This article is more than 1 year old

Infosec bod wagers web bookie BetVictor is lax on password protection

Thought your gambling site was secure? Don't bet on it

Updated Gambling site BetVictor has been caught leaving what appears to be the administrator credentials for its website out on the public internet.

Security researcher Chris Hogben today said the Gibraltar-based betting site had left help articles online that included usernames and passwords for its internal systems. His secret for pulling up the data: searching for the term "admin".

Screenshot of BetVictor credentials left online

Back of the net...work.

Hogben said that by entering the word into BetVictor's own site search and combing through help articles, he was able to pull up 19 username and password combinations for 22 different URLs on the site.

"I think that’s the digital equivalent of leaving the key under the mat," he said of the gaffe.

"Information about BetVictor’s back-end systems and portals – usernames, passwords, URLs – is there, just a few clicks away, right on the homepage."

Hogben said he did not try to use the credentials, so he can't be sure they work or what data they would allow an attacker to see. He does, however, believe the accounts are used for support, identity verification, and trading.

Hogben reckoned this is only the tip of the galling security lapse iceberg for the Liverpool-connected bookies, who now will never walk unpwned.

"It should also be noted that this was just one document located within the BetVictor knowledge base," Hogben noted. "With more extensive searching, further documents may have been discovered containing even more confidential data."

If BetVictor is aware of the issue, they're not talking about it. Hogben said that while it appears the sensitive login info has been scrubbed from the site, he was unable to get verification from the company that the problem has been plugged up. BetVictor did not return a Reg request for comment on the matter. ®

Updated to add

BetVictor eventually got back to The Reg, saying they removed access to the login info soon after Hogben reported the issue.

We asked BetVictor if it could say whether it was dummy or test data rather than real login information. BetVictor offered the following.

"We cannot answer specific questions regarding the data that was available yesterday [Tuesday] through our help centre because we are still investigating exactly what happened with our third-party provider.

"What we can say is that the information was from an internal help section that was available for our Customer Service Teams in 2015.

"As soon as we became aware of the problem we disabled the Help Centre and prevented external access to any systems that had not expired.

"We regret what happened and are working with our supplier to prevent it happening again which is why we currently have no help centre available."

BetVictor declined to elaborate further, citing an ongoing investigation.

"We are conducting intensive investigations to ascertain exactly what happened and what the implications are, until such time as this is completed will not be able to answer any questions around this issue," it said.

 
