Pokerroom's chat was hacked twice this weekend. It was only viewable to those with the download client, but a player clearly not seated on the tables was spamming the chatbox. PR has no observer chat. As the de facto head of the Kick PR's Ass Movement over there, the Saturday chat hacker contacted me via PM. I had no idea who this guy was or what he could do when he requested my email addy to send me 'screenshots of collusion.' I never received them. He calls himself proX(tm), and claimed to be a friend of the so-called 'splices,' the hacker behind the securident site. He also showed me the lobby he created, and it was the real deal. Most insidious thing about the lobby he showed me was that it logged you into an account supposedly banned for life. He clearly demonstrated the vulnerability of PR's source code. While his effect on the games was purely psychological, I for one am of the opinion that it's only a matter of time before the two of them or someone else takes it to the next level.
The posting of personal information was the result of 'social engineering' pulled off by these same two people if their claim of "ownership" of the TotalBluff site on its emptied homepage was any indication of who did it. Reportedly, one or both of them swindled the provider into believing they were OwlLawyer, or some other TB admin and persuaded them to give them the Admin Passwords through the provision of some kind of information they should not have had. According to the grapevine, the pair wiped their server and then posted the content of TB Private Messages in Pokah containing phone numbers, passwords, flimsy accusations of collusion (one email was an offer of staking), and otherwise private personal conversations released for no other reason than individual humiliation. This was a Federal offense whoever did this, involving wire fraud and credit card fraud, and the FBI, reportedly, is investigating ProX(tm) and splices.
What I found most disgusting, excluding the pure maliciousness of the TB attack, was PR's complete inability to delete those posts on the spot. How the most BASIC of security measures, the removal of publicly posted private information, could not be effected by SOMEONE in their organization is unforgivable. Getting hacked is one thing. Getting used is another.
TOD THE MOD
Someone took the Java client and ran it through a decompiler. Now, this is not something that is difficult to do, and what you get out is a source code that will create the bytecode of the Java client, but in a pretty garbled state (depending on how intelligent the decompiler is). Doing this is against our Terms of Service, but it isn't something that we in any way can do anything about - you can run any program, Java or Windows binary through a decompiler and get something out from it.
The person then managed (which is quite impressive, I must admit) to figure out what certain parts of the source code would do - basically he figured out the structure of the program, to some extent.
The third stage of what he did was to alter the code in some ways (specifically regarding the chat functionality). Now, the chat functions are in no way connected to the actual game play. The game play is controlled by the game servers - they deal the cards, enforce the rules, award the pots etc. There is a big transaction system in the back end that makes sure that all bets are accounted for, all game actions valid and so on. The chat is different - it doesn't run through all the checks and balances that the actual playing of the game does. Because of this, the "hacker" managed to send incorrect chat information. Now, this is of course not good, and it has forced us to take a new look at how we handle chat on the server level. But also, there has been no breach of security when it comes to the game play.
The changes made to the client included a few other things - it was based on the Java client for one of the other operators in the Network, but identified itself as a PokerRoom.com client. The clients for different operators are almost identical - only graphical elements are changed, so what was done was something roughly equal to a "modding" of the client, in that it became a PokerRoom.com client with a different set of graphics.
The fact that he used the "hacked" client to log in with a blocked account is also something that we're now looking into. Normally when you log in with a blocked account an error code is sent back to the client and that is then handled by the client. He bypassed this error code handling routine, and because of this was able to log in anyway. This is probably the most serious part of the "hack", but still, it doesn't put anyone else's account at risk.
The second issue that has been brought up here was very nicely explained by djdaddio, and we, together with TotalBluff, are looking into that incident as well. I fully understand his frustration with the fact that personal information was posted in Pokah and not deleted for several hours - it was poor performance on our part, no doubt about that. The reason for it is quite simple though, and probably something the "hacker" counted on - the posts were made on Good Friday, at a time when the Support and Pokah staffing is on a natural low. Because of this it took too long for us to become aware of the posts, and hence remove them. For that we're very sorry.
Todd
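The two weaknesses Todd describes above, a "blocked account" error code that the client was trusted to act on, and a chat path that skipped the server-side checks the game play goes through, come down to the same design rule: the server must be the only authority, and a modified client must not be able to gain anything by ignoring what the server tells it. The model below is an added illustration and not PokerRoom.com code; the account names, table and error codes are constructed for the example. A blocked account never receives a session token, so a client that skips the error handling simply has nothing to present later, and every chat line is checked against the server's own seating list and session-to-account mapping before it is accepted.

```python
"""Server-side enforcement of login blocks and table chat.

Constructed example (not the operator's code). The server keeps the block
list, the seating chart and the session table; the client only carries a
token it was given and cannot manufacture authority by ignoring an error.
"""
from dataclasses import dataclass, field
import secrets

# Constructed error codes; the real client/server protocol is not shown on the page.
ERR_ACCOUNT_BLOCKED = "E_ACCOUNT_BLOCKED"
ERR_NO_SESSION = "E_NO_SESSION"
ERR_NOT_SEATED = "E_NOT_SEATED"
ERR_SPOOFED_SENDER = "E_SPOOFED_SENDER"


@dataclass
class Server:
    # Constructed state: one blocked account, one table with two seated players.
    blocked: set = field(default_factory=lambda: {"banned_for_life"})
    seats: dict = field(default_factory=lambda: {"table7": {"alice", "bob"}})
    sessions: dict = field(default_factory=dict)   # token -> account
    chat_log: list = field(default_factory=list)   # accepted (table, account, text)

    def login(self, account):
        """Return (token, None) on success or (None, error) on refusal.

        A blocked account is refused *before* any session exists, so the error
        code is informational only: whether or not the client honours it, there
        is no token for it to use afterwards.
        """
        if account in self.blocked:
            return None, ERR_ACCOUNT_BLOCKED
        token = secrets.token_hex(16)
        self.sessions[token] = account
        return token, None

    def chat(self, token, table, claimed_sender, text):
        """Accept a chat line only after the same kind of checks game actions get.

        The sender name in the message is never trusted: it must match the
        account bound to the session, and that account must actually be seated
        at the table the message is addressed to.
        """
        account = self.sessions.get(token)
        if account is None:
            return ERR_NO_SESSION
        if claimed_sender != account:
            return ERR_SPOOFED_SENDER
        if account not in self.seats.get(table, set()):
            return ERR_NOT_SEATED
        self.chat_log.append((table, account, text))
        return None


def ignoring_client(server, account):
    """Model a client that discards the login error code and proceeds anyway.

    It ends up with token None, which the server treats as no session at all.
    Returns the outcome of its attempt to chat at table7.
    """
    token, _error = server.login(account)        # error deliberately dropped
    return server.chat(token, "table7", account, "hello from a blocked account")


if __name__ == "__main__":
    s = Server()
    print("blocked account chat attempt:", ignoring_client(s, "banned_for_life"))
    tok, _ = s.login("alice")
    print("seated player chat:", s.chat(tok, "table7", "alice", "nh"))
    print("spoofed sender:", s.chat(tok, "table7", "bob", "not really bob"))
    print("accepted log:", s.chat_log)
```

The point of the `ignoring_client` helper is that the fix is not a sturdier error-handling routine in the client (which a decompiled and modified client can always remove again) but a server that hands out nothing a blocked account could use, and that validates chat exactly as it validates bets.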