The security vulnerability at Cake Poker was apparently worse than originally thought, as the possibility of “superuser” accounts during an 18-month period at the online poker site has been raised in the course of a discussion at the poker forum 2+2.
The story started in late July, when the website pokertableratings.com discovered a security vulnerability at Cake Poker. A weak form of encryption could allow a hacker to see a player’s password and hole cards, among other information. Last week, Cake Poker implemented SSL encryption that patched any holes in its security, as verified by PTR.
However, questions have been raised in the interim about exactly how secure Cake was before this new encryption system was put into place. Cake Poker and card room manager Lee Jones had been keeping customers abreast of the site’s progress in fixing the security issue in a feedback thread. During that thread, questions arose about how long Cake had been vulnerable, and about the possibility of “superusers” who could see all players’ hole cards and use that information to play winning poker. (A superuser scandal surfaced several years ago on the Cereus network (UB.com and Absolute Poker), in which it was proven that there were superuser accounts that could see all other players’ cards.)
From that feedback thread, a new thread was started at 2+2 to discuss the security issue and the possibility of superusers at Cake. Here’s the crux of the issues being talked about in the thread, from the original poster:
There has been no real encryption for a period Lee does not want to disclose.
As a result of this lack of encryption, anyone with access to a connection from a user to Cake could tap into that connection and read all card data.
The Cake programmers, who, according to Lee himself, lied to him about the encryption when Lee asked them about it, have access to the network the servers are on.
Therefore, the Cake programmers could have superusered.
Cake does not allow datamining and does allow name changes, making it pretty much impossible for the community to check for superusers ourselves.
While Cake had been very forthcoming in talking about its original security problems, there apparently had been some stonewalling as the discussion moved into the realm of superuser possibilities. After some back and forth, Jones finally issued a lengthy statement addressing the issue. You can read his entire post here, and here are some of the highlights:
–The encryption at Cake was weak for a period of about 18 months, until it was fixed last week. Here’s Jones, with some technical jargon about encryption:
Approximately 18 months ago, the TwoFish code stopped working because of a change in an unrelated part of the client. One of our programmers, under a schedule crunch, replaced the TwoFish implementation with the XOR encoding. Obviously, that was a bad idea. There was some technical discussion about this change, but unfortunately we didn’t go back and redeploy the TwoFish (or an SSL) encryption in the code. Equally badly, nobody thought to update the website to reflect the fact that the TwoFish implementation had been removed. That was a classic lack of communication between the technical people and the people who maintain the website. Again, no excuses; we dropped the ball.
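As an added illustration (not code from the article, from Jones, or from Cake Poker), here is why a fixed-key XOR “encoding” of the kind Jones describes is not encryption, together with a black-box check a reviewer could run against a client’s transport layer to catch this class of weakness. The key and the protocol messages are constructed samples, not Cake’s real traffic.

```python
# Added example: fixed-key XOR "encoding" versus real encryption.
# Key and messages below are constructed for illustration only.
from itertools import cycle


def xor_encode(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR, the stand-in for the 'XOR encoding' in the article.
    Encoding and decoding are the same operation."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def leaks_plaintext_xor(encode, sample_a: bytes, sample_b: bytes) -> bool:
    """Black-box check usable without knowing the key.
    For any fixed-key XOR, C_a ^ C_b == P_a ^ P_b: the key cancels out, so the
    difference between two messages is visible to a passive observer.
    Returns True when the scheme has this leak; a sound cipher (an SSL/TLS
    record layer, or Twofish in a proper mode) returns False."""
    n = min(len(sample_a), len(sample_b))
    ca, cb = encode(sample_a), encode(sample_b)
    ct_diff = bytes(x ^ y for x, y in zip(ca[:n], cb[:n]))
    pt_diff = bytes(x ^ y for x, y in zip(sample_a[:n], sample_b[:n]))
    return ct_diff == pt_diff


def recover_key(known_plain: bytes, known_cipher: bytes, key_len: int) -> bytes:
    """Why 'anyone with access to a connection could read all card data':
    one message with predictable content (e.g. a fixed protocol header)
    XORed against its ciphertext reveals the key stream, which then decodes
    every other message sent under the same key."""
    stream = bytes(p ^ c for p, c in zip(known_plain, known_cipher))
    return stream[:key_len]


# Constructed sample traffic (hypothetical messages, not Cake's protocol).
KEY = b"k3y!"
HELLO = b"HELLO table=7"   # predictable message every client would send
CARDS = b"CARDS As Kd"     # the sensitive message a superuser would want


def demo():
    """Returns (leak detected?, recovered key, decoded sensitive message)."""
    enc = lambda m: xor_encode(m, KEY)
    leak = leaks_plaintext_xor(enc, HELLO, CARDS)
    key = recover_key(HELLO, enc(HELLO), len(KEY))
    return leak, key, xor_encode(enc(CARDS), key)


if __name__ == "__main__":
    print(demo())  # (True, b'k3y!', b'CARDS As Kd')
```

The `leaks_plaintext_xor` check is the part worth keeping around: run it against any client “encryption” layer with two known messages, and a True result means the layer is an encoding, not a cipher.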
–Audits are being done to try to determine if anyone was able to exploit the security vulnerability to profit. Jones again:
While we believe that nobody has lost any money to an exploitation of this vulnerability, we are taking no chances. We are doing a full audit of the top winners since July 26th (when the vulnerability was first reported) and also the largest pots that were played. Once we have completed that audit, we are going to expand the search and investigate back to the time that the TwoFish implementation was removed. Again, I don’t believe we’re going to find any player losses, but we have a responsibility to do the audit. Serge Ravitch (adanthar) is heading up that audit. You may recall that he’s one of the people who uncovered the PotRipper problem; he’s an expert at these things.
Right now, Cake is focusing its audits on the period of time from when PTR announced the security vulnerability to when it was finally fixed last week. Of course, many wonder why Cake was operational at all during this period of vulnerability, although Jones contends the risk to Cake clients was minimal. After that audit is done, a larger audit covering the full 18 months will be done to look for patterns that would be in line with a superuser account.
We will keep you updated on this story as events warrant.
Get your daily dose of poker news with the PTP Hit and Run.