Last week, PokerTableRatings.com (PTR) disclosed that the Cake Poker Network’s software could be exploited by a skilled hacker. The flaw, which at a minimum could expose a player’s hole cards, posed a greater security risk if taken to its fullest extent. A skillful computer user could, in fact, gain access to a player’s account, which could potentially lead to cash being stripped from it.
In an article on PTR written by “dameon,” the security breach was compared to a similar issue that affected the CEREUS Network, although with some differences. In both the Cake Network and CEREUS cases, “dameon” explained, the industry-standard SSL encryption for data transfers between the network and players was not being used. Instead, the Cake Poker Network used a much weaker XOR-based encryption, putting players at risk, especially those who play through a wireless router that can be accessed by others because no password is in place.
PTR points out that their tests were done on the two most popular members of the Cake Poker Network, the eponymous site and DoylesRoom, but that the flaw was believed to affect all of the rooms that are members. The family of sites includes Gutshot.com, OnlyPoker, and Phil Laak’s room Unabomber Poker.
PTR indicates that there were different levels of vulnerability, ranging from a wired home connection (low risk) to an unsecured home wireless network (moderate) to a public unsecured wireless connection (severe). PTR is also quick to confirm that, although they were able to exploit the vulnerability, no one on the network has been a victim and no accounts have been affected through the loss of funds or shenanigans on the virtual felt.
PTR informed Cake Poker of the vulnerabilities, and the company responded to the potential threat. Lee Jones, the Card Room Manager of Cake Poker, stated in an e-mail sent out over the weekend, “We are totally committed to closing this hole in our server-client communication security and it will be our top priority until it’s done. We’ve got everybody who can possibly help on this and will get the development and testing jobs completed as soon as humanly possible.”
Jones goes on to offer his own suggestions for those playing on the Cake Poker Network, including not playing on unsecured wireless networks. “The most secure thing you can do is play on a wired network,” Lee noted in the e-mail, but he also pointed out the difficulties of maintaining complete security in an ever-changing online world. “No system is 100% secure and each person must weigh the relative convenience of access (e.g. free WiFi at a coffee shop) against the potential security risks.”
Jones noted that the security of the Cake Poker Network has been improved through strengthened encryption, with more enhancements to come: “In short, we are adding an SSL layer to secure all communication between our servers and the client software.” This change should take effect as an update for players who log onto the Cake Poker Network.