In May, the website PokerTableRatings.com (PTR) uncovered a flaw in the security of the Cereus Network’s software.  Earlier this month, the site blew the lid off of a bot ring on PokerStars.  And now, this Monday, PTR released details on yet another security hole, this time on the Cake Poker Network.
The Cake Poker security issue is almost exactly the same as the one that existed on the Cereus Network.  In a nutshell, the communications between the Cake servers and the player’s computer are not secure.  It is possible, and PTR demonstrated this in a video posted on its site, for someone to grab the data going back and forth and view players’ login information (including passwords), as well as hole cards during game play.  The reason for this is that Cake is using an “XOR” based encryption method, rather than the industry standard SSL method.  According to PTR, XOR is very easy to crack and does not take complicated technology to do so.  In PTR’s demonstration, it used a basic laptop that wasn’t even connected to a network – it sniffed data packets out of the air from a cracked wireless test network – running a custom program that was comprised of only about 500 lines of code.  In the demo, the computer used to steal information displayed the test player’s login information within a second of the player logging on and accurately displayed a text readout of the player’s hole cards as soon as they were dealt.
PTR said there are some technical differences between Cake’s issue and that which was found on the Cereus Network, but those aren’t important for this article.  For all intents and purposes, the security flaw is the same.  One aspect of Cake’s problem that has disturbed many, though, is that on its website, it published incorrect information about its security methods:
“All communications between the client program running on your computer and the Cake Poker server in Curacao are encrypted using the accepted industry standard 256-bit TwoFish encryption algorithm. The unique cards dealt to each player are delivered exclusively to that particular player’s computer thus maintaining privacy and integrity of play. Packet-sniffing by other players cannot be used to gain any advantage. Each player’s cards are sent exclusively to that particular player’s computer. None of the other computers know what your hidden cards are, thus preventing an opponent from hacking their client software to determine your cards.”
PTR indicated that while TwoFish is relatively secure, it is not the poker industry standard for encryption.  SSL is the standard.  Plus, as stated previously, Cake has not been using the TwoFish standard.  PTR concluded that someone had to have known that the TwoFish information on the website wasn’t true, as Cake has been working on a new software client, which would require a review of the security so that it could implemented with the new software.
PTR recommended not playing on the Cake Network until the issue is resolved, though if one must, the safest way to play is over a private, wired network.  Players should not login on an unsecured, public network.
Lee Jones, the Card Room manager at Cake Poker, address the problem on the popular Two Plus Two poker forum, stating, in part:
“… we are devoting our top software people to addressing this issue immediately. When it has been resolved, we’ll make a public announcement to that effect.”
Later in the statement, he addressed the TwoFish discrepancy:
“Finally, as regards the statement on our website that we use a twofish encryption algorithm, that is, unfortunately, not correct. We used to use a twofish algorithm implementation but discovered an error in the implementation and were switching to a new algorithm. The current algorithm was a ‘placeholder’ until the new one was rolled into the program. The incorrect statement on the website is our fault and we apologize.”
The TwoFish references have since been removed from Cake Poker’s site, although they still exist on other sites on the network.
In a subsequent update, Jones added:
“Our development team replicated the described scenario and confirmed that a vulnerability exists which can be addressed to strengthen the security of the Cake Poker software. We take this very seriously and have mobilized a team of senior engineers to address the problem. In short, we are adding an SSL layer to secure all communication between our servers and the client software. We’ve got everybody who can possibly help on this and will get the development and testing jobs completed as soon as humanly possible.”
Jones also said that it should be a “relatively easy” fix, but it still may take “days” to get it done.

This site is registered on wpml.org as a development site.