Infosec bod wagers web bookie BetVictor is lax on password protection

Thought your gambling site was secure? Don't bet on it

Updated: Gambling site BetVictor has been caught leaving what appear to be administrator credentials for its back-end systems out on the public internet.

Security researcher Chris Hogben today said the Gibraltar-based betting site had left help articles online that included usernames and passwords for its internal systems. His secret for pulling up the data: searching for the term "admin".

Screenshot of BetVictor credentials left online

Back of the net...work.

Hogben said that by entering the word into BetVictor's own site search and combing through help articles, he was able to pull up 19 username and password combinations for 22 different URLs on the site.

"I think that’s the digital equivalent of leaving the key under the mat," he said of the gaffe.

"Information about BetVictor’s back-end systems and portals – usernames, passwords, URLs  –  is there, just a few clicks away, right on the homepage."

Hogben said he did not try to use the credentials, so he can't be sure they work or what data they would allow an attacker to see. He does, however, believe the accounts are used for support, identity verification, and trading.
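The check Hogben describes (type "admin" into the site search, open each matching help article, pull out any username, password and URL it lists, then count the distinct pairs) is easy to automate against a knowledge-base export. The script below is an added example written for this article, not code from BetVictor, Hogben or The Register; the three articles in it are constructed sample data, and every hostname, username and password in them is fictional. It goes a step beyond the keyword search by also scanning every article, which is the "more extensive searching" Hogben says would turn up more.

```python
"""Scan help-centre articles for credential leaks.

Added example (not from BetVictor, Hogben or The Register). Assumes the
knowledge base has been exported or crawled into {title: body} pairs.
All sample articles, hosts and credentials below are constructed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample export of three help-centre articles (fictional content).
SAMPLE_ARTICLES = {
    "Logging in to the ID verification portal": (
        "Go to https://idcheck.example.internal/login\n"
        "Username: support_admin\n"
        "Password: Winter2015!\n"
        "Ask a supervisor if the page does not load."
    ),
    "Trading desk access": (
        "Trading dashboard: https://trade.example.internal/\n"
        "User: trader1  Pass: letmein\n"
        "Backup URL: https://trade-dr.example.internal/\n"
        "user: trader1 pass: letmein (same credentials)"
    ),
    "How to place a bet": (
        "Open the app, pick a market, enter a stake and confirm. "
        "Contact support if your account is locked."
    ),
}

# Credential-like "label: value" lines and URLs; labels match case-insensitively.
USER_RE = re.compile(r"\b(?:user(?:name)?|login)\s*[:=]\s*(\S+)", re.I)
PASS_RE = re.compile(r"\b(?:pass(?:word)?|pwd)\s*[:=]\s*(\S+)", re.I)
URL_RE = re.compile(r"https?://[^\s)\"']+", re.I)


@dataclass(frozen=True)
class Finding:
    article: str
    username: str
    password: str
    urls: tuple[str, ...]  # every URL mentioned in the same article


def search(articles: dict[str, str], term: str) -> list[str]:
    """Mimic the site search: titles whose title or body contains the term."""
    t = term.lower()
    return [title for title, body in articles.items()
            if t in title.lower() or t in body.lower()]


def scan_article(title: str, body: str) -> list[Finding]:
    """Return one Finding per distinct username/password pair in an article.

    Usernames and passwords are paired in order of appearance (n-th with
    n-th); if the counts differ the shorter list wins, since even a partial
    pairing is a leak worth reporting. Repeated pairs are reported once.
    """
    users = USER_RE.findall(body)
    passwords = PASS_RE.findall(body)
    urls = tuple(dict.fromkeys(URL_RE.findall(body)))  # de-duplicate, keep order
    findings, seen = [], set()
    for user, pw in zip(users, passwords):
        if (user, pw) not in seen:
            seen.add((user, pw))
            findings.append(Finding(title, user, pw, urls))
    return findings


def scan_knowledge_base(articles: dict[str, str], term: str | None = None) -> list[Finding]:
    """Scan the articles matching a search term, or every article if term is None."""
    titles = search(articles, term) if term else list(articles)
    out: list[Finding] = []
    for title in titles:
        out.extend(scan_article(title, articles[title]))
    return out


def summarize(findings: list[Finding]) -> tuple[int, int]:
    """(distinct username/password pairs, distinct URLs) across all findings."""
    creds = {(f.username, f.password) for f in findings}
    urls = {u for f in findings for u in f.urls}
    return len(creds), len(urls)


if __name__ == "__main__":
    for label, term in (("search for 'admin'", "admin"), ("full scan", None)):
        hits = scan_knowledge_base(SAMPLE_ARTICLES, term)
        pairs, urls = summarize(hits)
        print(f"{label}: {pairs} credential pair(s) across {urls} URL(s)")
        for f in hits:
            print(f"  [{f.article}] {f.username} / {f.password} -> {', '.join(f.urls)}")
```

On the sample data the "admin" search surfaces only the ID-verification article, while the full scan also catches the trading-desk article whose credentials never mention "admin". Anyone running this on a real knowledge base should treat the output as a removal and rotation list: the fact that a pair is old (BetVictor dates its content to 2015) says nothing about whether the account behind it has expired.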


Hogben reckoned this is only the tip of the galling security lapse iceberg for the Liverpool-connected bookies, who now will never walk unpwned.

"It should also be noted that this was just one document located within the BetVictor knowledge base," Hogben noted. "With more extensive searching, further documents may have been discovered containing even more confidential data."

If BetVictor is aware of the issue, they're not talking about it. Hogben said that while it appears the sensitive login info has been scrubbed from the site, he was unable to get verification from the company that the problem has been plugged up. BetVictor did not return a Reg request for comment on the matter. ®

Updated to add

BetVictor eventually got back to The Reg, saying it removed access to the login info soon after Hogben reported the issue.

We asked BetVictor if it could say whether it was dummy or test data rather than real login information. BetVictor offered the following.

"We cannot answer specific questions regarding the data that was available yesterday [Tuesday] through our help centre because we are still investigating exactly what happened with our third-party provider.

"What we can say is that the information was from an internal help section that was available for our Customer Service Teams in 2015.

"As soon as we became aware of the problem we disabled the Help Centre and prevented external access to any systems that had not expired.

"We regret what happened and are working with our supplier to prevent it happening again which is why we currently have no help centre available."

BetVictor declined to elaborate further, citing an ongoing investigation.

"We are conducting intensive investigations to ascertain exactly what happened and what the implications are, until such time as this is completed [we] will not be able to answer any questions around this issue," it said.

Biting the hand that feeds IT © 1998–2019