Security hole closed at UB, Absolute Poker
Absolute Poker and UB are the only poker rooms that operate on the CEREUS network, which is the third-largest Internet poker network that accepts U.S. players.
"Our priority is our players, and providing them with a secure online poker environment," Tokwiro Chief Operating Officer Paul Leggett said in a statement. "The implementation of the OpenSSL standard achieves this for our players, and we will continue to conduct rigorous verification tests and submit to third party audits to ensure our entire operation is secure."
The flaw was revealed on May 6 by PTR, a Web site that scrapes hand histories on roughly half a dozen poker networks and allows players to search ring game results to determine if players have a history of winning or losing. The site includes a five-minute video showing how players' hole cards and log-in information could be intercepted on wireless networks.
"Wireless networks are particularly exploitable due to the ease with which they can be compromised without having physical access," the site explained. "Indeed in many cases they won't even need to be compromised because the wireless network is not encrypted."
The security hole caused a PR nightmare for UB, which was rocked by a cheating scandal two years ago when several players had access to "superuser" accounts and could see other the other players' hole cards. Internet poker forum posters immediately linked the two incidents.
"Fool me once shame on you, fool me four or more times shame on me," wrote ezdonkey on the twoplustwo.com forums. "I can't help but wonder why people still play there."
Leggett responded to PTR immediately, saying he expected to have a solution to the problem "in a matter of hours." The next day, on both the Absolute Poker and UB blogs, Leggett stated that the problem had been fixed by "implementing a more advanced multi-layer encryption" and that an OpenSSL solution would be live in a week.
Many players were angry that the sites continued to run games despite the weaknesses in the network's security.
"Can you explain why the site was not shut down last night when you were aware of the problem instead of leaving a security issue to be ignored until this morning?" wrote SusieQue on the UB.com blog.
"We did consider shutting down Cereus temporarily," wrote UBMarketing in response. "However, we knew we could roll out a new solution in a matter of hours and we saw the threat of someone developing a hack to exploit this vulnerability, within that time frame, very unlikely."
While the upgrade made it harder, it did not make it impossible. An upgrade to an OpenSSL solution was made eight days later that closed the security gap for hole cards, but players' login information could still be hijacked using the same methods outlined by PTR. On May 16, OpenSSL security was implemented across the entire site, and PTR acknowledged that "the biggest problems have been addressed."
The security problems certainly haven't done anything to help the network, which currently ranks eighth on PokerScout.com's traffic report. Compared to a similar 11-day stretch a month ago (April 8-18), peak real money traffic on the CEREUS network dropped more than eight percent during the security upgrade (May 6-16), according to PokerScout.com data.
Despite the problems, Leggett says he is doing everything he can to assure players that their accounts are safe with on the CEREUS Network.
"We are communicating openly with PTR, our players, and the rest of the poker community to prove ourselves as a company that is safe to play at, and that we are serious about security," Leggett said in a statement.