Eurobet security, just be aware.

lorinda · #1 05-20-2005, 11:59 PM

Firstly I'll start by explaining that I don't play on Eurobet and am a little too lazy to fire off an email today, although my friend in this story will.

I was contacted by a friend to look at Eurobet's new fantasy football (soccer) game with in-play betting and do some of the math. They sent me a link via MSN, so I went to have a look.

Imagine my shock when I found myself in their account with available funds and all manner of personal info at my disposal.

Just something to avoid doing [img]/images/graemlins/wink.gif[/img]

Lori

Eurobet · #2 05-21-2005, 12:26 AM

Oops

AA suited · #3 05-21-2005, 12:55 AM

wait.. your friend sent u a link, and now you have access to his acct?

i dont believe you. forward me that email [img]/images/graemlins/wink.gif[/img]

Losing all · #4 05-21-2005, 12:57 AM

That's some messed up sh!~t! OTOH nothing wrong with some step 5 freerolls [img]/images/graemlins/smirk.gif[/img]

BottlesOf · #5 05-21-2005, 12:57 AM

I find this really disconcerting, and am in a little bit of shock, if true.

lorinda · #6 05-21-2005, 01:00 AM

I swear this is true.

I have no reason to snipe, and anyway, my sniping is always far more blunt when I do it.

I have no idea if it applies to the poker side of things or not and don't really see why it should, but don't direct link people there would be a good plan.

FWIW the link still had https: on it, my friend has never used this computer, and I have never played poker at Eurobet.

I guess if you wanted, you could test it between family members or something.

Lori

Soleo · #7 05-21-2005, 11:18 AM

Probably there was a "session ID" in the link they gave you. It specifies established web-session for someone who is logged in. You just found that Eurobet doesn't check if URL with session ID is now opened from the same IP which has initially log-in. This is not super-hole because session will die very soon because of inactivity or after logging-off but some hacker intercepted the URL with session ID may use it when user is still logged in, like change password, look for personal data, etc.
It's not very easy to intercept URL you requesting being somewhere between you and Eurobet but possible in many cases.
Session should be checked to be maintained to only one computer - that one which logged-in initially. People playing at Eurobet should ask their developers to plug the hole and implement this check.

Luv2DriveTT · #8 05-21-2005, 03:46 PM

[ QUOTE ]
They sent me a link via MSN

[/ QUOTE ]

You mean they sent you a link via MSN Messenger? If so thats very unfortunate that Eurobet doesn't match IP addresses to session IDs. This is web security 101, they should know better.

TT [img]/images/graemlins/club.gif[/img]