Quote:
Originally Posted by EddieKing
Hi All,
My name is Eddie Harari and I am the one who wrote the article on GG networking security hole:
https://cardplayerlifestyle.com/ggne...-player-names/
I had a few meetings with technical people from the GG team and I have sent them an email about the ability to view hole cards in certain conditions (I had the ability to see hole cards in NEAR real time).
I also told GG about the possibility of such an incident, and I was more concerned about the fact that they are not monitoring the action as they claim to do. I also offered to help them with real data monitoring and RTA detection.
Their response was: Thank you but we know what we are doing, they were more concerned about fishing sites than discovering cheaters in the software.
I think it is very likely that this "hack" is one of two options:
1. Superuser-like activity - GG networking has a "back-door" to view hole cards in real time.
2. Race condition in the Craft interface - Viewing live cards of all the players via the CRAFT interface.
I have sent GG networking a proof of concept where I can view cards about 5 seconds after the hand is over / this includes hole cards of all players (even the people who mucked). I also told them that I suspect that given a little time and research I may gain the ability to beat the 5 seconds and see the hole cards in real time.
GG dismissed my claims and told me they are monitoring all players and such an incident can't happen on their site.
Aren't the important caveats here:
a) That your exploit pertained only to snooping the local network traffic of a specific player? As I understood it from that blog post (but correct me if I'm wrong!), you could not see _all_ player hole card information; rather, hole card info sent to each player across the network unencrypted. Thus, it was not a potential "superuser" situation you found, rather a potential local exploit on insecure wifi against a specific player?
b) that GG responded and said they had implemented SSL encryption to fix the hole?
These are genuine, good faith questions, not rhetorical. Just trying to understand.
> I have sent GG networking a proof of concept where I can view cards about 5 seconds after the hand is over / this includes hole cards of all players (even the people who mucked). I also told them that I suspect that given a little time and research I may gain the ability to beat the 5 seconds and see the hole cards in real time.
It would be insane if their systems made it even _feasible_ for PokerCraft network traffic to send holecard information _while the hand is in play_. I know you say you're confident you can beat the 5 seconds... but there's a world of difference between "see hole card information immediately after hand is over" and "before hand is over". I'd like to think that "before hand is over" was basically impossible i.e. never exposed through their API at a very low level. Does your research indicate that this is indeed possible?
Last edited by Hood; 12-29-2023 at 07:14 AM.