A PokerNewsReport review of online poker site SSL security levels has revealed that some are still vulnerable to the Heartbleed Bug and MITM attacks.
On Tuesday, a team of security experts at Google released the news that a major flaw had been detected in OpenSSL software that could expose personal information and passwords to hackers. Nicknamed “Heartbleed”, the bug was described as the biggest security issue ever, and affected Facebook users, people with Yahoo accounts and even the FBI.
The bug is estimated to have affected more than 500,000 secure servers. The initial advice for people to change all their passwords was quickly revised: people should first check the security of the sites they use, to ensure the sites are not still vulnerable to the Heartbleed bug, and only then change their passwords. Being concerned about our own security, PokerNewsReport went through all the online poker sites we have accounts with.
We Don't Want to Name Names, But …
Using Qualys SSL Lab Test, we checked the security levels of dozens of poker sites – and the cashiers that they use – and found that some had not taken steps (yet) to resolve the security flaws in their software which may have exposed online poker players to the Heartbleed Bug. We are not going to name names because, by the time this article is read, the poker sites in question might have patched their OpenSSL software and we would be doing them an injustice.
However, the same test revealed that some sites unaffected by the Heartbleed Bug had other security issues, such as obsolete SSL/TLS security protocols or vulnerability to “Man-in-the-Middle” (MITM) attacks from hackers. We would advise all online poker players to conduct the same Qualys SSL Lab Test on the poker sites they use to be assured that the sites have adequate security.
So We'll Name These Names Instead …
In addition to Facebook, Yahoo and the FBI having security issues, Skrill.com and HideMyAss.com – a VPN service used by players in the States to play poker on European poker sites – were also found to be vulnerable to the Heartbleed Bug (the two sites have implemented patches now). Poker players with accounts at either of these domains should change their passwords immediately.
Skrill and HideMyAss account holders should also change the passwords of other online accounts they have if they use the same username and password combination for (say) their Skrill account and an online poker site – even if the online poker site has not been affected by the Heartbleed Bug. This is because if hackers have got hold of a username and password, they might attempt to use it on any other site where an account is held by the player (for example Amazon, eBay or Gmail – none of which were vulnerable to the bug).
Being Protected Now Does Not Mean You Were Protected in the Past
As the news of the security flaw was released last Tuesday, we do not know whether the sites we tested today were vulnerable previously, as they may have updated their security systems since the start of the week. None of the online poker sites have released any information about the security of their systems and whether or not they were vulnerable to the Heartbleed bug in the past. Consequently, our advice to all online poker players is:
Check your online poker site with the Qualys SSL Lab Test. If it comes up clean, change your password. If it does not come up clean, keep off the site until it improves its security.
For more information about the bug check out heartbleed.com.