
iPoker Login - serious security flaw

  • 04-01-2008 5:19am
    #1
    Registered Users, Registered Users 2 Posts: 99 ✭✭


    This mainly applies to those players who use unsecured computers, such as those in internet cafes, so won't apply to most posters here I assume. Your password will not be visible to others, but they will be able to log into your account from that PC if you either

    a) do not uninstall the software after use
    or
    b) login more than once and uncheck the remember password box on your second login.

    The issue is this...

    1. Download the software and install onto a PC
    2. Login as normal and ensure the 'Remember Password' box is unchecked
    3. Close the software
    4. Re-open the software and you will see that your username (visible) and password (encrypted) will be there and the 'Remember Password' checkbox will be checked despite you having it unchecked previously.

    This leaves your account seriously compromised (on that PC only). I informed the skin I use over two weeks ago, and apparently the issue has been raised with Playtech. There has been no warning mail sent out to users in the meantime warning of this risk, or if there has, I certainly didn't receive it, so I posted this in case there is anyone else here who has the misfortune to have to use an internet cafe to play.


Comments

  • Registered Users, Registered Users 2 Posts: 39,900 ✭✭✭✭Mellor


    A much quicker solution is to log out before you close and then log in (or try to) with an incorrect password.


  • Closed Accounts Posts: 149 ✭✭leaba


    I remember a thread on this same flaw months ago. I also remember at least one thread about a guy whose account had been compromised in an internet cafe. IIRC he assumed he'd done something stupid.

    Any of the guys working for IPoker skins gonna make a comment?


  • Registered Users, Registered Users 2 Posts: 1,263 ✭✭✭strewelpeter


    Accessing any password secured financial account on any public computer is seriously -ev
    It is just too easy to lose your personal information.


  • Closed Accounts Posts: 3,441 ✭✭✭Killme00


    uninstall the software when finished


  • Registered Users, Registered Users 2 Posts: 4,751 ✭✭✭BigCityBanker


    leaba wrote: »

    Any of the guys working for IPoker skins gonna make a comment?

    I have contacted Playtech and asked them to investigate this.


  • Business & Finance Moderators, Entertainment Moderators Posts: 32,387 Mod ✭✭✭✭DeVore


    Does this only happen the first time you download the software?

    DeV.


  • Registered Users, Registered Users 2 Posts: 7,754 ✭✭✭ianmc38


    I've had this problem since the changeover to Ipoker. When you click it after logging in for the 2nd time it works, but the first time your details stay there regardless of whether you untick save password or not. AFAIR this happens with all skins.


  • Registered Users, Registered Users 2 Posts: 2,364 ✭✭✭Mr. Flibble


    Didn't someone here lose a few k after someone logged into their account on a public computer? Maybe they should reopen the case if this is how it happened.


  • Closed Accounts Posts: 1,679 ✭✭✭Daithio


    It's a pretty serious flaw that needs to be fixed. I'm no computer expert but I can't imagine it would be too difficult to patch up. The fact that they haven't done it already when the issue was raised before is quite worrying.


  • Registered Users, Registered Users 2 Posts: 5,083 ✭✭✭RoundTower


    I've noticed it happens occasionally but NOT usually. I think it may indeed be only the first time you log in. Frankly it's disgusting from iPoker.


  • Business & Finance Moderators, Entertainment Moderators Posts: 32,387 Mod ✭✭✭✭DeVore


    I tried to test for this on my machine and spent a long time trying to reproduce it and couldn't, hence my question. Either way, it IS a bad flaw that can be easily fixed. We'll file a report on it too to add weight to PPP's report.

    DeV.


  • Registered Users, Registered Users 2 Posts: 5,083 ✭✭✭RoundTower


    try this: log in and keep remember password checked. log out. log in again, this time uncheck remember password. Kill the casino.exe process or restart your computer or something (maybe just disconnecting from the network works). Then try to log in again. I think this is one spot where I had the problem but I don't have my computer here so I can't check.

    Also, if the network is down when you try to log in, sometimes the program just hangs instead of giving the "cannot connect to gaming server. continue in offline mode" message. I think this can also cause the problem.


  • Registered Users, Registered Users 2 Posts: 99 ✭✭niborm


    DeVore wrote: »
    Does this only happen the first time you download the software?

    DeV.

    Every machine (prob about 12) I have used since I noticed this, I have had the issue. I have downloaded onto the same machine multiple times and each time, the same issue occurred.


  • Registered Users, Registered Users 2 Posts: 3,141 ✭✭✭ocallagh


    I noticed this security flaw yesterday while at an internet cafe. It only happened after I downloaded and installed GJP for the first time. I'm on a different PC today and did some investigating. I'm fairly sure this is the problem

    When you first download ipoker, the decision to remember your password is an opt-out rather than an opt-in. This means the user MUST uncheck the box to opt-out. The client stores all this information in the registry. The key is called lobby-rememberrealpassword

    When the client downloads and installs for the first time, this key does not seem to be created. So when the user unchecks the box, the client attempts to set the binary value of the key to 0, it fails. The key is only created after the user logs in for the first time. So, because the remember password is always set to true unless otherwise specified (opt-out) we have this problem.

    Two ways to fix,

    1) Make it opt-in
    2) Create all required keys when GJP is installed for the first time.

    In addition to this, there might be security issues in Internet Cafes for modifying the registry (unlikely) which means all required registry settings are correctly setup on your home PC, but not in some Internet Cafes.

    Also, to recreate you'll need to uninstall GJP and then manually delete all references to GJP in the registry
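
A minimal model of the failure described in the post above, next to the two fixes it suggests. This is an added example, not iPoker or Playtech code: `Store` is a dict-backed stand-in for the registry, every function name is hypothetical, and only the value name `lobby-rememberrealpassword` comes from the thread.

```python
# Constructed model of the behaviour described in the thread; not client code.
KEY = "lobby-rememberrealpassword"  # value name quoted in the post above


class Store:
    """Dict-backed stand-in for the registry so the model runs offline."""
    def __init__(self):
        self.values = {}

    def update_existing(self, name, value):
        # Models a write that fails when the value was never created.
        if name not in self.values:
            return False
        self.values[name] = value
        return True


def flawed_login(store, remember):
    # The failed write is ignored; the value is first created after
    # login, with the opt-out default of 1 ("remember").
    store.update_existing(KEY, int(remember))
    store.values.setdefault(KEY, 1)


def flawed_remembers(store):
    return store.values.get(KEY, 1) == 1


def hardened_install(store):
    store.values[KEY] = 0  # fix 2: create the value at install time


def hardened_login(store, remember):
    # Fix 1: opt-in. Write unconditionally; never depend on prior state.
    store.values[KEY] = int(remember)


def hardened_remembers(store):
    # Fail closed: a missing or unexpected value means "do not remember".
    return store.values.get(KEY, 0) == 1


def sessions(login, remembers, store, choices):
    """Apply each login choice and record whether credentials persist."""
    out = []
    for remember in choices:
        login(store, remember)
        out.append(remembers(store))
    return out
```

With a fresh store and the box unchecked on both logins, the flawed path persists credentials after the first login and only honours the choice on the second; the hardened path never persists them, whether or not the install step ran.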


  • Registered Users, Registered Users 2 Posts: 1,263 ✭✭✭strewelpeter


    ocallagh wrote: »
    I noticed this security flaw yesterday while at an internet cafe. It only happened after I downloaded and installed GJP for the first time. I'm on a different PC today and did some investigating. I'm fairly sure this is the problem

    When you first download ipoker, the decision to remember your password is an opt-out rather than an opt-in. This means the user MUST uncheck the box to opt-out. The client stores all this information in the registry. The key is called lobby-rememberrealpassword

    When the client downloads and installs for the first time, this key does not seem to be created. So when the user unchecks the box, the client attempts to set the binary value of the key to 0, it fails. The key is only created after the user logs in for the first time. So, because the remember password is always set to true unless otherwise specified (opt-out) we have this problem.

    Two ways to fix,

    1) Make it opt-in
    2) Create all required keys when GJP is installed for the first time.

    In addition to this, there might be security issues in Internet Cafes for modifying the registry (unlikely) which means all required registry settings are correctly setup on your home PC, but not in some Internet Cafes.

    Also, to recreate you'll need to uninstall GJP and then manually delete all references to GJP in the registry

    Wow!
    It is criminally negligent that any piece of software that manages and holds money for customers could be allowed out into the world with a bug of this magnitude. The incompetence is staggering.


  • Closed Accounts Posts: 149 ✭✭leaba


    Well mistakes are always made, but with the problem reported and nothing done, that's real negligence. As a customer, it doesn't give me the warm and fuzzies.

    With the problem there for so long, I wonder how many people's accounts have been compromised and how many templated customer support emails have gone out with a standard response about password security.

    It shows an attitude to security which would make me worry.


  • Business & Finance Moderators, Entertainment Moderators Posts: 32,387 Mod ✭✭✭✭DeVore


    *sigh* ... this ISN'T a GJP issue, it's an iPoker issue, it will happen with any iPoker skin. If this were our problem I would have fixed this immediately. PPP, Titan, Noble, all of them will have this problem too.

    I'm going to mail this thread to our contacts in iPoker.

    DeV.


  • Registered Users, Registered Users 2 Posts: 3,141 ✭✭✭ocallagh


    oops, sry - meant ipoker not GJP... and in fairness to GJP the initial poster (whom I'm travelling with) had contacted a totally separate skin in the first place (not GJP) so this would be the first time GJP heard of it


  • Business & Finance Moderators, Entertainment Moderators Posts: 32,387 Mod ✭✭✭✭DeVore


    I had heard of it but when I tried to recreate it I used GJP cos I had it installed (obv!) and hence didn't get the problem. I checked the registry but again it was already installed and so everything looked fine (I also checked the password is encrypted, which it is though). So reckoned since it wasn't one of our users, it was once off user error and thought no more about it. The first person to report it was using a different skin (PPP afaicr) and we left the argument/thread at that point for decorum reasons.

    DeV.


  • Registered Users, Registered Users 2 Posts: 4,751 ✭✭✭BigCityBanker


    This issue has been corrected and resolved

