Affiliate Aid
Helping new and existing gambling affiliates achieve their full potential.

Cake Network - Warning

Cake Poker Network Security Warning

July 27 2010

Attention Affiliates
If you promote any Cake Network poker rooms, please warn your players to stop playing there, at least until this security issue is corrected!

A new security threat has been reported that affects all clients on the Cake Poker Network. Apparently, Cake is using an outdated encryption method known as XOR. This encryption method is so weak that Poker Table Ratings (PTR) was able to crack it and access players' data in real time. If any of this sounds familiar, it should: PTR reported the same issue with UB Poker (Cereus Poker Network) earlier this year. Cereus updated their encryption to the industry-standard SSL within days of PTR reporting the hole in their security.

From PTR:
The Cake poker network uses a weak XOR-based encryption mechanism for all network transmissions instead of the industry standard SSL. The encryption key is sent in plain text and can be used to dump data from the datastream to the Cake client application.

In our lab we are able to intercept and decode the user’s login name (e-mail address), screen name, and password in plain text, as well as their seat number and hole cards. We’ve also been able to remotely display all seat numbers and hole cards on a compromised network.

All proofs of concept have been shown to work over a compromised WPA2 encrypted wireless network as well as unencrypted wireless networks, and physical network access (either through a hub, ARP man-in-the-middle attack, or otherwise).
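
To show why a key sent in plain text protects nothing, here is an added example (not PTR's code and not the Cake client's real protocol): the framing, key and messages are constructed, and the function names are hypothetical. It goes one step beyond the report by showing that withholding the key would not rescue repeating-key XOR either, since any predictable field gives the key back.

```python
# Added illustration. The wire format is hypothetical, not the Cake protocol.
from itertools import cycle


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR. The same call obfuscates and de-obfuscates."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def server_stream(key: bytes, messages: list) -> bytes:
    """Assumed framing: [key_len][key in clear], then [msg_len][xor(msg)]..."""
    out = bytes([len(key)]) + key
    for msg in messages:
        out += bytes([len(msg)]) + xor_bytes(msg, key)
    return out


def read_without_secret(wire: bytes) -> list:
    """Recover every message from the wire bytes alone.

    No credential or out-of-band secret is used, so any party that can
    see the traffic can do what the legitimate client does.
    """
    key_len = wire[0]
    key = wire[1:1 + key_len]
    pos, messages = 1 + key_len, []
    while pos < len(wire):
        msg_len = wire[pos]
        messages.append(xor_bytes(wire[pos + 1:pos + 1 + msg_len], key))
        pos += 1 + msg_len
    return messages


def key_from_known_prefix(obfuscated: bytes, known_prefix: bytes) -> bytes:
    """Withholding the key does not help: c XOR p = k for any known field."""
    return bytes(c ^ p for c, p in zip(obfuscated, known_prefix))


# Constructed sample data (not captured traffic).
KEY = bytes.fromhex("5ac3119e")
MESSAGES = [b"LOGIN user@example.test hunter2", b"SEAT 4 CARDS As Kd"]
WIRE = server_stream(KEY, MESSAGES)

if __name__ == "__main__":
    print(read_without_secret(WIRE))
    print(key_from_known_prefix(xor_bytes(MESSAGES[0], KEY), b"LOGI").hex())
```

Moving to SSL, as Cereus did, replaces the in-band key with a negotiated one that an observer of the traffic never sees.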



Cake Network poker rooms affected by this security hole:
Cake Poker
Doyle's Room
RedStar
Intertops
Unabomber Poker
BetaLand
Sports InterAction

Complete List of CPN Poker Rooms

Source: PokerTableRatings.com
Article 1
Article 2