where I'm announcing what I'm going to do and encourage and present all other hackers (software developers) with this challenge.

Any flash/actionscript can be decompiled and reconstructed so you can work with virtually 100% of the original source. Their casino games are in flash. Now, whether or not they get the probabilities of winning the games from a web service or not is irrelevant, because you could potentially alter the source to bypass those calls and always return true.

I am going to actively work on cracking this in my spare time, and when I get a "solution", I'm not going to abuse it myself, but am instead going to release it publicly for anyone at 2p2 to use if they so choose. I will test this 100% on play money servers to avoid committing an "illegal" act, but can and will not guarantee all that have the potential to use it will do the same.

The ball is in your court now lock, because I know you're finally listening. You better make this a priority to get your **** secure or there will be hell to pay, quite literally.

And you can ban me from your casino all you want I don't give a flying ****. I'm no longer playing poker for a living so I don't need the spew money I have on your site. It will happen, and if you don't take it seriously, you will go out of business, because I know there are scumbags drooling over the chance to use an exploit that I release.

Now, if you ask me for HELP, I will gladly assist you in making a secure site, and URGE you to reach out. My interest is protecting people.

edt: Also, Rizen, your explanation is ****ing garbage. If you really did fix this and didn't QA every single release, then you're not even coming close to doing your job. In fact, you didn't QA it enough to the point where I caught it in the first place. **** your PR. Don't act like the poker community is stupid and can be fooled into thinking you know what you're doing just because you have "scrum meetings" and an "agile process." Un-****ing forgivable.
Wow, you are seriously badazz when it comes to this. Wish I knew half enough about all that to be able to be, too. I like what you're saying and doing, as this is a serious issue. Keep this updated, please.
03-11-2012 , 10:33 PM
Quote:
Originally Posted by deafeye
You know what, the way lock has gone about this has pissed me off enough where I'm announcing what I'm going to do and encourage and present all other hackers (software developers) with this challenge.

Any flash/actionscript can be decompiled and reconstructed so you can work with virtually 100% of the original source. Their casino games are in flash. Now, whether or not they get the probabilities of winning the games from a web service or not is irrelevant, because you could potentially alter the source to bypass those calls and always return true.

I am going to actively work on cracking this in my spare time, and when I get a "solution", I'm not going to abuse it myself, but am instead going to release it publicly for anyone at 2p2 to use if they so choose. I will test this 100% on play money servers to avoid committing an "illegal" act, but can and will not guarantee all that have the potential to use it will do the same.

The ball is in your court now lock, because I know you're finally listening. You better make this a priority to get your **** secure or there will be hell to pay, quite literally.

And you can ban me from your casino all you want I don't give a flying ****. I'm no longer playing poker for a living so I don't need the spew money I have on your site. It will happen, and if you don't take it seriously, you will go out of business, because I know there are scumbags drooling over the chance to use an exploit that I release.

Now, if you ask me for HELP, I will gladly assist you in making a secure site, and URGE you to reach out. My interest is protecting people.

edt: Also, Rizen, your explanation is ****ing garbage. If you really did fix this and didn't QA every single release, then you're not even coming close to doing your job. In fact, you didn't QA it enough to the point where I caught it in the first place. **** your PR. Don't act like the poker community is stupid and can be fooled into thinking you know what you're doing just because you have "scrum meetings" and an "agile process." Un-****ing forgivable.
While I appreciate the passion, what you're going to end up discovering is that the RTG software isn't that stupid. Regardless of the client being flash, at the end of the day all it does is make an XML request to the server for each "spin" saying "please play x lines at x credits per line". The server returns a set of results (reel values, amounts won, whether a random jackpot hit, updated balances, etc). You aren't going to be able to manipulate the client in any way to influence the outcome of the games even if you recreate exact full source.
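
An added example, not part of the post above and not RTG's or Lock's code: a minimal server-authoritative spin handler of the kind the post describes, where the request carries only the bet and any outcome fields a modified client adds are ignored. The XML element and attribute names, the bet limits and the payout rule are assumptions made up for illustration.

```python
import secrets
import xml.etree.ElementTree as ET

# Assumed limits and payout rule, made up for this example.
MAX_LINES, MAX_CREDITS = 25, 10
SYMBOLS = ["cherry", "bar", "bell", "seven"]
_RNG = secrets.SystemRandom()  # OS CSPRNG; lives only on the server


def handle_spin(request_xml, balance, rng=_RNG):
    """Settle one spin. Returns (response_dict, new_balance).

    Only the bet (lines, credits) is read from the request. The balance
    comes from server state and the outcome from the server's RNG.
    """
    if "<!" in request_xml:
        # Refuse DTDs and entity declarations before parsing.
        raise ValueError("DTD or entity declaration not allowed")
    try:
        root = ET.fromstring(request_xml)
        lines = int(root.get("lines", ""))
        credits = int(root.get("credits", ""))
    except (ET.ParseError, ValueError):
        raise ValueError("malformed spin request") from None
    if root.tag != "spin":
        raise ValueError("unexpected request type")
    if not (1 <= lines <= MAX_LINES and 1 <= credits <= MAX_CREDITS):
        raise ValueError("bet out of range")
    stake = lines * credits
    if stake > balance:
        raise ValueError("insufficient balance")

    # Outcome is decided here; nothing the client sent can influence it.
    reels = [rng.choice(SYMBOLS) for _ in range(3)]
    win = stake * 5 if len(set(reels)) == 1 else 0
    new_balance = balance - stake + win
    return {"reels": reels, "win": win, "balance": new_balance}, new_balance


if __name__ == "__main__":
    # Constructed request from a modified client that adds its own outcome.
    tampered = ('<spin lines="5" credits="2" win="99999" balance="1000000">'
                '<reels>seven,seven,seven</reels></spin>')
    print(handle_spin(tampered, balance=100))
```
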
03-11-2012 , 10:51 PM
Quote:
Originally Posted by dougmanct
While I appreciate the passion, what you're going to end up discovering is that the RTG software isn't that stupid. Regardless of the client being flash, at the end of the day all it does is make an XML request to the server for each "spin" saying "please play x lines at x credits per line". The server returns a set of results (reel values, amounts won, whether a random jackpot hit, updated balances, etc). You aren't going to be able to manipulate the client in any way to influence the outcome of the games even if you recreate exact full source.
Depends on how they implemented the client tbh. Obviously there is some hacky custom work done. Posting another in NVG, because after thought it is clear we are being blatantly lied to.

While in optimal scenarios, everything is handled server side like you described, I highly doubt the developers who dealt with this custom job kept that in mind, seeing as plain text passwords were acceptable to them, and the QA team.
03-11-2012 , 11:19 PM
Quote:
Originally Posted by OmahaImHigh
Ive seen Jennifer Carson nude dont worry she doesnt encode anything . I also have a video of her talking **** about her own site Lock that she is the CEO of lmao. Is this a prime time to release it?
This would stir up a lot of ****. Post please.
03-11-2012 , 11:42 PM
Quote:
Originally Posted by dougmanct
While I appreciate the passion, what you're going to end up discovering is that the RTG software isn't that stupid. Regardless of the client being flash, at the end of the day all it does is make an XML request to the server for each "spin" saying "please play x lines at x credits per line". The server returns a set of results (reel values, amounts won, whether a random jackpot hit, updated balances, etc). You aren't going to be able to manipulate the client in any way to influence the outcome of the games even if you recreate exact full source.
Agreed. 'Hacking' the client is (hopefully!) just going to change how things behave on your end, not the actual rolls/RNGs/actions at the server. In theory. Hopefully. (in the old days, MMORPG servers used to be rather trusting of clients, because they weren't fast enough to keep up themselves.. this is how most RPG "speed hacks" originated)

Mind you, if you'd asked me a few weeks ago, I wouldn't have guessed that passwords would be inserted in cleartext into the flash player. So I applaud the testing effort

My 2c about the cleartext password thing in general:

1. We can't draw any direct conclusions about the way Lock poker store passwords on their end just going by this discovery alone -- as has been pointed out, all the stuff being inspected here is client-side only.

2. In saying that, it's awful practice, so perhaps they're just bad at security in general. They probably need an audit or two.

3. Even if they DO store server-side passwords very securely and the only problem is the cleartext password stored in our browser, this is potentially still a huge risk -- XSS, XDH, etc. -- all that's needed is some nasty drive-by javascript (perhaps a malicious banner advertiser on Lock, or even some content embedded by a malicious user in a forum post, comment, etc., fake site hosting their flash player, etc.) and your cleartext password could be exposed to Bad Guys without any communication to Lock's auth servers.

4. Disclaimer: I'm a developer and ex-sysadmin, but not a security professional
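
An added example, not part of the post above and not Lock's code: one way to keep the password out of the page entirely, in line with the earlier request in this thread to "use the already authenticated session", is to hand the embedded client a short-lived, single-use token bound to that session. The key handling, lifetime and token layout are assumptions.

```python
import base64
import hashlib
import hmac
import secrets
import time

SERVER_KEY = secrets.token_bytes(32)  # assumption: secret held only by the server
TOKEN_TTL = 120                       # seconds; assumed lifetime


def _b64(data):
    return base64.urlsafe_b64encode(data).decode()


def issue_launch_token(session_id, now=None, key=SERVER_KEY):
    """Token to embed in the page instead of the user's password."""
    issued = int(time.time() if now is None else now)
    payload = f"{session_id}|{issued + TOKEN_TTL}|{secrets.token_hex(8)}".encode()
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(tag)


def verify_launch_token(token, session_id, used_nonces, now=None, key=SERVER_KEY):
    """Accept a token once, for its own session, before it expires."""
    try:
        p64, t64 = token.split(".")
        payload = base64.urlsafe_b64decode(p64)
        tag = base64.urlsafe_b64decode(t64)
    except ValueError:  # wrong shape or bad base64
        return False
    # Authenticate first; parse the payload only after the MAC checks out.
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return False
    sid, expires, nonce = payload.decode().rsplit("|", 2)
    now = time.time() if now is None else now
    if sid != session_id or now > int(expires) or nonce in used_nonces:
        return False
    used_nonces.add(nonce)  # single use: a captured token cannot be replayed
    return True
```

A script that reads this value out of the page gets something that expires in two minutes and works once for one session, rather than a reusable credential.
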
03-12-2012 , 04:07 AM
Well Eric (Lynch) you seem to always find the poker sites to be involved with the flawed security and scandals. Nice Job. I hope this gets fixed and is not an issue on other merge skins.
03-12-2012 , 04:37 AM
lol at his "explanation"


that's some raw BS
03-12-2012 , 08:54 AM
The casino software can not even accurately display a current balance. For example, play some craps...your balance goes up or down to an amount ...let's call it 125.00. Now you want to transfer it back to your poker cashier. You exit the craps screen and a total is displayed in the cashier lobby. The total says 119.25 or something that does not match the total left in the game. You have to exit the casino and re-start the casino for the balance to show correctly so you can transfer it.

If you try to transfer the amount you know you have without exiting and re-entering it does not allow the full balance to transfer over. That little quirk is indicative of all that is odd about the casino at Lock.

How can an RNG be certified or even assumed to work correctly when a balance is not even accurately displayed?

It's a fun little casino but an ill-programmed cash grab for Lock
03-12-2012 , 12:45 PM
Quote:
Originally Posted by Byrung
This situation is pretty messed up. I've read through a tonne of these lock poker threads and I must say I'm surprised that 2+2 allows them to have a sub forum here. What is the reason they are allowed here? I'm actually curious as to the answer.
+1
their rakeback thing is such a mess... we really needa get rid of the shady poker sites
03-12-2012 , 02:18 PM
Looking forward to pics
03-12-2012 , 04:21 PM
Quote:
Originally Posted by deafeye
I am going to actively work on cracking this in my spare time, and when I get a "solution", I'm not going to abuse it myself, but am instead going to release it publicly for anyone at 2p2 to use if they so choose. I will test this 100% on play money servers to avoid committing an "illegal" act, but can and will not guarantee all that have the potential to use it will do the same.
Wow, monster fail. Here's what you should do:

Crack it, then play a lot of casino games 'honestly' but every now and then activate your crack, so it looks like you're playing properly and just running slightly good. You should be able to fleece them for hundreds of thousands over time, especially if they never catch on.

They have no legal recompense, all they can do is close your account but it will be too late.
03-12-2012 , 07:22 PM
Quote:
Originally Posted by Kittens
Wow, monster fail. Here's what you should do:

Crack it, then play a lot of casino games 'honestly' but every now and then activate your crack, so it looks like you're playing properly and just running slightly good. You should be able to fleece them for hundreds of thousands over time, especially if they never catch on.

They have no legal recompense, all they can do is close your account but it will be too late.
No, you aren't getting it. Deafeye is a good guy. He (or she) doesn't want to steal or cheat. Lock isn't afraid of him.

On the other hand, threatening to expose the crack to people who think like you should force Lock to take action. Because Lock should be very afraid of people like you.
03-13-2012 , 12:58 AM
How do you change your casino password?