Infosec bod wagers web bookie BetVictor is lax on password protection
Gambling site BetVictor has been caught leaving what appears to be the administrator credentials for its website out on the public internet.
Security researcher Chris Hogben today said the Gibraltar-based betting site had left help articles online that included usernames and passwords for its internal systems. His secret for pulling up the data: searching for the term “admin”.
Back of the net…work.
Hogben said that by entering the word into BetVictor’s own site search and combing through help articles, he was able to pull up 19 username and password combinations for 22 different URLs on the site.
“I think that’s the digital equivalent of leaving the key under the mat,” he said of the gaffe.
“Information about BetVictor’s back-end systems and portals — usernames, passwords, URLs — is there, just a few clicks away, right on the homepage.”
Hogben said he did not try to use the credentials, so he can’t be sure they work or what data they would allow an attacker to see. He does, however, believe the accounts are used for support, identity verification, and trading.
Hogben reckoned this is only the tip of the galling security lapse iceberg for the Liverpool-connected bookies, who now will never walk unpwned.
“It should also be noted that this was just one document located within the BetVictor knowledge base,” Hogben noted. “With more extensive searching, further documents may have been discovered containing even more confidential data.”
If BetVictor is aware of the issue, they’re not talking about it. Hogben said that while it appears the sensitive login info has been scrubbed from the site, he was unable to get verification from the company that the problem has been plugged up. BetVictor did not return a Reg request for comment on the matter. ®