
Pokerkeep

Cake Network Security Alert!

by on 07-27-2010 at 05:02 AM (1068 Views)
Another day, another scandal....

So, a few months ago Poker Table Ratings (PTR) reported that Cereus Poker Network was using XOR data encryption, which was easily hacked, allowing said hacker to view sensitive data in real time. PTR could actually access players' hole card information during game play! Cereus fixed the problem by upgrading to the industry standard, SSL encryption, something they should have done years ago...

Well, guess what? They did it again!

This time, it's Cake Network that failed to make the grade. PTR reported yesterday that Cake Poker Network uses a weak XOR-based encryption mechanism for all network transmissions instead of the industry standard SSL. The encryption key is sent in plain text and can be used to dump data from the data stream to the Cake client application.
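Why an XOR scheme whose key travels in the clear protects nothing, as an added example (not code from PTR, Cake or this post): the frames, key and JSON fields are a constructed toy protocol, not Cake's wire format, and the last function shows the kind of verified TLS client setup the post calls for.

```python
import itertools
import ssl

def xor_stream(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same call 'encrypts' and 'decrypts'."""
    return bytes(b ^ k for b, k in zip(data, itertools.cycle(key)))

# Constructed sample capture (assumption, not a real protocol):
# frame 0 carries the key in the clear, later frames are XOR-obfuscated.
KEY = bytes.fromhex("5a17c3e4")
CAPTURE = [
    b"KEY " + KEY,
    xor_stream(b'{"seat":3,"hole":["Ah","Kd"]}', KEY),
    xor_stream(b'{"seat":5,"hole":["7c","7s"]}', KEY),
]

def passive_read(frames):
    """What any observer on the network path recovers: the key from
    frame 0 decodes every later frame, with no secret required."""
    key = frames[0][4:]
    return [xor_stream(f, key) for f in frames[1:]]

def key_from_known_plaintext(frame, known_prefix, key_len):
    """Hiding the key would not help: a predictable message prefix
    leaks it, because ciphertext XOR plaintext equals the key."""
    return bytes(c ^ p for c, p in zip(frame, known_prefix))[:key_len]

def hardened_client_context():
    """TLS with certificate and hostname verification (both are the
    defaults of create_default_context) and a TLS 1.2 floor."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx

if __name__ == "__main__":
    for msg in passive_read(CAPTURE):
        print(msg.decode())
    print(key_from_known_plaintext(CAPTURE[1], b'{"se', 4).hex())
```
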

Hole Cards Revealed in Real Time
PTR reported that while playing at Cake Poker they were able to view players' hole cards in real time! Yep, they had super-user capabilities! PTR has reported the security flaw to Cake and has posted a warning on their blog - so far there has been no response from Cake on this matter.

Please warn your players: every poker room on the Cake Network is open to this hole in their security. Play it safe, don't play on Cake Poker or any of their skins until this is resolved. They need to install SSL encryption before it will be safe to play in their rooms.

It's a sad day for the online poker industry. One would think that after the roasting Cereus took over their lax security, all poker networks would have taken measures to ensure the same would not happen at their networks. I guess not....


Comments

  1. xYassassinYx
    I have to say I'm shocked that there isn't more talk about this...

    For anyone who cares here is a link to a 2+2 thread where Lee Jones addresses the issue, which is not reassuring!!! <--- I really stress this but things will obviously be sorted now that this is all out in the public.

    Official CakePoker Feedback Thread - Page 397 - Internet Poker - Online Poker Forum

    Lee told people there was only a slight chance of them being hacked, but that is all it takes... PTR could have wiped player accounts if they wanted to and the fact that he asked their tech/security team in May about how secure things were, this shows just how much they know...

    (Obviously Lee wasn't to know about this but if I ran a poker site and my team told me everything was secure and a few months later there was this incident they would all be sacked and I'd be hiring a much better team)
  2. Planet Mark
    Terrible, after they watched it happen to Cereus too - Lee Jones must be tearing his hair out, erm, no, wait a sec....
  3. GFPC
    Thanks for posting this Terry!! Just wow!
  4. Pokerkeep
    Just wanted to post a follow up to this...

    I received an email from Cake today, I guess they're not happy with the coverage I'm giving this, anyway, they fed me the expected line of crap. Here's a copy:
    *********
    Hey Terry,

    I saw your recent coverage of the Cake Poker security issue and I wanted to make sure that you had the statement from our poker room manager Lee Jones:



    Hi folks -
    Here's a status update on the security vulnerability in the Cake Poker software which was reported yesterday. Our development team replicated the described scenario and confirmed that a vulnerability exists which can be addressed to strengthen the security of the Cake Poker software. We take this very seriously and have mobilized a team of senior engineers to address the problem. In short, we are adding an SSL layer to secure all communication between our servers and the client software. We've got everybody who can possibly help on this and will get the development and testing jobs completed as soon as humanly possible.

    In the meantime, if you wish to play on Cake Poker (or the Cake Network), we encourage you to follow good security practices:

    * Make sure that your computer is secure. Run anti-virus and spyware detection software, don't share your computer's password with anybody else, etc.
    * In terms of network security, the most secure thing you can do is play on a wired network. Plugging your computer into a router or modem with an Ethernet cable is the best defense against your packets being sniffed.
    * If you are on a wireless home, dorm, or other network that is WPA2 protected, that's your next most secure solution.
    * We encourage you not to play on a wireless network which is not password protected. For instance, if the coffee shop around the corner just plugged a wireless router into their cable connection and announced "Free WiFi", you shouldn't be playing on the Cake Network there. It's worth noting, in fact, that you shouldn't be doing anything of financial importance over an unprotected wireless network (poker, banking, etc).

    Ultimately, it comes down to a question of degree. No system is 100% secure and each person must weigh the relative convenience of access (e.g. free WiFi at a coffee shop) against the potential security risks.

    For our part, we are totally committed to closing this hole in our server-client communication security and it will be our top priority until it's done. We will update you as soon as there is more to say.

    Thank you, as always, for your patience and understanding.

    Best regards,
    Lee Jones

    Cake Poker Cardroom Manager







    Susan

    Publicist
  5. Ridge
    Does anyone have a good article on this I can link to?
  6. jdwanchalk
    Tell "Susan" to publicize their faulty affiliate links and to stop stealing players.
