Found this, seems a bit unreal (although with it being betfair nothing should surprise)
p.s.
Anyone know Peters' email and dob?
Betfair security issue
-
tomallen123
- Posts: 113
- Joined: Mon Nov 01, 2010 1:52 pm
http://www.troyhunt.com/2015/04/happy-b ... in-to.html
Found this, seems a bit unreal (although with it being betfair nothing should surprise)
p.s.
Anyone know Peters' email and dob?
Found this, seems a bit unreal (although with it being betfair nothing should surprise)
p.s.
Anyone know Peters' email and dob?
There is actually another related, but potentially more serious flaw which has been posted on Reddit today:
http://np.reddit.com/r/webdev/comments/ ... rt/cqse31g
Full thread in context:
http://np.reddit.com/r/webdev/comments/ ... r_support/
It seems they've "fixed" the flaw in the past hour, but basically, you could reset anyone's password with just their basic information by redirecting the password-reset email to one in which you control.
If anyone has received an unprovoked password-reset email from Betfair in the past few weeks, then I strongly suggest you check your security information with them and change your password immediately.
It's no surprise that people keep having their accounts emptied. With shoddy programming like this in the most important "secure" areas of the site, it's almost inevitable that there are plenty of other similar issues around which the hackers are aware of but are not yet published.
http://np.reddit.com/r/webdev/comments/ ... rt/cqse31g
Full thread in context:
http://np.reddit.com/r/webdev/comments/ ... r_support/
It seems they've "fixed" the flaw in the past hour, but basically, you could reset anyone's password with just their basic information by redirecting the password-reset email to one in which you control.
If anyone has received an unprovoked password-reset email from Betfair in the past few weeks, then I strongly suggest you check your security information with them and change your password immediately.
It's no surprise that people keep having their accounts emptied. With shoddy programming like this in the most important "secure" areas of the site, it's almost inevitable that there are plenty of other similar issues around which the hackers are aware of but are not yet published.
-
tomallen123
- Posts: 113
- Joined: Mon Nov 01, 2010 1:52 pm
The answer to my security question was changed last july, I contacted betfair who couldn't tell me how this happened.
I have a strong password, 2 step authentication and nobody knows my username
I have a strong password, 2 step authentication and nobody knows my username
-
spreadbetting
- Posts: 3140
- Joined: Sun Jan 31, 2010 8:06 pm
The return email address was in a hidden form field 
I remember snooping around the html code years ago and came across all their poker stuff they were due to launch. I posted on a message on their forum which got deleted asap and received worried calls from high up asking how I knew about it cos it was hush hush. Even when I told them it was hidden within the default html homepage they said it wasn't but would be removed. It was there all the way to the poker launch
Not surprised it still full of holes as the only thing they used to use to regulate fields sent to the server was a bit of javascript.
Here's Betfairs version of customer service when people help them with flaws.
https://twitter.com/psawers/status/591279641828143104
http://www.reddit.com/r/webdev/comments ... r_support/
I remember snooping around the html code years ago and came across all their poker stuff they were due to launch. I posted on a message on their forum which got deleted asap and received worried calls from high up asking how I knew about it cos it was hush hush. Even when I told them it was hidden within the default html homepage they said it wasn't but would be removed. It was there all the way to the poker launch
Not surprised it still full of holes as the only thing they used to use to regulate fields sent to the server was a bit of javascript.
Here's Betfairs version of customer service when people help them with flaws.
https://twitter.com/psawers/status/591279641828143104
http://www.reddit.com/r/webdev/comments ... r_support/