Breaking Vegas Online

We recently published an advisory for PartyPoker, an online gambling site (SECOBJADV-2008-03). It covered a weakness in the client update process, a class of vulnerability that can affect various kinds of software. The past few years have also seen some vulnerabilities that are specific to online gaming software. Statically seeded random number generators, which allow prediction of forthcoming cards and of reel values on upcoming slot spins, were researched in the early days of online gaming. Let’s take a look at some additional threats.

Usually, forms of online cheating are pretty primitive. Justin Bonomo was exposed for using multiple accounts in a single tournament on PokerStars, and of course collusion between multiple players occurs as well. Absolute Poker’s reputation took a pretty big hit when players discovered that a site owner used a backdoor to view cards in play. Many private and public bots are also in use. However, a good human poker player will beat a bot, especially in no-limit, which is less mathematical than other variations of the game; bots are likely to be most useful in low-stakes fixed-limit games.

Earlier this year, a logic flaw was exploited on BetFair (oh, the pun!) because of a missing conditional check to test for chip stack equality when determining finishing positions. As a result, if multiple players with the same amount of chips were eliminated at the same time, they would all receive the payout for the highest position, instead of decrementing positions. For example, if there were three players that all had chip stacks of the same size and everyone went all-in, the winner of the hand would finish in first place and the other two players would both receive second place money. Interesting!

1 Comment »

  1. seancomeau said

    Another problem that tends to crop up in gaming systems is rounding errors in initial game state setup.

    Usually the deck or wheel is initialized from a static value. A card or wheel position is selected by obtaining the modulus of the total cards in the deck or possible positions in the wheel and a random number (usually large, provided by well-tested libraries). The result is used as an offset into the initial, static, game object. The problem occurs when the random number is not divisible evenly, resulting in a bias in favor of cards or wheel positions near the beginning.

    An entire industry exists to search gaming systems for these types of problems. I think you have demonstrated it’s not very thorough. Perhaps some of these companies could benefit from our tools!

    What’s interesting about online gaming is that so much money is spent having third parties audit software for fairness when it can be handled on the client side so easily. Consider a poker game:

    Instead of having the server generate all the random numbers, it could allow the clients to each submit some random values which would be combined with the server-generated random value. The server would immediately return hashes of all participants’ random values (individually) to every player. The server uses the values (e.g. a hash of them all concatenated, so as to return a fixed-size integer) to initialize the game state. After the hand is completed the server notifies all participants of the actual random values used to set the game state. Each client could check the fairness of the deal by hashing the values and comparing them to what the server claimed to use. Fairness is ensured because entropy is contributed by all players, all players are given proof before the game begins, and all players are given proof that the deck was not stacked after the game is over.

    Another variation could have the server encrypt the random value before the game, distribute it to all players, and then send all players the decryption key after the game is completed.
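
The commit-and-reveal deal described in the comment above, sketched as an added example (not code from the original post, the commenter, or any gaming site). It goes one step beyond the comment by shuffling with rejection sampling, so the modulus bias the comment describes does not reappear when the seed is turned into card positions. Assumptions: SHA-256 for commitments, 32-byte contributions, length-prefixed concatenation, and the hypothetical function names `commit`, `combine`, `deal`, `verify` and `demo`.

```python
import hashlib
import secrets

def commit(value):
    """Commitment published before the hand: SHA-256 of one contribution."""
    return hashlib.sha256(value).hexdigest()

def combine(values):
    """Fixed-size seed from every contribution, length-prefixed then hashed."""
    h = hashlib.sha256()
    for v in values:
        h.update(len(v).to_bytes(4, "big") + v)
    return h.digest()

def deal(seed):
    """Fisher-Yates shuffle of 52 cards driven by SHA-256(seed || counter)."""
    deck, counter = list(range(52)), 0
    for i in range(51, 0, -1):
        n = i + 1
        limit = (1 << 32) - ((1 << 32) % n)  # largest multiple of n <= 2**32
        while True:
            block = hashlib.sha256(seed + counter.to_bytes(8, "big")).digest()
            counter += 1
            r = int.from_bytes(block[:4], "big")
            if r < limit:  # reject draws that would favour low offsets
                break
        j = r % n
        deck[i], deck[j] = deck[j], deck[i]
    return deck

def verify(commitments, revealed, dealt, my_index, my_value):
    """Client-side check run after the hand, once the values are revealed."""
    if revealed[my_index] != my_value:
        return False  # this player's entropy was dropped or replaced
    if [commit(v) for v in revealed] != commitments:
        return False  # a revealed value differs from its commitment
    return deal(combine(revealed)) == dealt  # deck follows from the seed

def demo():
    # Constructed sample: two players plus the server (last entry), each
    # contributing 32 random bytes so the hashes cannot be guessed mid-hand.
    values = [secrets.token_bytes(32) for _ in range(3)]
    commitments = [commit(v) for v in values]
    dealt = deal(combine(values))
    honest = verify(commitments, values, dealt, 0, values[0])
    swapped = values[:2] + [secrets.token_bytes(32)]  # server changes its value
    cheated = verify(commitments, swapped, dealt, 0, values[0])
    return honest, cheated
```
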
