Baazi Games was established in 2014 with the aim of offering online gaming to people in India. They created several games, including PokerBaazi, CardBaazi, and BalleBaazi, that blended fun gameplay with the opportunity to win real money. These games became popular and well-known quickly.
PokerBaazi is part of Baazi Games and it says it has over 7.5 million active users. It was started by Navkiran Singh, Varun Ganjoo, Anirudh Chaudhry, Avneet Rana, and Puneet Singh in 2014. They created India’s own online poker platform, PokerBaazi.com.
However, PokerBaazi recently faced a significant security lapse when it was discovered that an internal database containing sensitive user information was left exposed to the internet for more than 2 months.
The exposed data contained:
full names,
email addresses,
location,
OAuth tokens and
internal logs.
This exposure was due to a misconfiguration in the system, and the data could be easily accessed by anyone who knew the database’s IP address. The exposed data was more than 6 GB in size as of 11-Feb-2023 and was still growing.
As no basic authentication was enabled, all the data was exposed to anyone who knows how to use that particular logging system.
This security incident was reported by security researcher Anurag Sen and was brought to the attention of PokerBaazi through XposedOrNot. Though it was initially communicated by Anurag Sen through his Twitter account, neither the corporate account nor the CEO responded to repeated requests.
Anurag Sen tried to contact PokerBaazi through email and Twitter, but didn’t get a response or an acknowledgement. I also sent an email to the executive team, but as of now, I haven’t received a reply. The exposed data is still available on the internet without any protection.
While this security lapse is concerning, it is even more disheartening to see that PokerBaazi did not respond to the notification by the security researcher. That means the exposed data is still not contained and customer data is still being spilled. This shows the lack of a defined security incident response mechanism within Baazi Games for handling such incidents.
This incident serves as a reminder of the importance of ensuring that sensitive user information is properly secured and protected. It is also a timely reminder of the need for regular security audits and the implementation of best practices to minimize the risk of data breaches.
We notified the organization in India that helps with cyber security problems, called CERT-IN, about the problem.
We don’t know if anyone else found the information. It’s important for people who play PokerBaazi to change their password and turn on extra security steps, like two-step verification.
Update from Poker Baazi communications team Feb-13: The communication strategist claimed that the server exposed did not contain any customer data and the server in question was used only by internal testers and developers.
The exposed server was removed from direct internet access after speaking with the Technology Head of Baazi Games. The question still remains open: if it’s an internal server used for testing, why was there no access control filter to allow only specific sources to reach it, and why was basic authentication disabled when it was exposed to the internet? Also, we are still not sure why the team did not communicate with the security researcher when he initially reached out to the Poker Baazi team a week back.