BetVictor Leaked a Password List for Its Internal System on the Betting Platform
The FIFA World Cup is in full swing at the moment, which means that soccer (or football) fans are being treated to 96 hours of the beautiful game in the span of just over a month. That's 64 games in 32 days, and the fans aren't the only ones getting excited. Bookmakers are also rubbing their hands, expecting record-breaking revenues and profits. For the people running BetVictor, an online betting platform headquartered in Gibraltar, however, things are a little bit different, because it was discovered that until not that long ago, their website was leaving quite a lot of extremely sensitive information completely exposed.
A silly mistake shows how BetVictor’s customer service agents are trained
The data was found by security researcher Chris Hogben who was visiting BetVictor's website in the same way a regular user would. In his blog post, Hogben said that he was having some problems with the platform and was trying to resolve them. He found the knowledge base section and set about using the search box to find the answers to his questions.
He ended up looking at things he wasn't supposed to be looking at. It was an article that told customer service agents how to handle various queries coming from clients. The screenshot Hogben posted shows some tricks designed to calm BetVictor's unhappy users in the hope that they'll abandon their ideas of canceling a particular service.
It's safe to assume that similar documents are a part of the customer service agents' training at many companies, but they tend to be shared only among staff. Someone at BetVictor (unintentionally or not) left them exposed, which is embarrassing. The online bookie's second security blunder isn't embarrassing, though. It's dangerous.
The big problems
Hogben was intrigued by the public nature of the customer service training docs, and he was wondering what else the search box could reveal. He typed in "admin" and saw some worryingly relevant results.
There was a document which, despite its "Internal" label, was visible to anyone who knew what to search for. It contained a total of 27 URLs linking to BetVictor's internal ticketing and trading systems, as well as an entry for the Experian identity verification service. It also contained 19 username and password combinations, some of which were apparently to be used at the aforementioned URLs.
Chris Hogben tried the 27 URLs and discovered that 22 of them could be visited from anywhere in the world.
An example of shocking password management
Hogben didn't test the login credentials because that would've been illegal. Having discovered them in a public place, however, there was nothing to stop him from analyzing them.
5 of the passwords were identical or nearly identical to the username they came with, and 11 of them were available in Troy Hunt's Pwned Passwords database. It would appear that the person responsible for managing those passwords made some pretty basic mistakes. Hardly ideal when you consider the fact that they're working for a betting platform used by over half a million people.
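As an added illustration of the two checks described above (this is example code, not part of the article or of Hogben's write-up), the following Python audit flags passwords that resemble their username and passwords that appear in Pwned Passwords. The credential pairs and breach counts are constructed, and the k-anonymity range lookup against api.pwnedpasswords.com is replaced by an in-memory table so the script runs offline.

```python
import hashlib
from difflib import SequenceMatcher

# Constructed sample credential pairs; not the leaked BetVictor list.
SAMPLE_CREDENTIALS = [
    ("trading_admin", "trading_admin"),
    ("tickets", "Tickets1"),
    ("ops", "password"),
    ("kyc_user", "Xq7!v2Lm#9rTz"),
]

def _sha1_upper(password):
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

# Constructed stand-in for the Pwned Passwords "range" API: the real service
# (GET https://api.pwnedpasswords.com/range/<5-hex-prefix>) returns lines of
# "SUFFIX:COUNT" for every hash sharing that prefix. Counts here are made up.
_PWNED_SAMPLE = {"password": 3730471, "Tickets1": 12}
FAKE_RANGE_TABLE = {}
for _pw, _count in _PWNED_SAMPLE.items():
    _h = _sha1_upper(_pw)
    FAKE_RANGE_TABLE.setdefault(_h[:5], []).append((_h[5:], _count))

def pwned_count(password, range_lookup=FAKE_RANGE_TABLE.get):
    """k-anonymity check: only the first 5 hex chars of the SHA-1 leave the
    client; the returned suffixes are compared locally. range_lookup stands in
    for the HTTP call and must return a list of (suffix, count) or None."""
    h = _sha1_upper(password)
    for suffix, count in range_lookup(h[:5]) or []:
        if suffix == h[5:]:
            return count
    return 0

def resembles_username(username, password, threshold=0.8):
    """True if the password is identical to, contains, or closely matches the username."""
    u, p = username.lower(), password.lower()
    if u == p:
        return True
    if len(u) >= 4 and len(p) >= 4 and (u in p or p in u):
        return True
    return SequenceMatcher(None, u, p).ratio() >= threshold

def audit(credentials, range_lookup=FAKE_RANGE_TABLE.get):
    """Map each username to the list of problems found with its password."""
    findings = {}
    for user, pw in credentials:
        issues = []
        if resembles_username(user, pw):
            issues.append("resembles-username")
        n = pwned_count(pw, range_lookup)
        if n:
            issues.append(f"pwned({n})")
        findings[user] = issues
    return findings
```

Swapping `range_lookup` for a function that fetches the real range endpoint and parses its `SUFFIX:COUNT` lines turns this into a live check without ever sending the full hash.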
And while we're on the subject of things that are not perfect, BetVictor's handling of the problem left a lot to be desired as well.
We still don’t know how big the incident could have been
The communication between Chris Hogben and BetVictor shows that the company's representatives weren't very talkative. Asked by the media, they did say that the internal documents, which were part of a customer service help section, have been removed. They also said that an investigation is ongoing.
What they didn't say is whether any user information could have been stolen from the internal systems that were left out in the open. We're pretty sure that the people responsible for enforcing the EU's new GDPR regulation would be happy to hear that as well.
BetVictor got lucky
There's no evidence of someone with bad intentions getting their hands on the login credentials and internal URLs and using them to actually do damage, so it's safe to say that the people at BetVictor can breathe a sigh of relief. Users, however, can't do that.
The whole fiasco shows how sloppy some companies are when it comes to handling sensitive information.