Programmer's Log

Wednesday, August 23, 2006

Yesterday I got an email from my supervisor about patching our Member Website. I totally didn't understand what he meant. After arriving at work, I asked him on what was going on; then series of mixparlay bet were shown to me and my colleague.

"Our System has holes"

That was the conclusion that we arrived. Some smart a**es figured out the way, we sent information to our server to process mixparlay bets and exploited that.

A mix parlay bet is a combination of choices over many matches. In each match, a punter is only allowed to choose one product (one of handicap, over/under, 1x2, and total goal); at the moment we only offer that many products for mixparlay (Parlay betting explanation). For our company, a parlay must consist of 3 soccer matches or over.

In our ASP version, mix parlay information will be passed in the query string of an url; then send back to our servers for processing the bets (something thing like http://linkA?a=betinfoA_betinfoB_betinfoC).

In our ASP.NET version, mix parlay information is posted through a form then send back to the servers.

For ASP version, it is pretty easy just to change the query string link. For ASP.NET version, the punter could interfere with the posting action by creating a dummy post form. If exploiting this, the punter will pass through all our checking on the interface and creating sure win parlay combinations. For example, they could choose 3 same choices for a parlay, and the next one choose 3 choices of the opposite; dispite the results of the matches, the punter will win at least 1 combinations; and that win is enough to cover all the expenses and with profit.

... when it comes to money ... people are getting so smart at digging and finding holes ...

We immediately patched our systems for this vulnerability both in ASP and ASP.NET version. We implemented 2 more levels of checking the duplicate match in processing bet level and in database level, and of course, update immediately into production servers.

Testing servers were set up for our CSD to test our new position taking functionality on our agent system as well. 2 web servers were deployed with newest code from the development, and database server with newest data from production servers. I wonder how CSD were doing at the moment. Once the test is done, 1h downtime of the system will follow in order for us to run an update on the database and on the interface code.

External Admin was also updated; new functionalities launched. I'm checking how it runs at the moment. Better than the old version, there is no complain yet so far. From feedback of our operations, external people liked the new version. I cross my finger and wait for things to land on our to-do lists; when the customers like it, they will definitely throw at us a series of IMPROVEMENT requests ... "you can do that, now please do this for us" blah blah blah ... and I got 3 new requests already on my table for tomorrow.

On our schedule, I have to continue launching 2 more member websites in the set of 10 sites that we are operating now. This will be to be determined tomorrow.


Post a Comment

<< Home