Hacking the World Poker Tour: Inside ClubWPT Gold's Back Office
6 months ago
- #Vulnerability Disclosure
- #Cybersecurity
- #Online Gambling
- Discovery of a vulnerability in ClubWPT Gold's back office application allowing full administrative access.
- Exposure of sensitive data including driver's licenses, passport numbers, IP addresses, and transaction history.
- Vulnerability patched by ClubWPT Gold post-reporting, with confirmation it was never exploited.
- Initial exploration of ClubWPT Gold's infrastructure revealed a suspicious Chinese domain in JavaScript environment variables.
- Identification of multiple ClubWPT Gold services running on subdomains of 'liuxinyi1.cn'.
- Exposure of internal secrets and Alibaba Cloud credentials via an accessible '.env' file.
- Successful cloning of the admin panel source code through an exposed '.git' folder.
- Discovery of hardcoded usernames in environment variables leading to a staging back office login.
- Bypass of 2FA in the production environment using a vulnerability found in the staging source code.
- Access to production data including real customer PII, KYC details, and administrative statistics.
- Responsive action from ClubWPT Gold to fix vulnerabilities post-disclosure.