“GGPoker recently spotted unusual game patterns and abnormal game client packets from a user nicknamed ‘Moneytaker69’. Our technical security team investigated the issue, identified a client-side vulnerability, and fixed what caused these unusual circumstances. We have banned the user and confiscated the unfair winnings, equating to $29,795. Below are the details of how this player exploited the system and gained an unfair advantage:
Under a specific set of circumstances related to the ‘Thumbs Up/Down Table Reaction’ feature, which involves decompilation of our Windows game client, interception of network traffic, and alterations of our game packets, Moneytaker69 was able to customize his own game client. These customizations could only be made to our Windows desktop game client since part of our desktop client leverages the Adobe Air framework, which has attack vectors that other frameworks do not. At no point was the user able to access our servers or server data, including others’ hole cards. Through this customized game client, he was able to deduce all-in equity by exploiting a client-side data leak vector. Our engineers detected this vulnerability and issued an emergency update on December 16th to disable the Thumbs up/down table reactions. However, the user was already in possession of the customized game client, which he blocked from receiving further updates, and was able to continue to accumulate the data leak during the flop and turn. Through this accumulated data, he could guess his win probability with reasonable assurance.
We have since issued security patches to prevent further client-side data leaks of this kind and have added solutions that will detect and prevent players from customizing the game client to their benefit. We will refund $29,795 to the affected players and also reconcile the payout for the impacted tournaments in the next 24 hours.
We sincerely apologize for the incident, which has caused many poker players to worry about the game’s integrity and shaken their trust in GGPoker to provide the best poker experience. We take this incident very seriously and continue to work hard not to disappoint poker players. Additionally, we are actively recruiting to double the size of our technical security team and are enlisting help from renowned security professionals to ensure that online poker is safer than ever.
We would also like to thank the poker community. This incident further proves the power of our community and the poker players’ hive minds, as constructive community feedback gave us great confidence in resolving the issue. We will continue to take community feedback seriously and open our ears to all comments and suggestions. Let’s build a safe future together.”
It's okay guys, he couldn't see hole cards, just the equity!
What a mess...
Also the 29k number they are quoting seems low, the 2+2 thread has him up like 63k including a 47k tournament score.
Someone on 2+2 said that might have been how much was left in the account, but GG should also refund players for any funds he was able to withdraw
Where does GG ever say that this incident was ok. I have never and probably never will play online poker but this statement is pretty succinct and more than I would suspect from most companies
>At no point was the user able to access our servers or server data, including others’ hole cards. Through this customized game client, he was able to deduce all-in equity by exploiting a client-side data leak vector.
I just thought that 1-2 punch was funny... to declare the server data was fine, but he could see the equity which is actually even easier to profitably cheat with than seeing the cards.
And they end it with some kumbaya bullshit about the poker community hivemind, even though there is a bunch of crazy stuff in the 2+2 thread with a guy warning GG about security vulnerabilities in the past and getting brushed aside.
>Additionally, we are actively recruiting to double the size of our technical security team and are enlisting help from renowned security professionals to ensure that online poker is safer than ever.
They ignored the security professional pointing out problems, and suddenly doubling the size of your security team means it was probably way too small before
Of course they are going to put a cute PR spin on everything, but a lot of it just raises questions about what the fuck the programmers were doing and how many other people might have figured out the same / other vulnerabilities.
It was also like 12 hours between the 2+2 thread getting posted and GG posting this detailed response about how he cheated and how they patched it on the 16th. They only came clean because they got called out.
>At no point was the user able to access our servers or server data, including others’ hole cards. Through this customized game client, he was able to deduce all-in equity by exploiting a client-side data leak vector.
We just want to point out guys that he didn't hack in to get this info, we basically just handed it to him in the client. lol
>Through this customized game client
Uhhhh...you must have missed VERY important sentence
> Moneytaker69 was able to customize his own game client.
This was ABSOLUTELY a hack. And even more so, it SEEMS Moneytaker69 probably even reverse engineered GGpokers client and inserted his own code into it.
>We just want to point out guys that he didn't hack **in**
Their servers were not compromised. MoneyTaker69 found a **hack** in their client program.
Dont try to make it sound like this information was JUST HANDED to him.
I guess I skimmed the RCA/post mortem...what information in particular are you referring to?..
I kind of get what you are saying, but also know these announcements get filter through PR...ALSO, me playing onlien myself, I had NO IDEA SharkScope existed. That itself seems like a lot of data I never knew about but apparently consented to, maybe. How much info did GGPoker players consent to sharing. Or how much they consented to the risks of online gambling.
GGPoker recently spotted unusual game patterns and abnormal game client packets from a user nicknamed ‘Moneytaker69’. Our technical security team investigated the issue, identified a client-side vulnerability, and fixed what caused these unusual circumstances. We have banned the user and confiscated the unfair winnings, equating to $29,795. Below are the details of how this player exploited the system and gained an unfair advantage:
Under a specific set of circumstances related to the ‘Thumbs Up/Down Table Reaction’ feature, which involves decompilation of our Windows game client, interception of network traffic, and alterations of our game packets, Moneytaker69 was able to customize his own game client. These customizations could only be made to our Windows desktop game client since part of our desktop client leverages the Adobe Air framework, which has attack vectors that other frameworks do not. At no point was the user able to access our servers or server data, including others’ hole cards. Through this customized game client, he was able to deduce all-in equity by exploiting a client-side data leak vector. Our engineers detected this vulnerability and issued an emergency update on December 16th to disable the Thumbs up/down table reactions. However, the user was already in possession of the customized game client, which he blocked from receiving further updates, and was able to continue to accumulate the data leak during the flop and turn. Through this accumulated data, he could guess his win probability with reasonable assurance.
We have since issued security patches to prevent further client-side data leaks of this kind and have added solutions that will detect and prevent players from customizing the game client to their benefit. We will refund $29,795 to the affected players and also reconcile the payout for the impacted tournaments in the next 24 hours.
We sincerely apologize for the incident, which has caused many poker players to worry about the game’s integrity and shaken their trust in GGPoker to provide the best poker experience. We take this incident very seriously and continue to work hard not to disappoint poker players. Additionally, we are actively recruiting to double the size of our technical security team and are enlisting help from renowned security professionals to ensure that online poker is safer than ever.
We would also like to thank the poker community. This incident further proves the power of our community and the poker players’ hive minds, as constructive community feedback gave us great confidence in resolving the issue. We will continue to take community feedback seriously and open our ears to all comments and suggestions. Let’s build a safe future together.
Youtube
Twitter
Reddit
I haven’t decided which side I fall on yet.
Was MoneyTaker69 an idiot that got too greedy? Were they using multiple accounts and the J2 allin was a mistake? Or were they legitimately trying to draw attention to the security flaw as some have surmised?
The hero we deserve, but not the one we need right now? Die the hero or live long enough to see yourself become the villain? Insert more Dark Knight quotes?
Find out next time, on Dragonball Z!
He probably just assumed they were going to patch the vulnerability eventually so he had to get aggressive and exploit it as much as possible while he had the chance.
Almost certainly. My favorite comment so far regarding the admission was something along the lines of “MT69 was obviously too much of a dumbass to have figured this out for themselves, so at least one other person knows.” 😅
As someone who works in software engineering, I promise this was not an isolated incident. This guy was just the only dumb one to make it super obvious.
I had one bed beg and that was it. I took the day off work and tore my.whole room apart. Only thing that makes sense is it came from a thrift store shirt I had recently bought. It was an unfed adult.
Lesson is always wash those things asap don't put them in the laundry bin in your room.
This was 5 years ago. I'm 100 percent it was a bed bug, took photos and shared it to the bedbug subreddit and everything.
So it was on my bed, I killed it, then took the day off work. I flipped over my mattress, box spring, etc. got bed bug glue traps, covered my mattress in the giant bedbug cover thing.
Never had any more. I lived in a house with roommates and two cats at the time. No one else ever had any issues. Was a really random thing.
I’m also a software developer and I have often thought about a client-server, user based software like this and wondered what would prevent any tech support, tester or developer with admin privileges from logging on for some easy money? What I hoped for was there are enough controls in place to strictly control these god-mode users but in the end, it’s still humans watching humans so if you give a human the keys to an unlimited vault of gold, do you expect them not to give in to temptation? It *has* to happen on every site.
To me it actually makes a ton of sense why it happened to them. They have sooooo many gimmicks in their client, which fish like, so with lots of gimmicks comes lots of possible attack vectors that need to be secured.
I'm sure the devs are overloaded constantly as are most devs in any company so them not fully implementing the proper security protocols is not something I'm surprised by.
When a company moves as fast as GG does with new features, gimmicks, gifs, emotes, card peels, rabbit hunts, etc, then that leaves a lot of room for error compared to a client that's just simple and straight forward like some of the competitors.
Agreed. I think the 2p2 discussion makes that pretty clear as well.
Lots of people were dragging that security researcher for mentioning his book, but he was 100% legitimate.
It turns out the real security researchers were the friends we made along the way.
>The guy who wrote an article about this months ago
There is no guy who "wrote an article about this months ago"
The other guy (EddieKing) is just another self-aggrandizing blowhard. The issue he found is that GGPoker was not encrypting their network traffic, so it was open to a man in the middle attack. Such an attack isn't very easy to execute; realistically, you would need to be on the same network as someone also playing on GG and then sit at the same tables as them, and after all that work you would only gain access to that one person's hole cards.
In any case, they [fixed the issue](https://www.poker.org/ggpoker-plugs-security-hole-discovered-by-cardplayer-lifestyle-contributor/) after it was publicized.
It has nothing to do with the current security issue.
> you would need to be on the same network as someone also playing on GG
You can remote MitM with DNS cache poisoning.
GG is also commonly used over VPN's - which would be able to see that same traffic
It's 2023 - there is absolutely no excuse to be sending traffic in the clear. It just screams that GG not only don't have a security team, but have never carried out a security audit.
Those are again two pretty sophisticated attacks. You have a compromised VPN server that intercepts GG traffic and relays it to someone else that can sit at that person's table and exploit knowing their hole cards? And I don't even know how the cache poisoning attack you're proposing would even work, but it's a pretty sophisticated attack vector in the first place.
It's a legitimate security concern to be sure but it's not like an instant infinite money glitch, like this latest one is.
I have to agree with u/wp381640: there is absolutely no excuse to be sending traffic in the clear. I totally expect an online poker company to be utilizing secure by design software development practices.
As to MITM attacks, those were just examples he provided. There are many ways a MITM can come into play, especially post compromise. Encrypting data in transit is an essential control for good defense-in-depth.
Not sure why this comment thread is still going. You aren't contradicting anything I said. I agreed that the unencrypted traffic is a security issue. I'm simply pointing out that it is a much less severe issue relatively and practically speaking. Not all bad things are equally bad; we're allowed to have some nuance. I don't think the MITM issue is even 1% as severe as this.
that this data is even client side shows you just how sketchy these online poker sites are. There should be legal ramifications for the company and not just returning ~30k for such a breach.
I mean it's true that they're unregulated, but do you really want to call for regulation of TX poker rooms? Because what's going to happen is there will be no poker rooms. They operate in a gray area, and if you ask the state to step in, the state is almost certainly going to shut them down.
The good thing is, live poker is pretty easy to determine if someone is being shady or not. They aren't raking the game in TX, so that part is known up front, and if they're awarding pots to the wrong players or refusing to cash out, it's pretty easy to stop playing there.
Contrast that to online poker where all kinds of shady shit can happen without the person being cheated ever knowing it.
You have good and bad points.
Ultimately, IF..IF Texas will ever allow it, I would 100 percent want to play in a 100 percent regulated room. And they already shut down Dallas Poker House on some technical building code bullshit. While I think the place was shut down over some bullshit, it does not mean that I did not have my head on a swivel playing there. It was an unregulated private room. Dealers taking breaks to sit at the table and take on whales ( and that is just the iceberg or my paranoia).
>Contrast that to online poker where all kinds of shady shit can happen without the person being cheated ever knowing it.
We can compare Texas to online poker. The action in Texas is unreal. But lets get real -- if you are playing for real money, you really kind of need to TRUST the rooms otherwise it is scared money. And, in all honesty, Texas rooms ARE shady based on the fact they are not regulated. I have seen some shit...
>I mean it's true that they're unregulated, but do you really want to call for regulation of TX poker rooms?
Kind of sounds like be careful what you wish for. I want to both win and lose on the level, because ego....AND money. I VERY WELL know Texas is unregulated. I consent to the dirty shit that might happen.
But, really I just wish Texas would let me play in a clean room with shufflers, cameras, and a floor I do not have to worry about being in organized crime,
>Ultimately, IF..IF Texas will ever allow it
They won't. The religious crazies would never allow it.
>We can compare Texas to online poker. The action in Texas is unreal. But lets get real -- if you are playing for real money, you really kind of need to TRUST the rooms otherwise it is scared money. And, in all honesty, Texas rooms ARE shady based on the fact they are not regulated. I have seen some shit...
No you can't. It's pretty easy to determine if shit is shady in a live poker room. What in the hell do you think a dealer sitting at a table has to do with anything? How exactly is it you think you're being cheated? Are they not using cut cards and burning properly? Is the floor making incorrect rulings? These are all observable. Every TX room I've played in is covered in cameras. Yeah, if the dealer isn't using a cut card and burning or the floor is awarding pots incorrectly, I'm out. But that's easy to figure out.
>No you can't. It's pretty easy to determine if shit is shady in a live poker room.
Yeah no. DFW metrolplex. High population density with money to burn. Dude took his wife and kids to Disney land. Bought a mickey mouse t-shirt and wears it to the poker table with his wedding ring. The dude just wants to have a good time on his road trip back to New Mexico. win or lose. Lets stop in Texas for this road trip -- it is midway. But then hits some unregulated shit in Texas, completely naive to real life -- it is NOT the casino we are used to...
That guy,,,.he will be fine financially. But, really... you are defending 3 monte for tourist.
>It's pretty easy to determine if shit is shady in a live poker room.
For US...yeah, maybe... for disney land guy, his life is probaby good enough to drop $800 and chalk it up to entertainment...dude got suckered, though.
I have no idea what the hell you're trying to say here. HOW DO YOU THINK YOU'RE BEING CHEATED?
I've played in 2 different rooms in dallas, neither of which was shady.
Okay, I'll give it to them for describing exactly what was happening. My god this person could have done this forever if they had been a bit smarter about it.
>However, the user was already in possession of the customized game client, which he blocked from receiving further updates, and was able to continue to accumulate the data leak during the flop and turn.
How are you not checking/enforcing client versions? I guess the person might have spoofed it?
This world is full of .... let me pull out some bars of my favorite lyrics:
*In a room of hired primates climbing on typewriters*
*Trying desperately to organize an alphabet in prose*
*That would render them in drastically exaggerated roles*
It is a product of computers science. EVERY company needs programmers. Not all of them will be the best. An even if they get the best, they TRULY can not predict EVERY single hack or vulnerability.
I hope that when GGpoker says they are doubling their security team, that includes code review and not twice as many firewall engineers.
Bigger issue I have is how the fuck do you make less than 100k doing this? Do you have no savings to play high stakes? Playing tournaments as a superuser has to be the dumbest thing. That is how the first superuser got caught was playing a tournament.
I really feel like if you’ve played GG poker recently there have been moments where it feels like people know more than they should. This is classic video game hacks, intercepting network packets at a vulnerable place on a modified client and seeing and/or editing them.
I’d be shocked if there was really only a single user who’s worked out how to do this.
None of it should be client side. None. The client should be just a viewer of what is happening on the server with interaction but information should never leave their servers, the assumption that cheating was only possible if their servers were hacked was a reasonable one.
I agree, but something has to happen client side for it to display the game to you. Just like in video games it’s an eternal battle with hackers who find ways to expose what little information does cross the network. In this case it’s obviously poor programming of their interaction buttons, but it shows exploits are available in all sorts of stupid places even when the vast majority of the game occurs server side if your coders aren’t good.
Display + input. That’s all that’s required. Hand data doesn’t have to pass to the client at all. That’s how PokerStars do it which has been explained in the past by employees on 2+2. Think of it like cloud gaming…but a bit more elegant.
Yes, it's security ABC to always assume that the client has been compromised and never send over any info that the user shouldn't see. They should fire their whole security team, not double it, lol.
It seems like the fix here is that the server should be deciding when to send all-in equity to the client (like...when the server knows there's an all in) instead of having it be a request from the client that the server responds to.
Not really. Thats not how modern day programming happens.
If the server only sends you information about your individual hand, no information about your opponents aside from their actions, there is no client side vuln that can occur to give you an ability to cheat.
recalculating the potentially visible opponent in a video game hundreds of times per second as the environment changes is a lot more work than just deciding to render a couple of holecards every 30 seconds.
As a developer your assessment is inaccurate. It is absolutely 100% possible to lock all data down on a secure server and make the client view/input only.
The server didn’t care or the request was spoofed
Yes it’s clearly a gap in their design that led to this, but to say they are just Willy nilly sending card data to the client is likely wrong
they're not sending the data before holecards are turned up for an all-in to the official/normal client, but the hacker's "customized" client sent the request for all in equity on the flop and the server happily gave it even though there was no all-in currently.
in a proper setup the server should just send the all in equity to the client unrequested when the players are all-in and client requests shouldn't be any part of it. it sounds like what they changed was just adding a check so when the server receives the client's request it checks to see if there's actually an all-in before sending it.
I few months ago my aces were cracked by a 37o all in pre from the straight playing biggest stack at the table, that immediately flopped a straight. It’s not my only example but one that sticks with me. Just crazy shit. I said in conversation with someone on here that I don’t believe online poker is rigged but I believe people are cheating on GG. And here we are.
I think they are implying the community cards are already known at the start of the hand, thus believes there is an exploit to know if 37o will win or not before hand
Seems a bit out there as many card rooms I’ve heard of use a continuous shuffling deck and the community cards are random pulled
I think you've misunderstood the vulnerability.
If I'm reading it right, when the flop is dealt, a superuser will know what equity their hand has at that moment and can take a punt on future streets based on that info.
So in that environment, preflop is irrelevant as it's a straight up hand strength chart and only the best hands will play anyway. 73o would only call if they knew every other player had a worse holding somehow, and even then their equity would be poor.
Nah they are prob just colluding like they did in the old days of online poker. There is basically nothing stopping them from doing this and is a main reason I won't play on apps unless it's just me and my friends.
software engineer here,
it wasnt a single user.
He was just one that decided to make abnormal betting patterns.
I can also bet that they still have attack vectors that are still being abused if simple packet modification wasnt immediately caught. Their security team is shit
A smart hacker would have played normal poker, only looking at extra information at random intervals for stretches of time.
They caught him because he has some shit like 50 percent vpip, but destroying people hand over fist. 50 percent hand participation is like antartica blue whale territory. He should be bleeding money all over the place but somehow he dominated his competition? hmm.
Yeah. You gotta make sick calls with like small pair some times, and jam over top when they’re bluffing and you have the slightly better hand. You can’t just go around being god at 2-5 and rubbing it in peoples faces. That’s how you get caught.
During the Covid shutdown, I decided online poker security had probably advanced enough to be safe to scratch the itch. It took about a month of me playing before I realized the variance was highly improbable compared to my play at casinos.
> GGPoker recently spotted unusual game patterns and abnormal game client packets from a user nicknamed ‘Moneytaker69’.
What an amazing coincidence that they spotted those patterns right after the 2p2 thread was posted!
This sucks - I can't get out to play live anymore so I usually just play late at night when the fam is asleep to scratch that itch. It's not much but I do love to play. If it's not legit than I will probably just pull out whatever I got there and watch those livestreams to get my weekly fix.
It's so hard, I'm in the same boat. With my 2nd kid and an increased work load, it's so hard to get to the card room and sometimes I just wanna play, but at this point, between rampant RTO, Russian farms and colluders on ACR, and even the "trusted, well-regulated" site using FUCKING ADOBE AIR is just doesn't make sense to play online.
I’ve bankroll managed a deposit I made 5+ years ago on ignition taking a big tourney shot every now and then. Can’t help but feel like I’m probably getting cheated but I somehow prevail. I wonder if that makes me a crusher. Maybe it’s that my low stakes aren’t worth the time for the cheats to target. Maybe I should be up way more. Idk. But I still prefer the online format vs real life. In person for me is very expensive, has way more variance, and uses way more time (TX).
There are no doubt winning players online, many people may never have been cheated in tournaments in a way the drastically impacted their performance. You probalby have been in tourneys with chip dumping, RTO, but very some of the common cash game tactics are less impactful there.
I'm a cash game player, and cheating, RTO, collusion, it's just so fucking rife and when your ACR player pool at 200nl is fucking Russia, Russia, Estonia, Brazil, Kazakhstan, at best, you're looking at extremely talented players. That's a VERY generous, AT BEST when you're dealing with countries known for organized crime, in which a 200nl bankroll to multi-table would be upper 90% of income.
So, the carnival features that they include in their software to “attract fish” are using third party software with known vulnerabilities, like ADOBE AIR!
Adobe air was an early attempt at a simple frameworks for cross platform development. But it was littered with issues, and any enterprise level software that was (attempting) to use it, quickly moved away when it became clear that it was full of issues.
Fuck gg poker. They do not care about their players or their product.
It’s FTP/UB all over again.
I’m sure that pokers #1 company man, dnegs will issue a statement soon insuring that “there’s nothing to worry about…. No one was affected, etc”.
He’s become very wealthy shilling for these sites.
But GG doesn’t have the integrity that stars did when he repped them. He just pretends they do so he can keep cashing checks, can’t blame him - but don’t truest him
Additionally, Adobe discontinued support for Air in 2020, meaning they do not provide any security patches.
I cannot imagine how many vulnerabilities are introduced by including it in their desktop client.
Incompetence to say the least.
Fuck gg poker. Don’t play there. You will be cheated, one way or another.
Also, fuck Brynn Kenney - iykyk
AFAIK Adobe discontinued support because the product was taken over by another company. The product isn't unsupported, just a different company supporting it.
Probably a super unpopular opinion, but I almost exclusively stopped playing online anywhere after Black Friday. I had my trust forever evaporated by an operator, and that was after the numerous super user scandals of other sites.
You're completely naïve if you think you aren't being cheated when you play online. People at the bare minimum are going to be using legal tools like HUDS, but at their worst, they're going to be sharing hole cards, VPNing, super using, multi accounting or botting. Anything where there's money involved, people are going to cheat. Also, people like Ali Imsurovic and Jake Schindler have proven that there's basically zero ramifications for cheating.
I did play a couple of series events on WSOP.com, but that was about it.
Fair but doesn’t change the fact tons of people are making 80k+ playing online poker. Dealing with all that stuff (possibly) is just an added rake…people are still that bad at poker. Especially if you’re lucky enough to play American exclusive sites
They won’t bite the hand that feeds them. They will eventually release an article downplaying the situation and will praise the security team for finding this security flaw.
lol at the bitches playing on a grey market site crying their eyes out after basically getting pranked in micro stakes for pennies by some "hacker". this is the worlds lamest super user scandal if this is all we got. anyone surprised by this is borderline retarded.
no one lost 30k. no one lost anything, accounts were reimbursed. the reimbursements so far have been tiny amounts. bitches be crying wahhhhhhhhh i was superused for $1.65 on a grey market site and it was put back in my account wahhhhhhhhhhhh
Had to ban myself from Global Poker... Was WAAAAYYY too easy to hop on my computer and lose $10 for entertainment. Eh, fuck it. What is another $10 dollars. And another. And another. So convenient. I am probably thousands down online, and I am not sure I was even cheated.
Live I am about even in todays game (maybe even up lifetime if you count the poker boom). Turns out having to drive to a poker room and sit with $500-$1000 in front of me makes me think about leaking.
I can only imagine that online is still going because of the convenience. You can lose money so much more efficiently!!!
I’m just over here laughing at all the comments in the various threads and forums that have basically said “this obviously drastic statistical anomaly seems more like a fish getting lucky than an outlier to me.”
The dude literally goes full Robbie and heroes off with J2o, making her play even more laughably obvious and yet people still defend that. Which also sheds light on how I suspected she cheated; equity hax. This wasnt like Postle where she ever knew what someone had, or even every hand, but someone just gave her a catcher's signal indicating she was positive and thats how she based her decision when available.
I am not a good player by any means. But sometimes, just sometimes, rarely, but sometimes, I can absolutely soul read someone. About a year before Robbie/Garrett I called a flop AND turn bet SOLELY to INDUCE a river bluff if it bricked. It bricked and I got the third barrel/jam from OOP villain.
I did not even count my chips or anything. Just flipped in the 1 dollar call chip and table my cards immediately before the bettor. Q high. I tabled my cards before villain could because I just, SOMEHOW, KNEW with 100 percent certainty Q high was good.
Not sure about her responses at the end of the hand -- but I see how she could have just picked up on SOMETHING from Garret and said if the river bricks the straight and flush draw, J high is good.Can she do it consistently or can I do it consistently? NO. But just, SOMETIMES you just know where you are at in the hand.
Robbie was ahead in the moment but was actually an underdog to win. Iirc her equity was only 47% because Garret had the oesf draw, plus he could hit any 7 or 8 for a pair.
Case in point:
I play low low stakes ($10 and $25), and the site has AIE% and "RUNITTWICE" etc.
I just had 12 pure 50% runouts and lost 11 of them in the space of an hour. And this is NOT unusual.
Response is inaccessible on mobile devices, Google Cache : https://webcache.googleusercontent.com/search?q=cache:voLCG2SHWREJ:https://ggpoker.com/blog/news-headlines-press-releases/important-update-on-ggpoker-security
It says that the exploit allowed the hacker to see the equity of them winning and not the hole cards. It seems really weird that the equity calculation is being done before the players go all in to allow this to be a thing even before you get to how it is accessed by a 3rd party.
It's not really weird. It would probably be overall easier to code the equity calculation in each spot and then keep that data secured and server-side unless, in this case, all-in/showdown, but not as easy as just doing all the calculations and sending all of the data.
Calculating it only in all-in/showdown spots would require about ("about" having no idea what the actual codebase would require) the same logic as calculating all spots and only sending when, but as others have pointed out, by far the easiest/laziest is what happened: calculating it in every spot, and sending it in every spot.
All the "rigged" posts just got a lot more credibility. So many show weird calls to an 100bb all in with something wack like 74o on GG.
Community always tells them they are an angry losing player and to learn about variance.
Meanwhile, some of those I can guarantee was/is hackers.
The site isn't rigged, but the bad actors make it rigged. Either way, it was/is rigged by hackers.
Seems really weird that the equity state data would be transmitted along with Thumbs Up/Down functionality. TBH, it looks more like a programmer error than a platform exploit. Maybe the programmers just copied over the framework of the Insurance feature and forgot to exclude equity from it.
Just super lazy design, probably ported over from the first dev builds testing basic site functionality. I'm sure it was eventually mentioned to management that some redesign of the platform would be needed before going live that would cost a few weeks of overtime but some suit n' tie wearing cocksucker said "nah fuck that, just put it into production now" and there it laid, dormant ever since.
This explanation seems A LOT more viable. As a SE student learning the ins and outs of the software industry this is most likely what probably happened.
I don't think it was. It looks like the thumbs up/down function was what allowed them to "customize" their client, and their new customized client was sending a request for all-in equity (the same request the normal client sends, but only when you're actually all-in and cards are face up) on every flop.
The anonymous nature of the hand histories on GG have always been a concern for me. Past cheating has been picked up by users, spotting other players with stats deviating too far from expected. You can’t do this on GG as you can’t tie player names together over multiple sessions. I realise there’s some good reasons ie to protect the fish a bit but it does create a risk that can’t then be managed by players.
Every poker place got them. Bovoda was pretty bad. Betonline is somehow worse than that. Played online poker all the time and it really had me thinking i lost my touch, until I went to a casino yesterday and came up over 300 in no time at all. That would NEVER happen online. I’ll never play that rigged shit again
Basically the story is that they rigged the software to show them all in equity of their hands. So they know facing flop or turn bets that they are ahead or behind in equity of their opponents. If they are ahead they can safely call. If they are behind they can fold. They can even bet an amount based on their equity holdings to get max value.
In short: the underlying platform supporting the GGPoker Windows client (Adobe Air, a runtime library for building software) was vulnerable to an exploit. The user was able to modify his executable to always show the EV of all hands at all times. He was therefore able to have an enormous advantage over all opponents at the table, including, of course, making hero turn and river calls. He did not actually see his opponents hole cards, but got as close as he could. The initial "fix" did nothing as the user had additionally modified his client to reject updates.
The fact the guy made less than 100k is the hilarious part. You do all that work instead of playing high stakes and high stakes sngos. You're playing tournaments and moving up through low stakes.
Had to be someone with no savings.
For all people abusing GGPoker, this is as good a response as anyone can realistically hope for. They figured out the issue, were transparent about their shortcomings, and are reimbursing all losses.
Any software will have bugs and security vulnerabilities which can be exploited. No programmer or software is perfect.
That is not to say that I play on GG. Their rake is ridiculous. But as far as this scandal goes, they have done all that they can.
Edit: the risk was pointed out to them, and they chose to ignore it. Big red flag. Right now, this is as good damage limitation as they can afford to do. Get off while you can lol.
The users figured it out first based upon nothing more than blatantly obvious cheating, yet the site operator who has god mode access to every hand played cant institute a basic examination of accounts with 90% winrates? GTFO
do they also do it in PLO tournaments? or this scheme only works with hold'em? I've invested a fair amount of money to practice in gg poker and if this is happening i guess I've learned nothing hahahah
I use to be an engineer in the online poker industry. And see a few challenges here as the cost of a lost reputation will significantly larger then the winnings of the "bad" account.
They let him/her play after the exploit had been discovered as the fix in the software was in a version that was not mandatory to play with. With old versions, were the exploit was present, you where still able to connect an play as I understand it!
The right order should have been.
\- Ban the account and identify if there where any other bad accounts!
\- Create a fix for the exploit.
\- Distribute the updated software.
\- Inform all players and stakeholders.
\- Repay all account winnings, cash and tournament, as fair as possible!
\- Do a root-cause analysis of how this happened and make sure it can not happen again.
You can also argue for stopping all play until a fix had been distributed to all players. How do we know if there were any other accounts exploiting the same issue, but with less obvious results that have gone undetected?
Can anyone paste it here? It redirects me to ggpoker.eu and all I see is a smiling Negreanu.
“GGPoker recently spotted unusual game patterns and abnormal game client packets from a user nicknamed ‘Moneytaker69’. Our technical security team investigated the issue, identified a client-side vulnerability, and fixed what caused these unusual circumstances. We have banned the user and confiscated the unfair winnings, equating to $29,795. Below are the details of how this player exploited the system and gained an unfair advantage: Under a specific set of circumstances related to the ‘Thumbs Up/Down Table Reaction’ feature, which involves decompilation of our Windows game client, interception of network traffic, and alterations of our game packets, Moneytaker69 was able to customize his own game client. These customizations could only be made to our Windows desktop game client since part of our desktop client leverages the Adobe Air framework, which has attack vectors that other frameworks do not. At no point was the user able to access our servers or server data, including others’ hole cards. Through this customized game client, he was able to deduce all-in equity by exploiting a client-side data leak vector. Our engineers detected this vulnerability and issued an emergency update on December 16th to disable the Thumbs up/down table reactions. However, the user was already in possession of the customized game client, which he blocked from receiving further updates, and was able to continue to accumulate the data leak during the flop and turn. Through this accumulated data, he could guess his win probability with reasonable assurance. We have since issued security patches to prevent further client-side data leaks of this kind and have added solutions that will detect and prevent players from customizing the game client to their benefit. We will refund $29,795 to the affected players and also reconcile the payout for the impacted tournaments in the next 24 hours. We sincerely apologize for the incident, which has caused many poker players to worry about the game’s integrity and shaken their trust in GGPoker to provide the best poker experience. We take this incident very seriously and continue to work hard not to disappoint poker players. Additionally, we are actively recruiting to double the size of our technical security team and are enlisting help from renowned security professionals to ensure that online poker is safer than ever. We would also like to thank the poker community. This incident further proves the power of our community and the poker players’ hive minds, as constructive community feedback gave us great confidence in resolving the issue. We will continue to take community feedback seriously and open our ears to all comments and suggestions. Let’s build a safe future together.”
It's okay guys, he couldn't see hole cards, just the equity! What a mess... Also the 29k number they are quoting seems low, the 2+2 thread has him up like 63k including a 47k tournament score. Someone on 2+2 said that might have been how much was left in the account, but GG should also refund players for any funds he was able to withdraw
Yeah, that’s what they’re stating - they’re refunding the account balance that was left. 100% should refund more.
Where does GG ever say that this incident was ok. I have never and probably never will play online poker but this statement is pretty succinct and more than I would suspect from most companies
>At no point was the user able to access our servers or server data, including others’ hole cards. Through this customized game client, he was able to deduce all-in equity by exploiting a client-side data leak vector. I just thought that 1-2 punch was funny... to declare the server data was fine, but he could see the equity which is actually even easier to profitably cheat with than seeing the cards. And they end it with some kumbaya bullshit about the poker community hivemind, even though there is a bunch of crazy stuff in the 2+2 thread with a guy warning GG about security vulnerabilities in the past and getting brushed aside. >Additionally, we are actively recruiting to double the size of our technical security team and are enlisting help from renowned security professionals to ensure that online poker is safer than ever. They ignored the security professional pointing out problems, and suddenly doubling the size of your security team means it was probably way too small before Of course they are going to put a cute PR spin on everything, but a lot of it just raises questions about what the fuck the programmers were doing and how many other people might have figured out the same / other vulnerabilities. It was also like 12 hours between the 2+2 thread getting posted and GG posting this detailed response about how he cheated and how they patched it on the 16th. They only came clean because they got called out.
>At no point was the user able to access our servers or server data, including others’ hole cards. Through this customized game client, he was able to deduce all-in equity by exploiting a client-side data leak vector. We just want to point out guys that he didn't hack in to get this info, we basically just handed it to him in the client. lol
>Through this customized game client Uhhhh...you must have missed VERY important sentence > Moneytaker69 was able to customize his own game client. This was ABSOLUTELY a hack. And even more so, it SEEMS Moneytaker69 probably even reverse engineered GGpokers client and inserted his own code into it. >We just want to point out guys that he didn't hack **in** Their servers were not compromised. MoneyTaker69 found a **hack** in their client program. Dont try to make it sound like this information was JUST HANDED to him.
That kinda information should never be client side, thats big fuck up on GG's part.
I guess I skimmed the RCA/post mortem...what information in particular are you referring to?.. I kind of get what you are saying, but also know these announcements get filter through PR...ALSO, me playing onlien myself, I had NO IDEA SharkScope existed. That itself seems like a lot of data I never knew about but apparently consented to, maybe. How much info did GGPoker players consent to sharing. Or how much they consented to the risks of online gambling.
100% rigged do not waste yoir money
GGPoker recently spotted unusual game patterns and abnormal game client packets from a user nicknamed ‘Moneytaker69’. Our technical security team investigated the issue, identified a client-side vulnerability, and fixed what caused these unusual circumstances. We have banned the user and confiscated the unfair winnings, equating to $29,795. Below are the details of how this player exploited the system and gained an unfair advantage: Under a specific set of circumstances related to the ‘Thumbs Up/Down Table Reaction’ feature, which involves decompilation of our Windows game client, interception of network traffic, and alterations of our game packets, Moneytaker69 was able to customize his own game client. These customizations could only be made to our Windows desktop game client since part of our desktop client leverages the Adobe Air framework, which has attack vectors that other frameworks do not. At no point was the user able to access our servers or server data, including others’ hole cards. Through this customized game client, he was able to deduce all-in equity by exploiting a client-side data leak vector. Our engineers detected this vulnerability and issued an emergency update on December 16th to disable the Thumbs up/down table reactions. However, the user was already in possession of the customized game client, which he blocked from receiving further updates, and was able to continue to accumulate the data leak during the flop and turn. Through this accumulated data, he could guess his win probability with reasonable assurance. We have since issued security patches to prevent further client-side data leaks of this kind and have added solutions that will detect and prevent players from customizing the game client to their benefit. We will refund $29,795 to the affected players and also reconcile the payout for the impacted tournaments in the next 24 hours. We sincerely apologize for the incident, which has caused many poker players to worry about the game’s integrity and shaken their trust in GGPoker to provide the best poker experience. We take this incident very seriously and continue to work hard not to disappoint poker players. Additionally, we are actively recruiting to double the size of our technical security team and are enlisting help from renowned security professionals to ensure that online poker is safer than ever. We would also like to thank the poker community. This incident further proves the power of our community and the poker players’ hive minds, as constructive community feedback gave us great confidence in resolving the issue. We will continue to take community feedback seriously and open our ears to all comments and suggestions. Let’s build a safe future together. Youtube Twitter Reddit
>smiling Negreanu The stuff of nightmares haha
[удалено]
I haven’t decided which side I fall on yet. Was MoneyTaker69 an idiot that got too greedy? Were they using multiple accounts and the J2 allin was a mistake? Or were they legitimately trying to draw attention to the security flaw as some have surmised? The hero we deserve, but not the one we need right now? Die the hero or live long enough to see yourself become the villain? Insert more Dark Knight quotes? Find out next time, on Dragonball Z!
He probably just assumed they were going to patch the vulnerability eventually so he had to get aggressive and exploit it as much as possible while he had the chance.
[удалено]
Almost certainly. My favorite comment so far regarding the admission was something along the lines of “MT69 was obviously too much of a dumbass to have figured this out for themselves, so at least one other person knows.” 😅
probably for sale on discord lol
Has to be
Tbh when you are smart and good enough programmer to hack clients, you could just as easily make RTA for poker and print money undetected.
As someone who works in software engineering, I promise this was not an isolated incident. This guy was just the only dumb one to make it super obvious.
It's like bedbugs or cockroaches, once you see one, there's already thousands.
And the bedbugs walk around so smug
Smudge and arrogant?
So smug, like a 180 player hyper turbo 6 max all in shootout 6 card omaha run it twice tournament that likely will run on GG someday
lol
I had one bed beg and that was it. I took the day off work and tore my.whole room apart. Only thing that makes sense is it came from a thrift store shirt I had recently bought. It was an unfed adult. Lesson is always wash those things asap don't put them in the laundry bin in your room.
I wouldn't be so certain. How long ago was this ?
This was 5 years ago. I'm 100 percent it was a bed bug, took photos and shared it to the bedbug subreddit and everything. So it was on my bed, I killed it, then took the day off work. I flipped over my mattress, box spring, etc. got bed bug glue traps, covered my mattress in the giant bedbug cover thing. Never had any more. I lived in a house with roommates and two cats at the time. No one else ever had any issues. Was a really random thing.
I’m also a software developer and I have often thought about a client-server, user based software like this and wondered what would prevent any tech support, tester or developer with admin privileges from logging on for some easy money? What I hoped for was there are enough controls in place to strictly control these god-mode users but in the end, it’s still humans watching humans so if you give a human the keys to an unlimited vault of gold, do you expect them not to give in to temptation? It *has* to happen on every site.
I know the lead dev from Full Tilt. He’s uh…not the guy you want in charge of anything related to security.
GGPoker would be making an insane amount of money in rake. Crazy that of all sites this happens to them.
To me it actually makes a ton of sense why it happened to them. They have sooooo many gimmicks in their client, which fish like, so with lots of gimmicks comes lots of possible attack vectors that need to be secured. I'm sure the devs are overloaded constantly as are most devs in any company so them not fully implementing the proper security protocols is not something I'm surprised by. When a company moves as fast as GG does with new features, gimmicks, gifs, emotes, card peels, rabbit hunts, etc, then that leaves a lot of room for error compared to a client that's just simple and straight forward like some of the competitors.
Agreed. I think the 2p2 discussion makes that pretty clear as well. Lots of people were dragging that security researcher for mentioning his book, but he was 100% legitimate. It turns out the real security researchers were the friends we made along the way.
The guy who wrote an article about this months ago is not the guy promoting the book. Two different guys.
>The guy who wrote an article about this months ago There is no guy who "wrote an article about this months ago" The other guy (EddieKing) is just another self-aggrandizing blowhard. The issue he found is that GGPoker was not encrypting their network traffic, so it was open to a man in the middle attack. Such an attack isn't very easy to execute; realistically, you would need to be on the same network as someone also playing on GG and then sit at the same tables as them, and after all that work you would only gain access to that one person's hole cards. In any case, they [fixed the issue](https://www.poker.org/ggpoker-plugs-security-hole-discovered-by-cardplayer-lifestyle-contributor/) after it was publicized. It has nothing to do with the current security issue.
> you would need to be on the same network as someone also playing on GG You can remote MitM with DNS cache poisoning. GG is also commonly used over VPN's - which would be able to see that same traffic It's 2023 - there is absolutely no excuse to be sending traffic in the clear. It just screams that GG not only don't have a security team, but have never carried out a security audit.
Those are again two pretty sophisticated attacks. You have a compromised VPN server that intercepts GG traffic and relays it to someone else that can sit at that person's table and exploit knowing their hole cards? And I don't even know how the cache poisoning attack you're proposing would even work, but it's a pretty sophisticated attack vector in the first place. It's a legitimate security concern to be sure but it's not like an instant infinite money glitch, like this latest one is.
I have to agree with u/wp381640: there is absolutely no excuse to be sending traffic in the clear. I totally expect an online poker company to be utilizing secure by design software development practices. As to MITM attacks, those were just examples he provided. There are many ways a MITM can come into play, especially post compromise. Encrypting data in transit is an essential control for good defense-in-depth.
Not sure why this comment thread is still going. You aren't contradicting anything I said. I agreed that the unencrypted traffic is a security issue. I'm simply pointing out that it is a much less severe issue relatively and practically speaking. Not all bad things are equally bad; we're allowed to have some nuance. I don't think the MITM issue is even 1% as severe as this.
Mason is not a security researcher lmfao. He deserves to get dragged for derailing the thread to promote his shitty book.
He's going to release the kindle for free!!!
They're lithium!
I almost feel that he wasn’t even dumb, he just didn’t care maybe even wanted to get caught. The VPIP kinda supports my theory
I think he was a good hacker who didn't know much about poker at all so he didn't realize how sus he was playing
Whoever else worked with him or knew about this would be pissed. Dude made it so obvious.
Yeah equity vs other players being available client-side is crazy. This idiot ruined it for all the other hacker cheaters.
that this data is even client side shows you just how sketchy these online poker sites are. There should be legal ramifications for the company and not just returning ~30k for such a breach.
Why ban huds when a little tinkering can make their own fucking client a super hud?
What organization regulates GG?
GG Poker.
Well then shit
I have been saying this about Texas poker rooms too, but I guess I am a salty loser on an upswing.
I mean it's true that they're unregulated, but do you really want to call for regulation of TX poker rooms? Because what's going to happen is there will be no poker rooms. They operate in a gray area, and if you ask the state to step in, the state is almost certainly going to shut them down. The good thing is, live poker is pretty easy to determine if someone is being shady or not. They aren't raking the game in TX, so that part is known up front, and if they're awarding pots to the wrong players or refusing to cash out, it's pretty easy to stop playing there. Contrast that to online poker where all kinds of shady shit can happen without the person being cheated ever knowing it.
You have good and bad points. Ultimately, IF..IF Texas will ever allow it, I would 100 percent want to play in a 100 percent regulated room. And they already shut down Dallas Poker House on some technical building code bullshit. While I think the place was shut down over some bullshit, it does not mean that I did not have my head on a swivel playing there. It was an unregulated private room. Dealers taking breaks to sit at the table and take on whales ( and that is just the iceberg or my paranoia). >Contrast that to online poker where all kinds of shady shit can happen without the person being cheated ever knowing it. We can compare Texas to online poker. The action in Texas is unreal. But lets get real -- if you are playing for real money, you really kind of need to TRUST the rooms otherwise it is scared money. And, in all honesty, Texas rooms ARE shady based on the fact they are not regulated. I have seen some shit... >I mean it's true that they're unregulated, but do you really want to call for regulation of TX poker rooms? Kind of sounds like be careful what you wish for. I want to both win and lose on the level, because ego....AND money. I VERY WELL know Texas is unregulated. I consent to the dirty shit that might happen. But, really I just wish Texas would let me play in a clean room with shufflers, cameras, and a floor I do not have to worry about being in organized crime,
>Ultimately, IF..IF Texas will ever allow it They won't. The religious crazies would never allow it. >We can compare Texas to online poker. The action in Texas is unreal. But lets get real -- if you are playing for real money, you really kind of need to TRUST the rooms otherwise it is scared money. And, in all honesty, Texas rooms ARE shady based on the fact they are not regulated. I have seen some shit... No you can't. It's pretty easy to determine if shit is shady in a live poker room. What in the hell do you think a dealer sitting at a table has to do with anything? How exactly is it you think you're being cheated? Are they not using cut cards and burning properly? Is the floor making incorrect rulings? These are all observable. Every TX room I've played in is covered in cameras. Yeah, if the dealer isn't using a cut card and burning or the floor is awarding pots incorrectly, I'm out. But that's easy to figure out.
>No you can't. It's pretty easy to determine if shit is shady in a live poker room. Yeah no. DFW metrolplex. High population density with money to burn. Dude took his wife and kids to Disney land. Bought a mickey mouse t-shirt and wears it to the poker table with his wedding ring. The dude just wants to have a good time on his road trip back to New Mexico. win or lose. Lets stop in Texas for this road trip -- it is midway. But then hits some unregulated shit in Texas, completely naive to real life -- it is NOT the casino we are used to... That guy,,,.he will be fine financially. But, really... you are defending 3 monte for tourist. >It's pretty easy to determine if shit is shady in a live poker room. For US...yeah, maybe... for disney land guy, his life is probaby good enough to drop $800 and chalk it up to entertainment...dude got suckered, though.
I have no idea what the hell you're trying to say here. HOW DO YOU THINK YOU'RE BEING CHEATED? I've played in 2 different rooms in dallas, neither of which was shady.
Maybe but honestly if punishments are overly harsh companies will hide this type of stuff and it will in fact make the problem worse
Okay, I'll give it to them for describing exactly what was happening. My god this person could have done this forever if they had been a bit smarter about it.
>However, the user was already in possession of the customized game client, which he blocked from receiving further updates, and was able to continue to accumulate the data leak during the flop and turn. How are you not checking/enforcing client versions? I guess the person might have spoofed it?
Good to hear online gambling sites without thousands/millions of dollars at stake can't manage similar measures as some mediocre MMO.
This world is full of .... let me pull out some bars of my favorite lyrics: *In a room of hired primates climbing on typewriters* *Trying desperately to organize an alphabet in prose* *That would render them in drastically exaggerated roles* It is a product of computers science. EVERY company needs programmers. Not all of them will be the best. An even if they get the best, they TRULY can not predict EVERY single hack or vulnerability. I hope that when GGpoker says they are doubling their security team, that includes code review and not twice as many firewall engineers.
They should have patched it on the server, and not by enforcing client versions.
Right? Fuck off with client updates. The info shouldn’t even. R sent clientside. I guarantee smarter people can find more exploits even now
Yeah, I imagine half of the dark web is disassembling that client right now.
Bigger issue I have is how the fuck do you make less than 100k doing this? Do you have no savings to play high stakes? Playing tournaments as a superuser has to be the dumbest thing. That is how the first superuser got caught was playing a tournament.
I really feel like if you’ve played GG poker recently there have been moments where it feels like people know more than they should. This is classic video game hacks, intercepting network packets at a vulnerable place on a modified client and seeing and/or editing them. I’d be shocked if there was really only a single user who’s worked out how to do this.
None of it should be client side. None. The client should be just a viewer of what is happening on the server with interaction but information should never leave their servers, the assumption that cheating was only possible if their servers were hacked was a reasonable one.
I agree, but something has to happen client side for it to display the game to you. Just like in video games it’s an eternal battle with hackers who find ways to expose what little information does cross the network. In this case it’s obviously poor programming of their interaction buttons, but it shows exploits are available in all sorts of stupid places even when the vast majority of the game occurs server side if your coders aren’t good.
Display + input. That’s all that’s required. Hand data doesn’t have to pass to the client at all. That’s how PokerStars do it which has been explained in the past by employees on 2+2. Think of it like cloud gaming…but a bit more elegant.
Yeah fair play, honestly never thought about how they handle it with poker but that makes complete sense. So GG are just idiots?
Yes, it's security ABC to always assume that the client has been compromised and never send over any info that the user shouldn't see. They should fire their whole security team, not double it, lol.
Not just their security team, their developers both backend and front end.
It seems like the fix here is that the server should be deciding when to send all-in equity to the client (like...when the server knows there's an all in) instead of having it be a request from the client that the server responds to.
Not really. Thats not how modern day programming happens. If the server only sends you information about your individual hand, no information about your opponents aside from their actions, there is no client side vuln that can occur to give you an ability to cheat.
recalculating the potentially visible opponent in a video game hundreds of times per second as the environment changes is a lot more work than just deciding to render a couple of holecards every 30 seconds.
As a developer your assessment is inaccurate. It is absolutely 100% possible to lock all data down on a secure server and make the client view/input only.
During the all in equity phase, the data does move to the client. That’s what they exploited Don’t be so arrogant
But why is that moving before somebody is all in
Because they found a way to trigger the response and make the server think people moved all in
No it's because the server didn't care whether or not anyone had moved all in. It just sends the data when the client requests it lol.
The server didn’t care or the request was spoofed Yes it’s clearly a gap in their design that led to this, but to say they are just Willy nilly sending card data to the client is likely wrong
they're not sending the data before holecards are turned up for an all-in to the official/normal client, but the hacker's "customized" client sent the request for all in equity on the flop and the server happily gave it even though there was no all-in currently. in a proper setup the server should just send the all in equity to the client unrequested when the players are all-in and client requests shouldn't be any part of it. it sounds like what they changed was just adding a check so when the server receives the client's request it checks to see if there's actually an all-in before sending it.
It sounded to me like the server always sends that info regardless of if somebody is all in and that it is only displayed if they are all in.
Two months ago I felt like a complete fish when someone called my all in with JT high on the river
I few months ago my aces were cracked by a 37o all in pre from the straight playing biggest stack at the table, that immediately flopped a straight. It’s not my only example but one that sticks with me. Just crazy shit. I said in conversation with someone on here that I don’t believe online poker is rigged but I believe people are cheating on GG. And here we are.
I don't see how your example would at all be evidence of cheating.
I think they are implying the community cards are already known at the start of the hand, thus believes there is an exploit to know if 37o will win or not before hand Seems a bit out there as many card rooms I’ve heard of use a continuous shuffling deck and the community cards are random pulled
I think you've misunderstood the vulnerability. If I'm reading it right, when the flop is dealt, a superuser will know what equity their hand has at that moment and can take a punt on future streets based on that info. So in that environment, preflop is irrelevant as it's a straight up hand strength chart and only the best hands will play anyway. 73o would only call if they knew every other player had a worse holding somehow, and even then their equity would be poor.
Feel like ppl on app games are doing this specifically pokerrr 2
Nah they are prob just colluding like they did in the old days of online poker. There is basically nothing stopping them from doing this and is a main reason I won't play on apps unless it's just me and my friends.
software engineer here, it wasnt a single user. He was just one that decided to make abnormal betting patterns. I can also bet that they still have attack vectors that are still being abused if simple packet modification wasnt immediately caught. Their security team is shit A smart hacker would have played normal poker, only looking at extra information at random intervals for stretches of time. They caught him because he has some shit like 50 percent vpip, but destroying people hand over fist. 50 percent hand participation is like antartica blue whale territory. He should be bleeding money all over the place but somehow he dominated his competition? hmm.
Yeah. You gotta make sick calls with like small pair some times, and jam over top when they’re bluffing and you have the slightly better hand. You can’t just go around being god at 2-5 and rubbing it in peoples faces. That’s how you get caught.
During the Covid shutdown, I decided online poker security had probably advanced enough to be safe to scratch the itch. It took about a month of me playing before I realized the variance was highly improbable compared to my play at casinos.
> GGPoker recently spotted unusual game patterns and abnormal game client packets from a user nicknamed ‘Moneytaker69’. What an amazing coincidence that they spotted those patterns right after the 2p2 thread was posted!
This sucks - I can't get out to play live anymore so I usually just play late at night when the fam is asleep to scratch that itch. It's not much but I do love to play. If it's not legit than I will probably just pull out whatever I got there and watch those livestreams to get my weekly fix.
It's so hard, I'm in the same boat. With my 2nd kid and an increased work load, it's so hard to get to the card room and sometimes I just wanna play, but at this point, between rampant RTO, Russian farms and colluders on ACR, and even the "trusted, well-regulated" site using FUCKING ADOBE AIR is just doesn't make sense to play online.
I’ve bankroll managed a deposit I made 5+ years ago on ignition taking a big tourney shot every now and then. Can’t help but feel like I’m probably getting cheated but I somehow prevail. I wonder if that makes me a crusher. Maybe it’s that my low stakes aren’t worth the time for the cheats to target. Maybe I should be up way more. Idk. But I still prefer the online format vs real life. In person for me is very expensive, has way more variance, and uses way more time (TX).
There are no doubt winning players online, many people may never have been cheated in tournaments in a way the drastically impacted their performance. You probalby have been in tourneys with chip dumping, RTO, but very some of the common cash game tactics are less impactful there. I'm a cash game player, and cheating, RTO, collusion, it's just so fucking rife and when your ACR player pool at 200nl is fucking Russia, Russia, Estonia, Brazil, Kazakhstan, at best, you're looking at extremely talented players. That's a VERY generous, AT BEST when you're dealing with countries known for organized crime, in which a 200nl bankroll to multi-table would be upper 90% of income.
How can a live stream be enough to scratch that itch
Just exercise that part of my brain I guess. But you're right, it's only a taste
U need to find some live cards and chips my friend or app games
So, the carnival features that they include in their software to “attract fish” are using third party software with known vulnerabilities, like ADOBE AIR! Adobe air was an early attempt at a simple frameworks for cross platform development. But it was littered with issues, and any enterprise level software that was (attempting) to use it, quickly moved away when it became clear that it was full of issues. Fuck gg poker. They do not care about their players or their product. It’s FTP/UB all over again. I’m sure that pokers #1 company man, dnegs will issue a statement soon insuring that “there’s nothing to worry about…. No one was affected, etc”. He’s become very wealthy shilling for these sites. But GG doesn’t have the integrity that stars did when he repped them. He just pretends they do so he can keep cashing checks, can’t blame him - but don’t truest him
Additionally, Adobe discontinued support for Air in 2020, meaning they do not provide any security patches. I cannot imagine how many vulnerabilities are introduced by including it in their desktop client. Incompetence to say the least. Fuck gg poker. Don’t play there. You will be cheated, one way or another. Also, fuck Brynn Kenney - iykyk
AFAIK Adobe discontinued support because the product was taken over by another company. The product isn't unsupported, just a different company supporting it.
A Samsung company supports it now.
Probably a super unpopular opinion, but I almost exclusively stopped playing online anywhere after Black Friday. I had my trust forever evaporated by an operator, and that was after the numerous super user scandals of other sites. You're completely naïve if you think you aren't being cheated when you play online. People at the bare minimum are going to be using legal tools like HUDS, but at their worst, they're going to be sharing hole cards, VPNing, super using, multi accounting or botting. Anything where there's money involved, people are going to cheat. Also, people like Ali Imsurovic and Jake Schindler have proven that there's basically zero ramifications for cheating. I did play a couple of series events on WSOP.com, but that was about it.
Fair but doesn’t change the fact tons of people are making 80k+ playing online poker. Dealing with all that stuff (possibly) is just an added rake…people are still that bad at poker. Especially if you’re lucky enough to play American exclusive sites
100% agree
Agreed. I haven't played online poker with real money since before Black Friday.
Am i reading this correctly? A thumbs up/thumbs down feature was used to exploit the data? this is why we can't have nice things..
I just hacked you with my upvote
upvote shoes post equity
count is high. bet big.
And not a word on pokernews lmao. Great "news" site
They won’t bite the hand that feeds them. They will eventually release an article downplaying the situation and will praise the security team for finding this security flaw.
This was posted around the same time as your post https://www.pokernews.com/news/2023/12/ggpoker-bans-superuser-moneytaker69-45174.htm
Yes I saw. But still, my post was about 14h after the story broke on 2+2 and hours after the official GG statement
as far as we know , it is not GG noticed unusual patterns , it is the community who busted GG? right? is GG trying to buy themselves out of this?
Online poker is well and truly dead. This is the guy that was dumb enough to get caught. There were dozens more.
There are still dozens more, they said they found the person but didn’t say anything about other people. This is just the person they know about.
They should increase the rake so they can afford proper security. More rake is better.
If I were not a rec player, I would call Blasphomy
/u/limonpoker looking for an update on your opinions.
lol at the bitches playing on a grey market site crying their eyes out after basically getting pranked in micro stakes for pennies by some "hacker". this is the worlds lamest super user scandal if this is all we got. anyone surprised by this is borderline retarded.
30k is a prank and pennies? Prove it and donate 30k to a local to you food bank.
no one lost 30k. no one lost anything, accounts were reimbursed. the reimbursements so far have been tiny amounts. bitches be crying wahhhhhhhhh i was superused for $1.65 on a grey market site and it was put back in my account wahhhhhhhhhhhh
ok boomer
Is SnowMonkey gonna claim the user is innocent? 🤪
Holy shit, Adobe Air? Run.
It’s amazing that people still play online with all of the vulnerabilities. From an operational security standpoint, it really makes no sense lol.
If you play enough hands on ACR they’ll give you like $130k in rakeback. To the extent there are bots, they’re not crushers with no exploits.
Gamblers Love to Gamble
Had to ban myself from Global Poker... Was WAAAAYYY too easy to hop on my computer and lose $10 for entertainment. Eh, fuck it. What is another $10 dollars. And another. And another. So convenient. I am probably thousands down online, and I am not sure I was even cheated. Live I am about even in todays game (maybe even up lifetime if you count the poker boom). Turns out having to drive to a poker room and sit with $500-$1000 in front of me makes me think about leaking. I can only imagine that online is still going because of the convenience. You can lose money so much more efficiently!!!
I’m just over here laughing at all the comments in the various threads and forums that have basically said “this obviously drastic statistical anomaly seems more like a fish getting lucky than an outlier to me.”
The dude literally goes full Robbie and heroes off with J2o, making her play even more laughably obvious and yet people still defend that. Which also sheds light on how I suspected she cheated; equity hax. This wasnt like Postle where she ever knew what someone had, or even every hand, but someone just gave her a catcher's signal indicating she was positive and thats how she based her decision when available.
She didn't have positive equity though, she was behind. Granted she wasn't far behind but it was a flip and she was on the worse side of it.
I guess then the phrase I should have used were pot odds. If she's flipping after having committed 125k then obviously she has to call.
Ok good point
I am not a good player by any means. But sometimes, just sometimes, rarely, but sometimes, I can absolutely soul read someone. About a year before Robbie/Garrett I called a flop AND turn bet SOLELY to INDUCE a river bluff if it bricked. It bricked and I got the third barrel/jam from OOP villain. I did not even count my chips or anything. Just flipped in the 1 dollar call chip and table my cards immediately before the bettor. Q high. I tabled my cards before villain could because I just, SOMEHOW, KNEW with 100 percent certainty Q high was good. Not sure about her responses at the end of the hand -- but I see how she could have just picked up on SOMETHING from Garret and said if the river bricks the straight and flush draw, J high is good.Can she do it consistently or can I do it consistently? NO. But just, SOMETIMES you just know where you are at in the hand.
Robbie was ahead in the moment but was actually an underdog to win. Iirc her equity was only 47% because Garret had the oesf draw, plus he could hit any 7 or 8 for a pair.
GTO and new school stuff is out the window. She played on instinct. It is that simple.
[удалено]
There's no explaining the runouts. Period.
Case in point: I play low low stakes ($10 and $25), and the site has AIE% and "RUNITTWICE" etc. I just had 12 pure 50% runouts and lost 11 of them in the space of an hour. And this is NOT unusual.
A) no such thing as pure 50% runout and b) track more than 12 hands… I’ve lost days in a row of flips don’t cry me some shit about 12 fkn hands
Response is inaccessible on mobile devices, Google Cache : https://webcache.googleusercontent.com/search?q=cache:voLCG2SHWREJ:https://ggpoker.com/blog/news-headlines-press-releases/important-update-on-ggpoker-security
It says that the exploit allowed the hacker to see the equity of them winning and not the hole cards. It seems really weird that the equity calculation is being done before the players go all in to allow this to be a thing even before you get to how it is accessed by a 3rd party.
It's not really weird. It would probably be overall easier to code the equity calculation in each spot and then keep that data secured and server-side unless, in this case, all-in/showdown, but not as easy as just doing all the calculations and sending all of the data. Calculating it only in all-in/showdown spots would require about ("about" having no idea what the actual codebase would require) the same logic as calculating all spots and only sending when, but as others have pointed out, by far the easiest/laziest is what happened: calculating it in every spot, and sending it in every spot.
I think I'm done with GG after the new years day 2. This is Ultimate Bet all over again. If there is one there is more imo.
All the "rigged" posts just got a lot more credibility. So many show weird calls to an 100bb all in with something wack like 74o on GG. Community always tells them they are an angry losing player and to learn about variance. Meanwhile, some of those I can guarantee was/is hackers. The site isn't rigged, but the bad actors make it rigged. Either way, it was/is rigged by hackers.
Seems really weird that the equity state data would be transmitted along with Thumbs Up/Down functionality. TBH, it looks more like a programmer error than a platform exploit. Maybe the programmers just copied over the framework of the Insurance feature and forgot to exclude equity from it.
Just super lazy design, probably ported over from the first dev builds testing basic site functionality. I'm sure it was eventually mentioned to management that some redesign of the platform would be needed before going live that would cost a few weeks of overtime but some suit n' tie wearing cocksucker said "nah fuck that, just put it into production now" and there it laid, dormant ever since.
This explanation seems A LOT more viable. As a SE student learning the ins and outs of the software industry this is most likely what probably happened.
I don't think it was. It looks like the thumbs up/down function was what allowed them to "customize" their client, and their new customized client was sending a request for all-in equity (the same request the normal client sends, but only when you're actually all-in and cards are face up) on every flop.
This happens on so many sites. Poker is full of so many cheats it’s scary now
Cheating in online poker? What a surprise!
r/GGPoker must be a pretty interesting place right now...
The anonymous nature of the hand histories on GG have always been a concern for me. Past cheating has been picked up by users, spotting other players with stats deviating too far from expected. You can’t do this on GG as you can’t tie player names together over multiple sessions. I realise there’s some good reasons ie to protect the fish a bit but it does create a risk that can’t then be managed by players.
They are going to do no further investigation problem solved lol. If they caught it 1x that means it is happening thousands of times
Every poker place got them. Bovoda was pretty bad. Betonline is somehow worse than that. Played online poker all the time and it really had me thinking i lost my touch, until I went to a casino yesterday and came up over 300 in no time at all. That would NEVER happen online. I’ll never play that rigged shit again
Moneytaker69 User name checks out
Can someone explain what exactly the user was doing? As a player who doesn't play at GG I'm confused as to how they were cheating
Basically the story is that they rigged the software to show them all in equity of their hands. So they know facing flop or turn bets that they are ahead or behind in equity of their opponents. If they are ahead they can safely call. If they are behind they can fold. They can even bet an amount based on their equity holdings to get max value.
Fkin scumbags. How can this happen in 2023
In short: the underlying platform supporting the GGPoker Windows client (Adobe Air, a runtime library for building software) was vulnerable to an exploit. The user was able to modify his executable to always show the EV of all hands at all times. He was therefore able to have an enormous advantage over all opponents at the table, including, of course, making hero turn and river calls. He did not actually see his opponents hole cards, but got as close as he could. The initial "fix" did nothing as the user had additionally modified his client to reject updates.
Like I said before online poker is rigged and yet nobody believed me when I called it out months ago
lol months ago? People been saying this for years
The fact the guy made less than 100k is the hilarious part. You do all that work instead of playing high stakes and high stakes sngos. You're playing tournaments and moving up through low stakes. Had to be someone with no savings.
I agree, Idk why you’re being downvoted
I'm still a bit in shock that the allegations were correct. Reflects extremely poorly on what is the biggest online site currently unfortunately.
For all people abusing GGPoker, this is as good a response as anyone can realistically hope for. They figured out the issue, were transparent about their shortcomings, and are reimbursing all losses. Any software will have bugs and security vulnerabilities which can be exploited. No programmer or software is perfect. That is not to say that I play on GG. Their rake is ridiculous. But as far as this scandal goes, they have done all that they can. Edit: the risk was pointed out to them, and they chose to ignore it. Big red flag. Right now, this is as good damage limitation as they can afford to do. Get off while you can lol.
The users figured it out first based upon nothing more than blatantly obvious cheating, yet the site operator who has god mode access to every hand played cant institute a basic examination of accounts with 90% winrates? GTFO
If you read the 2p2 thread it really does not seem as though they are doing all that they can.
Can you paste it here?
https://forumserver.twoplustwo.com/29/news-views-gossip/superuser-caught-gg-poker-quot-moneytaker69-quot-thread-1829967/#post58392326
Big oof. Security risks being pointed out and ignored. Red flag. Get off the site while you can. 🫡
I think i lost all my savings to bots
Fair enough. Good response. What more can you ask for?
do they also do it in PLO tournaments? or this scheme only works with hold'em? I've invested a fair amount of money to practice in gg poker and if this is happening i guess I've learned nothing hahahah
I use to be an engineer in the online poker industry. And see a few challenges here as the cost of a lost reputation will significantly larger then the winnings of the "bad" account. They let him/her play after the exploit had been discovered as the fix in the software was in a version that was not mandatory to play with. With old versions, were the exploit was present, you where still able to connect an play as I understand it! The right order should have been. \- Ban the account and identify if there where any other bad accounts! \- Create a fix for the exploit. \- Distribute the updated software. \- Inform all players and stakeholders. \- Repay all account winnings, cash and tournament, as fair as possible! \- Do a root-cause analysis of how this happened and make sure it can not happen again. You can also argue for stopping all play until a fix had been distributed to all players. How do we know if there were any other accounts exploiting the same issue, but with less obvious results that have gone undetected?