‘World’s Biggest Casino’ App Reveals Customers’ Personal Data


A startup that developed a phone app for casino resort giant WinStar has secured an exposed database that was spilling customers' private information to the open web.

Oklahoma-based WinStar bills itself as “the world’s largest casino” by square footage. The casino and hotel resort also offers an app, My WinStar, in which guests can access self-service options, their rewards and loyalty benefits, and casino winnings during their hotel stay.

The app is developed by a Nevada software startup called Dexiga.

The startup left one of its logging databases on the Internet without a password, allowing anyone with knowledge of its public IP address to access the WinStar customer data stored inside using only their web browser.

Dexiga took the database offline after TechCrunch alerted the company to the security flaw.

Screenshots of the My WinStar application. Image Credits: Google Play (screenshot)

Anurag Sen, a bona fide security researcher with expertise in finding sensitive data inadvertently exposed on the Internet, found a database containing personal information, but it was initially unclear who the database belonged to.

Sen said the personal data included full names, phone numbers, email addresses and home addresses. Sen shared details of the open database with TechCrunch to help identify its owner and disclose the security flaw.

TechCrunch examined some of the exposed data and verified Sen’s findings. The database also contained a person’s gender and the IP address of the user’s device, TechCrunch found.

None of the data was encrypted, although some sensitive data — such as a person’s date of birth — was redacted and replaced with an asterisk.

A review of the exposed data by TechCrunch found an internal user account and password associated with Dexiga founder Rajini Jayseelan.

Dexiga’s website says its tech platform powers the My WinStar app.

To confirm the source of the suspected spill, TechCrunch downloaded and installed the My WinStar app on an Android device and signed up using a phone number controlled by TechCrunch. That phone number immediately appeared in the open database, confirming that the database was linked to the My WinStar app.

TechCrunch contacted Jayseelan and shared the IP address of the exposed database. The database became inaccessible after some time.

In an email, Jayseelan said that Dexiga has secured the database but claimed that the database contained “publicly available information” and that no sensitive data had been exposed.

Dexiga said the incident was triggered by a log migration in January. Dexiga did not provide an exact date for when the database became exposed. The open database contained daily logs from January 26, when it was secured.

Jayseelan would not say whether Dexiga has the technical means, such as access logs, to determine whether someone else accessed the database while it was exposed to the Internet. Jayseelan also would not say whether Dexiga notified WinStar of the security flaw or whether Dexiga would notify affected customers that their information had been exposed. It was not immediately known how many people’s personal data was exposed in the data spill.

“We are investigating the incident further, continue to monitor our IT systems, and will take necessary future action accordingly,” Dexiga said in response.

Jack Parkinson, WinStar’s general manager, did not respond to TechCrunch’s email requesting comment.
