UPDATE: Yet another scandal involving Lock!
Just added this section to the report:
Encryption? We Don't Need No Stinkin' Encryption!
In June 2011, a player on the Lock Casino discovered a shockingly disturbing security flaw: his password appeared in plain text in the source code of the java on the page. This also meant that, on the other side (Lock's server), his password was also stored in plain text, meaning it was accessible to any Lock employees that had access to the server!
In addition, it means that your password is being sent unencrypted over the internet as well!
The source of the java is listed below. Note that the username and password have been changed to myusername and mypassword for purposes of this post, and the IP has been changed to 0.0.0.0. However, these all appear as the real values when actually logged into the Lock Casino.
var flashvars = {
    user : 'myusername',
    sPassword : 'mypassword',
    token : '',
    encrypted : 'false',
    forReal : (forMoney) ? 'true' : 'false',
    IP : '0.0.0.0',
    portBase : '0',
    returnURL : '',
    casinoName : 'Lock Casino',
    errorURL : '',
    useLegacySystem: 0,
    gameid: gameObj.gameID,
    machid: gameObj.machID,
    handcount: gameObj.hands,
    denom: 25,
    showVersion: 'false'
};
This user reported it to Lock Poker back when he discovered it (June 2011), and was told that they would get right on fixing it. But guess what? Ten months later, this major security flaw still exists!
Apparently Lock isn't just unethical, but they are incompetent, as well.
The 2+2 thread about this is here: http://forumserver.twoplustwo.com/29...issue-1178821/