Online sweepstakes Poker site Global Poker has just fixed a security vulnerability whereby customers' personally identifying documents were accessible on the web. Each document was located at a separate URL, and anyone who had the correct address could view it in any web browser.
About the Security Hole
The files in question were hosted through Global Poker's Zendesk support platform. ZenDesk is a vendor of popular software applications that provide interfaces for customer support ticketing, knowledge base searching, and secure document storage among other features.
Each document uploaded within the system is given a unique string, and entering the correct web address, including this identifier, brings up the file in question. There's a setting within ZenDesk to block any document downloads unless whoever is attempting to do so is signed into his or her account. This would effectively prevent unauthorized access because only the legitimate owner of a document (and Global staff members) would be able to view it.
ZenDesk recommends that companies managing sensitive customer attachments through its software turn this feature on. However, Global Poker had not done so, and therefore, the only thing preventing these documents from being seen was the complexity and random nature of the URL strings generated. Indeed, these randomly generated sequences of characters are difficult to guess – except that Global included them as unencrypted plaintext in emails to customers!
About the Documents at Risk
The documents that might have been shared inappropriately are photo IDs, proofs of address (like utility and cell phone bills), and bank statements. In fact, there has been a recent surge in the number of bank statements sent to Global ever since its decision a couple of weeks ago to force customers to use Worldpay bank transfers instead of PayPal for withdrawals. Before being able to cash out their funds, players have to submit their banking details along with proof in the form of a bank statement.
According to the Insurance Information Institute, there were 16.7 million instances of identity fraud in 2017. In total, fraudsters made off with $16.8 billion for an amount stolen per incident of more than $1,000. Exposing private bank account and identity details isn't just a matter of online busybodies snooping into your personal affairs; it can also have severe financial ramifications as well.
How Was the Possible Exploit Discovered?
This entire matter was brought to the attention of the internet by Twoplustwo user “zikzak.” On June 21, 2018, he posted:
This was followed by incredulity from other posters as they found it unbelievable that Global Poker could have such lax security procedures. Several people argued that “zikzak” must have been logged into his account on the Global Poker ZenDesk site, and this was why he was able to view his bank statement. However, other users rapidly confirmed that their own files could be accessed from non-logged in web browsers even on devices that had never before been used to interact with Global Poker.
There's no telling how long Global's customers have been exposed to this vulnerability. Because it seems to have been the result of an oversight when setting up ZenDesk, it has presumably been active from the time Global Poker started using this customer support solution. We've found references to old Global support tickets on ZenDesk dating back to May 2017. Assuming this security failure existed throughout this entire time, this would imply that user security had been compromised for well over a year!
Resolution
About 10 hours after the initial post regarding this issue was made on the Twoplustwo forums, site representative “GlobalPoker_Joey” responded saying that he was looking into the situation. About eight hours later, he posted the following:
We're glad to see that Global Poker addressed the problem by changing the appropriate ZenDesk settings, but we really feel this should have been done a long time ago. We also dislike Joey's implication that any security breaches that might have occurred would have been caused by customer actions rather than being the fault of Global. Our views on this subject are by no means unique to ourselves:
Other Poker Rooms Available
Global Poker allows only players in the United States and Canada to withdraw their winnings, but it has made their confidential information available worldwide. As we alluded to before, it also suddenly changed the payment channel it offered without giving customers any choice as to which payout methods they preferred. A six-month long dispute with a high-stakes regular about a $50,000 withdrawal, questionable handling of overlays in tournaments that were cancelled while running, and a semi-shady sweepstakes model are all reasons to stay away from Global.
If you'd like to find another U.S.A.-friendly online home for card games, be sure to take a look at our guide to online poker for Americans. If you are Canadian, check out our real money Canadian online poker guide instead. If you haven't yet signed up for Global Poker but are thinking of doing so, we urge you to read our Global Poker review first.
