Luigi Auriemma and Donato Ferrante of Malta-based ReVuln have found that the skins that players use in their gaming activity offer a rare insecure link out to the internet – and waiting criminals – when they’re updated. A “skin” is another word for the look and feel that a player chooses for his or her user experience – essentially, the client interface.
Auriemma and Ferrante found that in online poker especially the skins often lack basic connection protections like SSL encryption or digital signatures when they download updates, offering an open line to hackers looking to take control of users’ computers. And, they found that even some connections that are digitally signed didn’t prove to be effective.
“Software updates are very important for this kind of software,” Auriemma and Ferrante noted. “All poker software must adhere to certain standards, and include an auto-update feature which is the first action performed by the software launcher. This mechanism can be used by attackers to inject malicious updates on the player’s system, while the software is performing the update operation. For example, this can be achieved with insecure public connections, compromised connections or malware.”
Maltese gaming management company B3W skins in particular were found to be auto-updating over the open internet, and the files weren’t being verified before they were executed, offering a simple vehicle into a user’s computer.
A secondary issue is the fact that the clients offer auto-login by way of stored passwords and user names, meaning that hackers could in theory gain access to the registry key or configuration file through an insecure skins connection, and then from there steal and decrypt users’ passwords.
It’s not all bad news though: ReVuln noted that some companies, like PokerStars, have adopted RSA tokens and PINs to increase the security of the authentication mechanism for their client software.