The mobile app for the ‘world’s biggest casino’ had some major security flaws

The mobile app for the “world’s biggest casino” was sending customers’ private data to a database that was sitting on the web without a password, available for anyone who knew where to look. 

The My WinStar app was designed as a companion app for people visiting the WinStar casino and hotel resort in Oklahoma, US, known as the largest casino in the world by floor area.

Customers could use the app to access various self-service options while staying at the hotel, redeem rewards and loyalty benefits, and even collect casino winnings.

Publicly available information, or sensitive data?

The database was initially discovered by security researcher Anurag Sen, who also found an exposed email server hosted on Azure that belonged to the US Government in February 2023, as well as an exposed Amazon Prime database in October 2022. In all those cases, as in this one, Sen did the same thing – he tipped off TechCrunch about his findings, which then helped identify the database’s owner.


In this case, as TechCrunch was going through the database to confirm its authenticity, it found data belonging to Rajini Jayaseelan, founder of Dexiga, the tech startup that develops and maintains My WinStar. The researchers then signed up on the My WinStar app and, lo and behold, their data immediately appeared in the exposed database, confirming its owner.

Commenting on the findings, Jayaseelan said Dexiga only kept “publicly available information” in that database, and that it held no sensitive data. However, the exposed records contained people’s full names, phone numbers, email addresses, and physical addresses.

Soon after the discovery, the company plugged the hole and secured the database.


There is no telling how long the database sat there unprotected, but at the time it was secured its rolling daily logs dated back to January 26, TechCrunch confirmed. It also remains unconfirmed whether anyone else accessed the database before it was locked down.

“We are further investigating the incident, continue to monitor our IT systems, and will take necessary future actions accordingly,” Dexiga noted in response.

More from TechRadar Pro
