PokerTableRatings (PTR) has recently made the public aware of a security gap in the Cereus Poker Network software. They have also advised players not to use the software until a solution to the problem is found. PokerTableRatings has found a critical error in the Cereus software which compromises your security. This error occurs in popular and heavily trafficked Cereus poker rooms such as Absolute Poker and UB. This security gap makes it possible for the average hacker to access user accounts and view opponents’ hole cards in real time. With tens of thousands of users per day, Cereus truly needs to address this problem as soon as possible.
The core of the problem stems from Cereus neglecting to use the foolproof SSL encryption technique and instead sticking with its own individually developed software. Cereus developed its own security software using XOR instead of SSL, which provides a much weaker shield of protection. In truth, this is not even encryption, only encoding, which can be easily decoded with the help of a Windows or Linux computer and a simple calculator. The easiest point of attack to break into the Cereus Poker Network’s rooms is to identify the victim’s internet connection. If you are using a public wireless connection or a hacked wireless system, or even if you connect via direct cable, you will be easy prey for hackers.
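Why XOR with a fixed key is encoding rather than encryption, as an added example (not code from PTR or Cereus; the key, the message layout and the function names are constructed for illustration and do not describe the real protocol). A predictable message header is enough to reveal the key, and the standard-library TLS context at the end is the kind of transport protection the article says was skipped.

```python
import ssl
from itertools import cycle

# Constructed sample data: the key and messages are invented for this sketch
# and are not taken from any real poker client.
KEY = b"\x5a\x13\xc4\x77"
MSG_A = b"SEAT=3;HOLE=Ah,Kd;STACK=1500"
MSG_B = b"SEAT=5;HOLE=7c,7s;STACK=0980"


def xor_encode(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR. Applying it twice with the same key restores the input."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def key_from_known_prefix(encoded: bytes, known_prefix: bytes, key_len: int) -> bytes:
    """A predictable message header XORed with the output yields the key bytes."""
    return bytes(c ^ p for c, p in zip(encoded, known_prefix))[:key_len]


def xor_of_two_messages(enc_a: bytes, enc_b: bytes) -> bytes:
    """The key cancels out: enc_a ^ enc_b equals plain_a ^ plain_b."""
    return bytes(a ^ b for a, b in zip(enc_a, enc_b))


def hardened_client_context() -> ssl.SSLContext:
    """The corrected setting: TLS with certificate and hostname verification."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED and check_hostname by default
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


if __name__ == "__main__":
    enc_a, enc_b = xor_encode(MSG_A, KEY), xor_encode(MSG_B, KEY)
    recovered = key_from_known_prefix(enc_a, b"SEAT", len(KEY))
    print("key recovered from known prefix:", recovered == KEY)
    print("second message decoded:", xor_encode(enc_b, recovered))
    ctx = hardened_client_context()
    print("TLS context verifies peers:", ctx.verify_mode == ssl.CERT_REQUIRED)
```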
PTR has also provided a demonstration video in which they use cheap hardware and their own wireless network to break into the Cereus Poker Network database to show you how easily it can be done. They were able to log into other players’ poker accounts and see their hole cards in real time.
PokerTableRatings has no real proof that anyone has used this technique to break the Cereus Poker Network. During their tests, the accounts they used were created solely for demonstration purposes.
Cereus, in the meantime, has addressed the situation by releasing a written statement containing the following:
Hi Dameon,
We really truly appreciate the email you have sent us regarding the vulnerability in our encryption. I just became aware of your article 30 minutes ago and I have read your article and watched the video. I think you have done a great thing for the poker community by emailing us and letting the community know about it. Thank you for that.
I would also like to express how seriously we take this issue. I’m expecting to have a solution in place in a matter of hours and I would really like to discuss engaging your company to help us test the solution, if your company provides such services.
I would greatly appreciate it if you could paste the contents of this email on your website, so your followers are assured that we are aware of the issue and we are working diligently to address it.
I would also like to emphasize to your readers that this issue would require someone to have access to their local network and also have the technical capabilities to crack our encryption in order to gain access to the player data and see the clear text like you did in your demonstration.
Again, I greatly appreciate you notifying us and the poker community and we will investigate this fully and completely and fix the problem immediately.
Regards,
Paul Leggett
COO, Tokwiro Enterprises
Here is the original article about the issue and Cereus’ security response. The related TwoPlusTwo thread can be found here.