SECURITY ISSUE: Personal documents posted to the open web

06-21-2018 , 09:19 AM
I just received a customer satisfaction survey (lol) about my cash out. It included the file name of the bank statement I sent to Global which DIRECTLY LINKED TO THAT DOCUMENT ON A NON-PASSWORD PROTECTED WEB SITE.

YOU PUT MY BANK STATEMENT ON THE OPEN WEB

ARE YOU ****ING INSANE?
06-21-2018 , 09:36 AM
Do you mean the rate our customer service reviews?

Dude, they don't put your documents anywhere, that's ridiculous; it just links to Zendesk. The reason you could see your documents is because you were already signed in through your email (Global Poker account), and you can see the docs that you sent in on your ticket.

I can assure you Zendesk is very safe and password protected. I'm sure when a moderator gets in here they will say the same thing, there's nothing to worry about there.
06-21-2018 , 09:44 AM
If it occurred through zendesk, then you should be fine.

https://www.privacyshield.gov/partic...&status=Active

They are a security shield approved company in the US and the EU. I'm sure other nations are part of it, but not listed in that link.

If it was through a third party....I'd be rightfully concerned.
06-21-2018 , 10:08 AM
I am not signed into Zendesk. I have never created a Zendesk account. I just opened the link from a separate computer that has never been used for anything related to Global or Zendesk. Then I opened the link through my phone to see what would happen with a different IP address. It opened just fine both times.

This document is available to anybody in the world who puts the link in their browser. This is seriously ****ed up.
06-21-2018 , 10:09 AM
If anybody out there has links to documents on Zendesk, please find a way to test those links without being logged in anywhere.
06-21-2018 , 12:33 PM
Yeah.... this seems to be a thing
06-21-2018 , 12:42 PM
I've been in contact with one mod who I believe will be posting ITT later. I also have a PM out to Bobo Fett offering to share the link with him for confirmation of what I have said.
06-21-2018 , 12:46 PM
I can confirm that I was able to see a copy of zikzak's bank statement from a link he sent me. The link was to Chumba Casino's subdomain on zendesk, and I was able to see the statement without being logged into zikzak's zendesk account.
06-21-2018 , 12:53 PM
I'm guessing this feels similar to how J-Law felt during the fappening.
06-21-2018 , 12:55 PM
It would be in violation of the ECPA and the right to a reasonable expectation of privacy. If anyone can take that link and attain access to someone else's personal data, Global would be at an incredible level of risk.

The way they handled this roll-out certainly suggests they could **** up any aspect of logical business sense.
06-21-2018 , 12:56 PM
It would be really helpful if other people who have uploaded documents through Zendesk can check to see if they can be accessed by anybody with just a web address. Right now I don't know if this is a one-off fluke event or if Zendesk/Global are routinely storing customer documents on a completely unsecured website.

The format of the URL I received via email is:

https://chumbacasino.zendesk.com/attachments/token/[random token string]/?name=[uploaded file name]

This URL then forwards to:

https://p5.zdusercontent.com/attachment/[long random string]

which displays the uploaded document. At no point are there any login steps or other security measures.
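The check this post describes (open the link from a machine with no Global or Zendesk session and see whether the document is served) can be scripted so that a user auditing their own links gets a clear verdict. This is an added example, not code from the thread or from Zendesk; it assumes the URL shape quoted above, uses a cookieless client that follows the redirect hop by hop, and takes an injectable `fetch` so it can be exercised offline with constructed responses.

```python
"""Audit whether a Zendesk-style attachment link is readable without any session.
Added example; the hostnames and tokens used in comments are constructed."""
import urllib.request
import urllib.error
from urllib.parse import urlparse, parse_qs


def parse_attachment_link(url):
    """Return (token, filename) for .../attachments/token/<token>/?name=<file>, else None."""
    u = urlparse(url)
    parts = [p for p in u.path.split("/") if p]
    if len(parts) >= 3 and parts[0] == "attachments" and parts[1] == "token":
        name = parse_qs(u.query).get("name", [""])[0]
        return parts[2], name
    return None


def urllib_fetch(url):
    """Default fetcher: one anonymous request, no cookies, redirects NOT followed.
    Returns (status_code, Location header or None)."""
    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, *args, **kwargs):
            return None  # make urllib raise HTTPError on 3xx instead of following
    opener = urllib.request.build_opener(NoRedirect)
    try:
        resp = opener.open(url, timeout=10)
        return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as e:
        return e.code, e.headers.get("Location")


def check_exposure(url, fetch=urllib_fetch, max_hops=5):
    """Walk the redirect chain with an anonymous client and classify the end state.
    'public' means the final hop served the content (HTTP 200) to a request that
    carried no session at all, which is the failure mode reported in the thread."""
    hops = [url]
    for _ in range(max_hops):
        status, location = fetch(hops[-1])
        if status in (301, 302, 303, 307, 308) and location:
            hops.append(location)  # e.g. zendesk.com/attachments/token/... -> zdusercontent.com
            continue
        if status == 200:
            return "public", hops
        if status in (401, 403):
            return "protected", hops
        return "unavailable", hops
    return "redirect-loop", hops
```

Run it only against links to your own documents; a "public" verdict with two hops reproduces exactly the token-link-then-storage-host behaviour the post describes.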
06-21-2018 , 01:00 PM
Quote:
Originally Posted by zikzak
It would be really helpful if other people who have uploaded documents through Zendesk can check to see if they can be accessed by anybody with just a web address. Right now I don't know if this is a one-off fluke event or if Zendesk/Global are routinely storing customer documents on a completely unsecured website.

The format of the URL I received via email is:

https://chumbacasino.zendesk.com/attachments/token/[random token string]/?name=[uploaded file name]

This URL then forwards to:

https://p5.zdusercontent.com/attachment/[long random string]

which displays the uploaded document. At no point are there any login steps or other security measures.
Says no longer available, client is no longer using zendesk
06-21-2018 , 01:15 PM
Quote:
Originally Posted by zikzak
It would be really helpful if other people who have uploaded documents through Zendesk can check to see if they can be accessed by anybody with just a web address. Right now I don't know if this is a one-off fluke event or if Zendesk/Global are routinely storing customer documents on a completely unsecured website.

The format of the URL I received via email is:

https://chumbacasino.zendesk.com/attachments/token/[random token string]/?name=[uploaded file name]

This URL then forwards to:

https://p5.zdusercontent.com/attachment/[long random string]

which displays the uploaded document. At no point are there any login steps or other security measures.
Works the same way for the email I got from them. They asked for feedback and included a link to my bank statement. The link is in the same format that you posted.
06-21-2018 , 01:40 PM
Quote:
Originally Posted by a dewd
Says no longer available, client is no longer using zendesk
Regardless... the image is being stored on zdusercontent.com and still accessible starting with the chumbacasino.zendesk.com link
06-21-2018 , 01:43 PM
Quote:
Originally Posted by OnMyGrizzy
Regardless... the image is being stored on zdusercontent.com and still accessible starting with the chumbacasino.zendesk.com link
The link didn't work when I clicked it, but regardless....the fact that it ever was is, as explained, immense carelessness and stupidity. If the computer used to access had some keylogger hidden, the other side would now have access to it.

It just reeks of extremely unprofessional action and clueless mgmt.
06-21-2018 , 01:44 PM
There's someone on the backend of this website with ZERO clue of security then.

If this is true, which it seems it's been confirmed ITT, even though their website is built on the React framework (I'm a developer, experienced in this) which was uplifting for me to see, I have much, much less faith in their site seeing this.

Now I'm suspect of the fact they post public identifiable hand tokens to each table during the hand, and multiple other things. Who says someone isn't somehow decrypting the action/flop/card states/observables back to the tables then?

What the, you guys make millions of dollars and can't even set up CORS rules or some basic-ass protection?

Get real, I'm cashing out my balance ASAP.
06-21-2018 , 01:47 PM
Ya uhhhhhh this is completely ****ed....
06-21-2018 , 01:51 PM
Quote:
Originally Posted by a dewd
The link didn't work when I clicked it
The links still work if you have the token string and file name
06-21-2018 , 02:00 PM
Lol, it's not even worth cashing out at this point if your balance is kinda low.
06-21-2018 , 02:04 PM
Quote:
Originally Posted by OnMyGrizzy
The links still work if you have the token string and file name
Ugh, my bad. I didn't notice the 'random string' aspect of the link.
06-21-2018 , 02:11 PM
Yeah, I'm not actually gonna post the full link to my bank statement ITT.
06-21-2018 , 02:18 PM
Kinda sad how many online poker starved Americans thought Global Poker was their savior.

Global Poker is the ultimate nut low in everything.

It amazes me so many people still play on there, when there are so many better online sites that are open to the U.S. with crypto.
06-21-2018 , 02:25 PM
So anyway, now that we have confirmation from other people it's worth pointing out that just because this is the first time some of us have had access to these links doesn't mean these are the only personal documents being stored on the open web. In fact it's pretty reasonable to assume that everything uploaded to Zendesk is just sitting out there on an unsecured server, waiting for somebody to hit the right URL.

This would have been massively inept security 20 years ago. To have it happen in 2018 is absolutely mind boggling.
06-21-2018 , 02:33 PM
Also worth pointing out is that Global and Zendesk surely know about this by now, but that server is still up and operating, with all our identity documents and bank statements on it.
06-21-2018 , 02:45 PM
I will say that things like Zendesk almost certainly come with protection against this type of thing and even if not, protecting it by login is a pretty simple process.

If they paid someone to write such a sophisticated poker app, surely the oversight on the support side of things says something.

Very concerning. Joey/Kimbr, please chime in and notify your superiors immediately, just for your own sakes and to keep your jobs when someone drags the entire company through a massive lawsuit.

PS: In before someone says the 'randomly appended string' is enough security. It doesn't matter. A non-sophisticated crawler, even one written in a low-level language, could easily discover these documents, even if they're set to noindex, nofollow, and behind a usergroup permissions setting (CHMOD) on the web server.