Gambling with your data: Betfair fixes HUGE account reset email vuln
Hidden form field let anyone take control of punters' cash
Betfair has left consumers wide-eyed with worry after gaping holes in its account recovery system were discovered by users.
The alarm was raised with Betfair after people found that the account reset procedure for users with less than £100 in their account was simply to provide data such as the account name and holder's date of birth, neither of which are particularly hard to find out.
No additional means of authentication would have been required for an attacker to gain access to a user's account.
Betfair's T&C states that its users are "solely responsible for the security and confidentiality of [their] account. In particular, [they] agree to keep their username, password and/or TAN strictly confidential."
However, during registration, users are not offered the option of entering a username. Instead, customers have their email addresses automatically selected as their usernames.
The T&C further states that users "undertake to protect [their] username and password in the same way that [they] would in respect of [their] bank account and any failure to do so shall be at [their] own risk and expense", which seems to suggest that merely knowing a Betfair user's email address is one step towards breaking into their account.
This would be far less of a problem if the new password were generated on the server side and sent to the inbox of the account holder. Betfair, however, allowed those requesting a reset to enter the new password themselves, subsequently awarding them a login cookie too. So all Betfair's system would have done for users whose account was hijacked was send them an email letting them know it had happened.
Except it wouldn't necessarily have even done that. As a reddit user noted, the password reset page contained a hidden form field specifying the address the reset email is sent to. Anyone with a little skill could modify that field, completely bypassing the only means by which account holders might be alerted.
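To make the two design faults concrete, here is an added illustration (not Betfair's code, written for this article) of a reset handler that trusts a client-supplied recipient and new password, beside one that picks the recipient from the account record and gates the new password behind a server-generated token. The account store, outbox and field names are constructed assumptions.

```python
import secrets
import hashlib

# Constructed sample account store; the username is the email address, as in the article.
ACCOUNTS = {
    "punter@example.com": {"email": "punter@example.com", "dob": "1980-01-01",
                           "password": "old-secret", "balance": 42.0},
}

OUTBOX = []          # constructed stand-in for a mailer: records (recipient, body) pairs
PENDING_TOKENS = {}  # sha256(token) -> username; hashed so a DB leak does not expose live tokens


def reset_vulnerable(form):
    """Mirrors the flaw described above: knowledge of username and date of birth is
    enough, the requester chooses the new password, and a hidden form field chooses
    where the only notification goes."""
    acct = ACCOUNTS.get(form["username"])
    if acct is None or acct["dob"] != form["dob"]:
        return "rejected"
    acct["password"] = form["new_password"]                               # requester picks the password
    OUTBOX.append((form["notify_email"], "Your password was changed"))     # requester picks the recipient
    return "reset-and-logged-in"


def request_reset_hardened(form):
    """Step 1 of the fix: read nothing from the form except the username. Generate an
    unguessable token server-side and mail it only to the address already on record."""
    acct = ACCOUNTS.get(form["username"])
    if acct is None:
        return "ok"  # identical response for unknown accounts, so the form cannot be used to enumerate users
    token = secrets.token_urlsafe(32)
    PENDING_TOKENS[hashlib.sha256(token.encode()).hexdigest()] = form["username"]
    OUTBOX.append((acct["email"], f"Reset token: {token}"))
    return "ok"


def complete_reset_hardened(token, new_password):
    """Step 2: a new password is accepted only from whoever controls the inbox, i.e.
    whoever can present the token; each token is single-use."""
    username = PENDING_TOKENS.pop(hashlib.sha256(token.encode()).hexdigest(), None)
    if username is None:
        return "rejected"
    ACCOUNTS[username]["password"] = new_password
    OUTBOX.append((ACCOUNTS[username]["email"], "Your password was changed"))
    return "reset"
```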
Such problems had been raised with Betfair before, but the apparent head-in-sand commitment on display in a mammoth Twitter exchange between reporter Paul Sawers and the Betfair Helpdesk really has to be seen to be believed.
It began, as many Twitter arguments do, with an innocuous question regarding the account recovery system at the internet betting exchange.
@BetfairHelpdesk Is it right that all one needs to change their password is their username and date of birth? — Paul Sawers (@psawers) April 23, 2015
@psawers No, this isn't correct. Go through the 'forgotten password' button below where you enter your username. — Betfair Helpdesk (@BetfairHelpdesk) April 23, 2015
The Helpdesk remained adamant that this was not the case.
The Register contacted Betfair for an explanation of their website security practices. After realising that InfoSec was not a horse, a spokesperson told us that since the above exchange, "We have reviewed and all Betfair accounts now require email authentication and at least one security question," adding, "Email authentication means you are sent an email to reset password."
The review included pulling the hidden form field for reset emails, which the spokesperson told us was a "subsequent issue [which] has been mitigated as well (this morning)."
Betfair declined to respond to our other questions regarding their standard security procedures and customer management, stating only: "We do not discuss our internal procedures." ®