Cereus Still Hasn't Properly Fixed Its Security Issue

Published on May 15th, 2010 7:24 am EST
The King is sipping on a beverage and watching the Cereus logo sink --The strange dance between PokerTableRatings.com and the Cereus poker network continues.

On May 6th, 2010, PokerTableRatings.com published an article titled "PTR Security Advisory: Cereus Poker Network uses weak encryption".

In the article, PTR revealed that the Cereus poker network used a weak method of encryption for all of their network transmissions, "instead of the industry standard SSL".

PTR went on to reveal that:

"In our lab we are able to intercept and decode the user’s login name (e-mail address), and receive an MD5 hash of their password, as well as their seat number and hole cards. Once the MD5 password hash has been intercepted, we’ve been able to log in using the intercepted login name by overwriting the outgoing login packet with the intercepted MD5 hash – thus logging in the victim’s poker account without their knowledge, remotely.

We’ve also been able to remotely display all seat numbers and hole cards on a compromised network."

PTR listed the situation as "critical" (no kidding), leading Cereus to inform PTR that they were "working towards a solution".

If you want a complete breakdown of the security issue, I suggest that you hit this page on Pokertableratings.com, as they explain the problem far better than I ever could.

The same day, executive Paul Leggett revealed in a blog posting on blog.ultimatebet.com that PTR was "able to crack our local encryption method" and that he was "very embarrassed and upset that this issue was not caught by our internal staff or through the countless audits we've been through this year and last year." Leggett said that the "issue" would be resolved "within a matter of hours."

Now, for some reason, Leggett and the rest of the higher-ups at the Cereus poker network decided that it wasn't necessary to halt all play on the network while the problem was being addressed. It seems to me allowing play to continue on the network BEFORE the fix has been implemented and AFTER the vulnerability has been made public is incredibly stupid, but whatever.

The next day (May 7th, 2010), PTR revealed that they were asked by Cereus to "participate in auditing and testing the new forms of encryption", and that PTR agreed to this request.

In addition, Cereus released a new version of their software on May 7th that was to "address the issue".

Fast forward to May 14th, 2010.

PTR released an article titled "Cereus Patch adds SSL, Update: NOT SECURE!".

In this article, PTR revealed that Cereus has "updated to include SSL support", but that "the update seems to use OpenSSL ONLY for player actions such as hole cards, bets, etc - we have already been able to hijack a test poker account using the exact same methods." PTR provided multiple updates to the article - in the most recent update, PTR revealed that Cereus had contacted the site and revealed that "our developers are working on resolving this issue and will follow up with a second update later today that will fix this."

Paul Leggett acknowledged this latest blunder in another blog posting, and revealed that "we expect to have it fixed before the end of the day."

That's the last I've heard from either side (PTR or UB).
--

As some other sites have pointed out, Cereus has seen its traffic dip since news of this vulnerability first surfaced. Pokerscout.com has a six month graph of the traffic trend at Cereus that you can see here.

--

Given the fact that Absolute Poker and Ultimatebet were both rocked by "superuser" scandals, you would think that the Cereus poker network would have top-notch security in place, but this is clearly not the case.

In my opinion, Cereus needs to take the hit and shut down their network until this situation is fully resolved, but it doesn't look like that will happen.


--

Filed Under: Online Poker Rooms

Related Articles

Gaming content intended for mature audiences only

 

BeGambleAware
Please Gamble Responsibly
Bonus Offers

Bet365 Bonus - THEKING

Party Poker - $40 in Tickets

Answers

How Do Casinos Make Money From Poker?

What is a Flush in Poker?

What Happened to Dutch Boyd?

What Was The Longest Heads-Up Match in Poker Tournament History?

What Is The Worst Starting Hand in Texas Hold'em?

Where Can I Play Online Poker With Friends?

Should I Play Cash Games, SNGs or Tournaments?

How Do Poker Rooms Make Money?

What is a "Side Bet"?

How Do People Cheat in Poker?

Who Are The Most Popular Poker Streamers on Twitch.tv?

What Are the Different Types of Deals That You Can Make in Poker Tournaments?

What Happened to Howard Lederer?

What is Pai Gow Poker?

What Happened to Phil Ivey?

Online Poker

Online Poker

Online Poker

Poker Online

Online-Poker

Poker Online

Poker Dictionary

ONCOOP

6-Handed

Bitcoin Poker

Roll Up a Stake

Flights

Blind Defense

Speed Racer Bounty

Nitroll

GG Spring Festival

MICOOP

International

Bet365獎金代碼

Código de Bónus Bet365

Bet365 Bonusz Kod

Bet365 Bonus Kod Polecajacy

Bet365 Angebotscode

Recent Articles

Tom Dwan Signs Sponsorship Deal With ACR Poker

Prop Bet Over: Shaun Deeb Accepts $800,000 Buyout in Body Fat Percentage Bet

Rakeback Wars: GGPoker Responds To Changes To Pokerstars' Rewards Program

12th Season of High Stakes Poker Set To Premier on February 19th

Nominations For 5th Global Poker Awards Announced

888Poker: We Refunded $362,893 To Players Who Lost to Bots or RTA Accounts in 2023

$5 Million Guaranteed Venom PKO Starts on ACR on Thursday

Pokerstars Introducing New Rewards Program; To Include "Select" and "Select+" Tiers

GGPoker's $100 Million Guaranteed Bounty Hunters Series Set To Begin on Sunday

Twitch.tv, Popular Online Poker Streaming Platform, Cuts 35% of Staff

The golden cane with a dollar sign at the top belongs to the Poker King.
Article Archive

Cash Games (275)

Tournament Results (452)

Poker Scandals (66)

Online Poker Rooms (563)

UIGEA (70)

Players in the News (80)

Poker on Television (63)

The World Series of Poker (431)

Poker Legal Issues (136)

Other Poker News (229)

Miscellaneous King Articles (88)

Contact Us

Contact Us