The key is under the mat…

… next to the admin credentials for various BetVictor systems.

UPDATED — 2nd July 2018, 13:50 (GMT+1)


Every single one of you reading this has a password — hopefully more than one. You take care of your passwords, ensuring they are strong and secure. But you are just one person looking after your own life. Imagine the passwords of multi-million dollar organisations. They must be even stronger and more secure, right?


Hello BetVictor.

For those who are not familiar, BetVictor are a large betting and gaming website. With estimated turnover in excess of £1 billion and half a million customers in more than 160 countries around the world, they also partner with Liverpool Football Club and regularly advertise eye-grabbing promotions, such as their “£1 million bet” offer during the FIFA World Cup.

Our story begins on June 26th, when I went to the BetVictor website looking for some specific information. The back story is not important. Needless to say, I couldn’t immediately find what I was looking for. So, I clicked the help button. It was sitting in the bottom right-hand corner of the homepage.

The BetVictor website, with the help button in the bottom right corner

Live Chat, E-mail… I don’t really need to speak to anyone. “Learn More” — could be a knowledge base? Maybe I can search for what I need there.

BetVictor’s help options — Live Chat, E-mail or Learn More

The articles are missing. Gone. That’s very helpful. But wait, there is a clickable search icon in the top-left corner of the modal. Maybe I can still search for what I need?

BetVictor has no articles... maybe…

A search box — great! I type what I’m looking for into the box and hit search.

Note: for the purposes of this article, the actual information I required has been altered. The end result remains the same.

Results! Not many, but there is something that looks like what I need…

Those missing BetVictor articles? Turns out they are still there…

Well. That doesn’t seem right. It’s very honest and not exactly customer-facing. Maybe that’s the image the company wants to portray? No, that can’t be it. This looks like an internal company document. Weird…

Honesty is the best policy…

I wonder if there are any other documents which would be considered internal or confidential? It wouldn’t be great if more procedures or policies were available for all to see. Embarrassing. Let’s just do a quick check to see if this is something we need to make BetVictor aware of…

Searching for other internal documents... oh. Whoops. Logins you say?

Oh.

It can’t be. Can it?

They wouldn’t. Would they?

*facepalm*

A small, heavily redacted sample of the logins displayed for all to see

I think that’s the digital equivalent of leaving the key under the mat. Information about BetVictor’s back-end systems and portals — usernames, passwords, URLs — is there, just a few clicks away, right on the homepage.

Yikes.


So what did get exposed? Well, it’s difficult to say.

None of the credentials were tried or tested, so it is not known whether they are current; however:

  • 27 different URLs listed, of which 22 appear to be available externally
  • 19 username and password combinations, with 5 passwords being identical or nearly identical to the username
  • 11 passwords appear in the Pwned Passwords data set
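As an added illustration (not code from the original post), this is how a defender could triage a recovered credential list the way the findings above were tallied: a Pwned Passwords style check that only ever needs the first five characters of the SHA-1, plus a check for passwords that are identical or near-identical to the username. The credentials and the range responses below are constructed placeholders, not BetVictor data.

```python
import hashlib
from difflib import SequenceMatcher

# Constructed sample credential list (placeholders, not the real leaked data).
SAMPLE_CREDENTIALS = [
    ("tradingadmin", "tradingadmin1"),
    ("support_ops", "Xk9#vLm2!pQ7wz"),
    ("reports", "password123"),
]

def sha1_upper(password):
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

def parse_range_response(text):
    """Parse the 'SUFFIX:COUNT' lines a Pwned Passwords range lookup returns."""
    counts = {}
    for line in text.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep:
            counts[suffix.upper()] = int(count)
    return counts

def pwned_count(password, range_text):
    """k-anonymity lookup: the 5-char prefix selects the range; the 35-char
    suffix is matched locally, so the full hash never leaves the auditor."""
    digest = sha1_upper(password)
    return parse_range_response(range_text).get(digest[5:], 0)

def resembles_username(username, password, threshold=0.8):
    """Flag passwords identical or nearly identical to the username."""
    u, p = username.lower(), password.lower()
    if u in p or p in u:
        return True
    return SequenceMatcher(None, u, p).ratio() >= threshold

def audit(credentials, ranges):
    """Return one finding per (username, password) pair."""
    findings = []
    for username, password in credentials:
        prefix = sha1_upper(password)[:5]
        findings.append({
            "username": username,
            "pwned_count": pwned_count(password, ranges.get(prefix, "")),
            "resembles_username": resembles_username(username, password),
        })
    return findings

# Constructed stand-in for range API responses, keyed by SHA-1 prefix (offline demo only).
CONSTRUCTED_RANGES = {}
for _pw, _n in [("password123", 123456), ("tradingadmin1", 7)]:
    _d = sha1_upper(_pw)
    _body = f"{_d[5:]}:{_n}\n0123456789ABCDEF0123456789ABCDEF012:2\n"
    CONSTRUCTED_RANGES[_d[:5]] = CONSTRUCTED_RANGES.get(_d[:5], "") + _body
```

A real audit would fetch each range body from the Pwned Passwords range endpoint instead of using CONSTRUCTED_RANGES; the matching logic is unchanged.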

Included within the list were various trading platforms, support ticketing systems (both internal ones and those shared between BetVictor and their gaming partners), as well as an entry for “Experian” — an identity verification service.

With access to any of these systems, it may be possible to access sensitive company information and potentially even user-specific data.

It should also be noted that this was just one document located within the BetVictor knowledge base. With more extensive searching, further documents may have been discovered containing even more confidential data.

I wonder what odds I can get on your password security being better than BetVictor’s?


I figured this could be big. The GDPR has recently taken effect in the European Union and covers the protection of user data. If a bad actor had already found these credentials, would information have already been disclosed? BetVictor would need to act swiftly to avoid any consequences under the new laws.

I messaged Scott Helme, creator of Security Headers and Report URI, for assistance as I knew he had been involved in information disclosure issues before, plus he also works alongside Troy Hunt, the operator of Have I Been Pwned.

Scott was able to verify my findings and suggested locating the security contact for BetVictor. At 15:20 (GMT+1), I messaged their Twitter team asking for the relevant security contact details.

BetVictor use a generic e-mail address for their security reports

After a small delay waiting for confirmation of the contact details, the full write-up was completed and sent through to BetVictor’s security team at 15:57 (GMT+1).

Throughout the afternoon, various parts of the affected website and system were altered to mitigate the problem, culminating in the removal of the “Learn More” button from the UI around 20:00 (GMT+1). The API endpoints were also changed to remove access to the documents and articles inadvertently disclosed.

At the time of publication, BetVictor have yet to acknowledge that the problem is fixed and have not indicated whether any systems were accessed or any user information was at risk. A follow-up e-mail was sent at 20:36 (GMT+1) on June 26th, and again at 12:33 (GMT+1) on June 27th, seeking confirmation.


BetVictor provided an initial direct response via e-mail at 18:07 (GMT+1) on June 26th, before the issue was resolved:

Dear Mr Hogben
Thank you for your recent email
We are investigating the matter as a matter of urgency and reviewing exactly what has happened.
Once again thank you so much for informing us.
Kind Regards,
[redacted]
BetVictor Contact Centre

UPDATE — 28th June 2018, 11:00 (GMT+1)

BetVictor offered some further details in response to press enquiries made by TheRegister:

We asked BetVictor if it could say whether it was dummy or test data rather than real login information. BetVictor offered the following.
“We cannot answer specific questions regarding the data that was available yesterday [Tuesday] through our help centre because we are still investigating exactly what happened with our third-party provider.
“What we can say is that the information was from an internal help section that was available for our Customer Service Teams in 2015.
“As soon as we became aware of the problem we disabled the Help Centre and prevented external access to any systems that had not expired.
“We regret what happened and are working with our supplier to prevent it happening again which is why we currently have no help centre available.”
BetVictor declined to elaborate further, citing an ongoing investigation.
“We are conducting intensive investigations to ascertain exactly what happened and what the implications are, until such time as this is completed will not be able to answer any questions around this issue,” it said.

UPDATE — 2nd July 2018, 13:50 (GMT+1)

I have written a second post outlining the difficulty in obtaining any kind of statement from BetVictor surrounding this issue, and their apparent reluctance to provide reassurances to their customers that no information was at risk or ever exposed.

You can read it here:

BetVictor exposed their admin passwords; won’t reassure people their data is safe…


Timeline

  • Jun 26th, around 14:00 (GMT+1) — Information disclosure issue on BetVictor discovered
  • Jun 26th, around 15:00 (GMT+1) — contacted Scott Helme for assistance with the disclosure
  • Jun 26th, 15:20 (GMT+1) — first contact with BetVictor via Twitter asking for security contact details
  • Jun 26th, 15:57 (GMT+1) — full report with proof sent to BetVictor’s security team
  • Jun 26th, 15:59 (GMT+1) — automated response confirming receipt of e-mail
  • Jun 26th, around 16:30 (GMT+1) — contacted BetVictor via Live Chat to confirm receipt of e-mail by BetVictor’s Security Team
  • Jun 26th, 18:07 (GMT+1) — response from BetVictor’s management team confirming receipt of the report and stating investigation is underway
  • Jun 26th, around 20:00 (GMT+1) — Learn More button is removed from BetVictor’s website and API endpoints no longer return the internal docs
  • Jun 26th, 20:36 (GMT+1) — follow-up e-mail sent to BetVictor asking for confirmation of the fix
  • Jun 27th, 12:33 (GMT+1) — additional e-mail sent to BetVictor seeking confirmation of the fix
  • Jun 27th, 13:24 (GMT+1) — received further comment from BetVictor
  • Jun 27th, 16:00 (GMT+1) — this Medium post published and the issue disclosed publicly

Many thanks to Scott Helme for assisting with the disclosure of this issue!

If you require any further details, please feel free to drop me a line on Twitter.