Cake Poker Network uses weak encryption, poor security practices.
| Field | Value |
| --- | --- |
| Release Date | 2010-07-26 |
| Last Update | 2010-08-04 |
| Severity | Critical |
| Impact | Exposure of sensitive information |
| Where | Network access required |
| Solution Status | None |
| Poker Sites | Cake Poker, Cake Poker (beta), Doyle's Room, RedStarPoker.com, Unabomber Poker, Intertops Poker, Sports Interaction |
Description
The Cake poker network protects all client-server traffic with a weak XOR-based scheme instead of the industry-standard SSL. The XOR key is itself transmitted in plaintext, so anyone who can observe the connection can read the key off the wire and decrypt the entire data stream flowing to the Cake client application.
In our lab we were able to intercept and decode the user's login name (e-mail address), screen name and password in plaintext, as well as their seat number and hole cards. We were also able to remotely display the seat numbers and hole cards of every player at a table from a compromised network.
All proofs of concept have been shown to work over a compromised WPA2-encrypted wireless network, over unencrypted wireless networks, and with physical network access (through a hub, an ARP man-in-the-middle attack, or otherwise).
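To make the weakness concrete, the following is an added example written for this page; it is not code from Cake or from PTR. It models a transport that XORs every message with a session key announced in plaintext at the start of the stream, and shows what a passive observer on the same segment recovers from it. The wire framing ([2-byte key length][key][XOR-encrypted payload]), the `LOGIN|email|screen name|password` message layout, the sample key and the sample credentials are all constructed assumptions; the advisory describes the weakness, not the exact layout. The last function goes one step beyond the advisory: even if the key were withheld, a repeating XOR key is recovered from a few bytes of predictable plaintext such as a fixed message tag.

```python
"""Model of a 'key in the clear, XOR the rest' transport (constructed example).

Assumptions (not from the advisory): frame = [2-byte key length][key][XOR payload];
plaintext messages look like 'LOGIN|<email>|<screen name>|<password>'.
"""
import itertools


def xor_stream(data: bytes, key: bytes) -> bytes:
    """XOR data against a repeating key; encryption and decryption are the same operation."""
    return bytes(b ^ k for b, k in zip(data, itertools.cycle(key)))


def client_send(payload: bytes, key: bytes) -> bytes:
    """Hypothetical client: announces the key in plaintext, then XORs the payload with it."""
    if not 1 <= len(key) <= 0xFFFF:
        raise ValueError("key length must fit in the 2-byte header")
    return len(key).to_bytes(2, "big") + key + xor_stream(payload, key)


def eavesdrop(wire: bytes) -> bytes:
    """Passive observer: the key is the first thing on the wire, so decryption is trivial."""
    klen = int.from_bytes(wire[:2], "big")
    key = wire[2:2 + klen]
    if len(key) != klen:
        raise ValueError("truncated frame")
    return xor_stream(wire[2 + klen:], key)


def parse_login(plaintext: bytes) -> dict:
    """Split the constructed 'LOGIN|email|screen|password' layout into fields."""
    kind, email, screen, password = plaintext.decode().split("|")
    if kind != "LOGIN":
        raise ValueError("not a login message")
    return {"email": email, "screen_name": screen, "password": password}


def recover_key_known_plaintext(ciphertext: bytes, known_prefix: bytes, key_len: int) -> bytes:
    """Without the header, a repeating XOR key still falls to known plaintext: XORing the
    predictable leading bytes (here the message tag) against the ciphertext yields the key."""
    if len(known_prefix) < key_len:
        raise ValueError("need at least key_len bytes of known plaintext")
    return xor_stream(ciphertext[:key_len], known_prefix[:key_len])


def demo() -> dict:
    """Run the whole attack against one constructed login frame and return the recovered fields."""
    key = b"\x5a\xc3\x11\x7e"  # constructed session key
    msg = b"LOGIN|player@example.com|FishSlayer|hunter2"  # constructed credentials
    wire = client_send(msg, key)
    # 1. Observer reads the key from the frame header and decrypts the payload.
    fields = parse_login(eavesdrop(wire))
    # 2. Observer who only guessed the tag 'LOGIN' recovers the same key from the payload alone.
    payload = wire[2 + len(key):]
    assert recover_key_known_plaintext(payload, b"LOGIN", len(key)) == key
    return fields


if __name__ == "__main__":
    print(demo())
```

Nothing in the observer's path requires tampering with the connection: a hub, a mirrored port or a joined wireless network is enough, which is why the advisory's recommendation below is about who can see your traffic rather than who can modify it.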
Solution
The vendor has been notified of the vulnerability and advised to move the client-server transport to SSL, for example using the free, open-source OpenSSL library. No fix is available from Cake as of yet.
User Recommendations
PTR recommends that you discontinue using the Cake network until this issue is addressed.
If you continue to play on Cake, PTR recommends that you plug directly into your modem, bypassing any switch, router, wireless network or other network device, and that you never play over an unknown network connection. Note that this only removes eavesdroppers on your own network; because the key travels in plaintext, anyone on the path between your modem and Cake's servers can still decrypt the traffic.
Update 2010-08-04: The Cake Poker version 1.0 client has added SSL support. The beta client has not added SSL support, nor have most or all of the skins. Check for ssleay32.dll in the installation directory of your skin before playing on it: its presence indicates that the client ships an SSL library, but it does not by itself prove that the poker session is using it, so treat a client without the file as unsafe and one with it as only a likely fix.
Wow that’s big, glad I’m not part of their community. They have to fix this, good work PTR!
No wonder they don't like HH, datamining, HM, PTR, etc.
Ok, what site is next? :D
Hopefully one day the 'curse of withdrawal' theory will be proven somehow too and the whole population will say "I knew it".
Are there any legit sites anymore? WTF? I try not to buy into the theory that all online poker is rigged, but how many more sites will be exposed? What's next, all FTP pros have the ability to see the flop, turn and river cards when they play? lol
Can TableRatings do a "poker is or isn't rigged" article with some graphs and charts "proving it", please? How about showing the AI EV of 40+ VPIP players on Stars.
Also, I hope you guys aren't paid by Stars or FTP.