Bodog Poker Security Warning



This is what took 3 days to hack. Now all players' account numbers are exposed for the potential of hacking individual accounts, plus the entire point of anonymous tables has been shown to now only favor people who datamine with companies like this one. If this hack was so easy, what about all of the other issues that have come with this "upgrade"? How long until even more security issues are exposed? I beg anyone that is promoting Bodog to immediately stop, at least until they fix this major security issue or, really, go back to the old software.

I think this could qualify Bodog for the biggest blunder of the year. Bodog claimed this made everything more secure and that we should 100% trust their security department, meaning there is no reason for 3rd party oversight. According to them, all of the players screaming about the potential security issues were wrong. Obviously we were right, and until Bodog reverts to the old software they cannot be considered a secure place to play online poker.
 
It appears that Bodog's new software ignores casino self exclusions as well. The CS reply shows that the issue will not be resolved and tells the player not to click the icon if they do not want the casino games:

This puts Bodog in conflict with being considered an accredited casino:



https://www.casinomeister.com/accredited-casinos/

Just wanted to confirm that the Bodog Network team is going to fix this asap!

Becky
 
There is the dataminer's full explanation of what has happened here.

Even though this was discovered almost 24 hours ago the software is still operating and Bodog has said nothing. We know they are reading these forums...

I see, screen names are gone, but what is happening is that each client is being sent the Bodog ACCOUNT NUMBERS of every other player at "your" table. This is WORSE than others being able to see your screen name, as the account number is one of the secure fields used to log in to an account. It would be like casinos displaying my account number on the scoreboard of things like MPV tournaments. I have to admit, some MGS casinos actually DO this when they set up the alias for you, but mostly it seems to be naive players choosing their account numbers as their alias.

The account number issue here would seem to render all PAST data mining worthless, as it is based on screen names, but unbeknown to players, a fresh start could be made by tracking based on these account numbers.

Bodog are also accused of lying in their "spin" by indicating that this kind of hack could not even happen because the "data is not even sent to the client" and so it could never be intercepted.

It was easily spotted, by their programmer sitting down at the table and comparing his own anonymised ID against his login, that these numbers were account numbers with the digit "1" added to the end, revealing the formula used by Bodog.

They finish off by arguing that the end result is WORSE than before, because the victims of the pro players have been lulled into a false sense of security, whereas before they KNEW they could be identified by their screen name, and tracked, even if they were unaware of how it was done, and by whom, or how much of an advantage it gave the pro players.

It seems the "party cracker" has been around for a while, so players there have been falsely believing they were completely anonymous to the "sharks", when in fact they were often "easy prey".

It seems odd that this company have decided to blow the whistle, rather than develop and sell "Bodog cracker" for profit, even though data mining poker hand histories is their business, and anything that stops this could drive them out of business. It seems THEY are "up to something" too, and have decided to sacrifice a potential "Bodog cracker" money making venture in order to gain some moral high ground that they probably hope will give them an even better opportunity later on.

It could be that they are trying to pressure Bodog into a rollback to the old software, and kill the idea among other poker sites that anonymous tables is a bad move. Their motive for this would be obvious, their old tools are no longer at risk of becoming obsolete, and this preserves the value of work they have already undertaken, and are profiting from.


It does not matter whether it is an account number or some other fixed numerical identifier that Bodog sends to the client, but hides from the "recreational user". ANY numerical value that is "hard wired" to a particular player can be used for datamining and player tracking, this value needs to stay on the server, and if the client needs something, it should be a disposable ID, a bit like the "one time only" credit card numbers generated by desktop virtual payment cards like Net+. This would ONLY be tied to a particular player for that one game at the one table, but could NOT be used to track and profile their playing style over a period of time at a number of different tables. I thought this was what Bodog had done to start with, and why a new statistical approach would be needed in order to develop a new set of tools for the pro player.
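The post above makes the design point that matters here: the client must only ever see a label that is tied to a player for one table and nothing else. The following is an added example (not code from the thread, from HH Smithy or from Bodog) that contrasts the scheme the thread describes, account number with a "1" appended, with a per-table pseudonym derived by HMAC under a key that exists only for the life of that table. The account numbers and table memberships are constructed sample data; the "fixed hash" scheme is included as an assumption to show that any stable derivation of the account, keyed or not, is still trackable across tables.

```python
import hashlib
import hmac
import secrets

# Constructed sample data: hypothetical numeric account numbers for the players
# seated at two different tables. Not real accounts. Two players sit at both.
TABLE_A_PLAYERS = [100234, 100235, 500001, 734411]
TABLE_B_PLAYERS = [100234, 500001, 900002]


def weak_table_id(account_number: int) -> int:
    """The scheme the thread describes: the account number with a '1' appended.
    It is a fixed function of the account, so it is trivially reversible and
    identical at every table."""
    return int(f"{account_number}1")


def recover_account(weak_id: int) -> int:
    """The 'crack': strip the trailing digit. Comparing your own seat ID against
    your own login is enough to discover this rule."""
    return weak_id // 10


def fixed_hash_id(account_number: int) -> str:
    """Assumed 'improvement' that does not help: an unkeyed SHA-256 of the account.
    Not reversible by inspection, but still the same value at every table, so a
    data miner can track a player just as well as with the raw account number."""
    return hashlib.sha256(str(account_number).encode()).hexdigest()[:16]


def new_table_key() -> bytes:
    """One random 256-bit key per table instance, held server-side and discarded
    when the table closes."""
    return secrets.token_bytes(32)


def disposable_table_id(account_number: int, table_key: bytes) -> str:
    """Pseudonym a client is allowed to see: HMAC-SHA256 of the account number under
    the table's key, truncated to 8 bytes. Stable for the life of the table (the
    client can keep 'seat 3 = a1b2...' consistent between hands), not linkable to
    the same player at another table, and not invertible without the key. Knowing
    your own ID and your own account reveals nothing about the key or other seats."""
    mac = hmac.new(table_key, str(account_number).encode(), hashlib.sha256).digest()
    return mac[:8].hex()


def linkable_ids(ids_a, ids_b) -> set:
    """What a data miner does with two tables' worth of IDs: intersect them.
    Every element of the overlap is a player trackable from one table to the next."""
    return set(ids_a) & set(ids_b)


def compare_schemes() -> dict:
    """Run the three schemes over the constructed tables and report how many players
    can be tracked across tables under each."""
    weak_a = [weak_table_id(a) for a in TABLE_A_PLAYERS]
    weak_b = [weak_table_id(a) for a in TABLE_B_PLAYERS]

    fixed_a = [fixed_hash_id(a) for a in TABLE_A_PLAYERS]
    fixed_b = [fixed_hash_id(a) for a in TABLE_B_PLAYERS]

    key_a, key_b = new_table_key(), new_table_key()
    safe_a = [disposable_table_id(a, key_a) for a in TABLE_A_PLAYERS]
    safe_b = [disposable_table_id(a, key_b) for a in TABLE_B_PLAYERS]

    return {
        # Appended digit: every shared player is linkable, and every ID maps back to an account.
        "weak_linkable": len(linkable_ids(weak_a, weak_b)),
        "weak_recovered_accounts": sorted(recover_account(i) for i in weak_a),
        # Unkeyed hash: not readable, but still fully linkable across tables.
        "fixed_hash_linkable": len(linkable_ids(fixed_a, fixed_b)),
        # Per-table key: nothing links, even though two players sat at both tables.
        "safe_linkable": len(linkable_ids(safe_a, safe_b)),
        # Same player, same table: the pseudonym is stable, so seat tracking within a hand still works.
        "stable_within_table": disposable_table_id(TABLE_A_PLAYERS[0], key_a) == safe_a[0],
    }


if __name__ == "__main__":
    print(compare_schemes())
```

The point of the per-table key is that the server, not the client, is the only place the mapping from pseudonym to account ever exists, and that mapping is thrown away with the table; a miner who harvests pseudonyms from a thousand tables ends up with a thousand unrelated name spaces.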
 
Still nothing from Bodog except banning the accounts of people that discovered this security violation. Instead of accepting the fact they have some serious security issues and swallowing their pride, they ban the person that did their IT and developer's job for them for free. That is an interesting solution to getting caught with software that needs to be destroyed.

While this does not rank up there with insider cheating scandals or MG skin implosions, this is still a tier 2 scandal. Does Bodog think this is going to go away?
 
A cover up in progress. This will ensure that others who have found this glitch and others will KEEP QUIET rather than blow the whistle and risk having their account banned. It will also stop anyone with the skills to investigate further from being open about it.

It is too late, the glitch is in the public domain, along with how to exploit it. There are bound to be players who will now start trying to use it to gain an advantage, and even other tool developers that will try to sell exploit tools on the black market.

Having buried the issue, the recreational players will again be lulled into a false sense of security, believing the glitch had been "dealt with", and could no longer be used. The players using it will be able to do so in the knowledge that Bodog officially deny such a glitch even exists any longer, and their victims believe this to be true.

If an account number is a critical piece of information needed to hack an account, there will be a rise in complaints from players who believe their Bodog accounts have been hacked, even though they have kept this information secure at their end as responsible players.
 
The latest from HH Smithy. Bodog has had two full business days to respond to this and fix it (which appears to be impossible with their software) or go back to the previous version. They are usually very vocal about everything. Now that it has been shown that they are not running a secure online poker room they disappear.

 
So their software gets cracked in what is claimed to be 3 hours. Instead of swallowing their pride and admitting their experiment failed, they take cheap shots at the person that brought it public even though it was done for no monetary gain, only as a challenge and to prove Bodog was wrong.
 
It took them two days to come up with this spin and damage control?

On something as serious as a weak privacy element?

"The talents of the online poker community have been enormously helpful in testing the new software we have released. Obviously, any release has its teething problems and equally obviously we take any fault very seriously & we have released an update we are confident has addressed the most pressing issues.

"The input of poker players and software professionals since our launch has helped us make our system more robust and highlight how strong the poker community is."

Attacking Boddy could be described as a bit of Ayre bluster, and therefore not untypical, I think.

But on the positive side they have certainly got the message about the privacy flaw in their software...and that not everyone is over the moon about their new policy.
 
I have just read that everyone who used to be prevented from sitting together at a table (due to being caught for colluding in the past), can now sit together again - how bad is that!?!!
 
Hmm, is there a link to that story about cheaters and colluders? Why didn't they just ban them?
 
As I understand it, Bodog had restricted players from playing at the same tables in the old software if they had ever signed in from the same IP address, shared home addresses, shared computers or payment methods, soft played each other, etc. These are common restrictions that online poker rooms have to prevent collusion. From reading players' reports, it would appear these restrictions were not carried over to the new software, nor are new restrictions created in the new software.

I have no first hand knowledge, this is something that is being discussed in other poker forums though.
 
*dusts off the old CM account*

Thanks for posting this, Pokeraddict.

I'm the man behind these videos, and Pokeraddict has summed it up pretty well.

If anyone has specific questions, I can answer them for you.

Well, do you think Bodog had another agenda other than making a level playing field for recreational poker players by ridding the site of professional grinders aided by program software they don't want on their site?
 
I can't say for sure, but ridding the poker economy of the largest winners is a great way to achieve more parity, and thus more rake generated. I can't guess at their intentions, but the facts do speak for themselves.
 
I agree with what you say here, it makes good business sense. I'm hoping that this is a well-intentioned thing that just had a bug in it as far as the hacking ability of others.
 
For at least the past year operators have been discussing the business advantages of more "fish-friendly" operating policies, and I think that must be an element in the thinking here, too.
 
First of all well done for finding the flaw in bodogs new software

Secondly I'd just like to say I basically agree with all pokeraddict has said and I think bodog are being shown up here......however a serious question

Are you, as Calvin Ayre claimed on his blog, the chief marketing officer for hhsmithy.com?
 
I think the question of motivation (ie is this guy the CMO of the exposing company) is largely moot; the fact of the matter is that the flaw has been exposed which is a positive outcome seeing as Bodog has been forced to address the issue...and hopefully will continue to do so.

The status of Kyle Boddy - who has not concealed his identity - is a distraction being exploited by Bodog's "shoot the messenger" diversionary tactic, surely?

AFAIC I don't have a problem with HHSmithy getting some cheap publicity on the back of the expose...that's happened before in this industry just this year in the Absolute Poker security scare. If I remember correctly that company - for all its bad history - actually embraced the discovery of a flaw and worked with the independent who had found it to engineer a fix.
 
It's not motivation I am questioning, and I am impressed with his work however.

These hand history sites are viewed badly by almost all players, from recreational players who know about them up to full time pros. The sites all explicitly disallow them. Note that collecting hands on your opponents by playing against them is fine. However, these sites data mining my hands when not playing vs me, displaying my results and stats for all to see and offering my opponents the chance to buy hands on me to get an edge is extremely immoral IMO. Everybody I speak to wants to see them shut down, although anonymous tables is not the way to do it.

My point is, as impressed as I was by his hack, if this guy is heavily involved in these sites he is ethically and morally far worse than Bodog, and frankly he can bugger off as far as I'm concerned (if that is the case, of course; I am wanting clarification here).
 