Quote:
Originally Posted by GGcare
Tried to summarize it all, cause #GGcare
MoneyTaker69 exploited a vulnerability in the software, which made it possible for him to see the equity in real-time. He wouldn’t see the hole cards of the other players, but he’d always know his chance of winning the hand. Simply put, the server would know what cards the other players were holding, it’d calculate the equity based on this, regardless of whether there was an all-in situation, and MoneyTaker69 would tap into this info, always knowing whether he was ahead or behind. It’s possible the client-side hack by MoneyTaker69 would trigger additional equity calculations – that server side normally wouldn’t do it, unless there’s an all-in – but that’s equally bad, as it means GG never bothered putting an all-in condition in place for equity calculation.
MoneyTaker69 chose to make use of this exploit in such a moronic fashion that there’re only two possible explanations:
- He didn’t have the faintest idea about poker.
- He wanted to get caught and/or expose the GG security, or rather lack thereof.
While the case is great for shedding light on the dire state of GG security, it’s really about the bigger picture here. How was this made possible in the first place? How widespread is cheating on GG?
Firstly, GG’s use of Adobe AIR is a concern on its own. As they said in their statement: “since part of our desktop client leverages the Adobe Air framework, which has attack vectors that other frameworks do not”. Adobe AIR is part of the problem here, but it’s a symptom of a more severe issue: GG are prioritizing getting new features and games out, over the integrity and security of their games. There’s no good reason for using Adobe AIR, other than it enables them to release stuff faster than would have otherwise been possible, but it's at the cost of additional “attack vendors”/vulnerabilities. This is something they’re obviously aware of, and they’ve simply made the decision that game integrity can’t take priority.
It's not just about Adobe AIR though. There’re more concerns related to what seems to be a general trend of prioritizing time to market over everything else. As another member wrote earlier:
So many security flaws in the GG design:
- Calculating all-in equity prior to all-in state;
- Communicating all-in equity to client prior to all-in state;
- Communicating all-in equity in unencrypted format;
- Failing to force security updates to client before allowing further play;
- Concealing a known vulnerability from users even after it was apparent that it was known and exploited;
- Failing to conduct regular audits of accounts with extreme variance
Lastly, the way GG has handled this case is anything but confidence inspiring:
- According to their statement, they became aware of the issue on the 16th of December but never announced it. Only after public outcry, 13 DAYS LATER, they issued a statement. GG were aware their game integrity could be compromised but did not deem it necessary to let the players know. Or, almost worse: they had no idea how the vulnerability could be exploited.
- Once they issued a statement, they made sure to only do it on their .com blog, making the content unavailable to the majority of players, due to a redirect being in place.
- MoneyTaker69 was allegedly reported already on the 25th, but the report was dismissed. Only after it became a thing on 2+2 and X did GG act.
- They’ve proudly announced they’ll double the size of their “technical security team”. Great, but that means they’ve either had way too small a team (despite claiming to take security extremely seriously) or they’ve already got a big team but realize they’ve been operating with a fundamentally flawed model for the past year and foresee bigger challenges in the future, i.e. state of security is terrible. Regardless of the size of their security team, they must change their way of working. A bigger team will help, sure, but if time to market continues to be priority number one, it won’t be a fix.
Is it likely that MoneyTaker69 just doesn’t have the faintest idea about poker, that he simply didn’t want to become rich and that there’s no one else that took advantage of the issue? Millions could have been made – and perhaps have been made? – with this exploit. It must be considered unlikely that an individual who had the technical know-how to hack the all-in equity was such a dumbass when it comes to taking financial advantage of it. There’s at least a real possibility of this being significantly bigger than the one account.
This is what matters. The issue is GG's whole approach to security and how they prioritize speed of release over security, not the isolated incident (which may not be so isolated).
Trying to investigate chipdumping cases/cases with unnaturally high winrates, that doesn't make all that much sense, in the context of this specific issue. If multiple players took advantage of the exploit, it's unlikely they'll have done it as blatantly as MoneyTaker69. If it's been used in a smart way, there'll be no way for you to identify the perpetrators. GG might not even be able to do so, based on their blog post, as they likely don't have any server side logs that'd make it easy to identify. And if they do, there's no way they'll ever disclose it, if there's more than this one case.
If you live in a country where GG holds a local license, it could be worth flagging this to the local regulator, but it's unlikely they'll understand the severity of the issue.
The local regulator could demand a formal investigation and data to be shared with them.
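
An added example, not part of either post and not GG's code: a sketch of the server-side gating that the first two items of the flaw list in the quoted post call for, where all-in equity is neither calculated nor sent until no betting decision remains. The `Seat`/`Hand` model, `betting_closed`, `client_view` and the injected `equity_fn` are hypothetical names, and the hands used to exercise it are constructed.

```python
from dataclasses import dataclass

@dataclass
class Seat:
    name: str
    hole: tuple            # hole cards: server-side secret
    stack: int             # chips still behind
    folded: bool = False

@dataclass
class Hand:
    seats: list
    board: tuple = ()
    bets_matched: bool = True   # False while a wager awaits a response

def betting_closed(hand):
    """True only when no player can make another decision in this hand:
    at least two live players, every wager matched, and at most one of
    them still has chips behind (a true all-in runout)."""
    live = [s for s in hand.seats if not s.folded]
    with_chips = [s for s in live if s.stack > 0]
    return len(live) >= 2 and hand.bets_matched and len(with_chips) <= 1

def client_view(hand, viewer, equity_fn):
    """Build the state message for one recipient.

    equity_fn (assumed, injected) is invoked only after betting is
    closed, so no value derived from hidden cards exists to be sent,
    encrypted or not, while a decision is still pending."""
    closed = betting_closed(hand)
    view = {"board": hand.board, "seats": []}
    for s in hand.seats:
        # Own cards always; opponents' cards only at the all-in reveal.
        show = s.name == viewer or (closed and not s.folded)
        view["seats"].append({
            "name": s.name,
            "stack": s.stack,
            "folded": s.folded,
            "hole": s.hole if show else None,
        })
    if closed:
        view["equity"] = equity_fn(hand)
    return view
```

Because the gate sits where the message is built rather than in the client, a modified client has no field to read and no request that triggers the calculation early.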