‘World’s biggest casino’ app exposed customers’ personal data


Share post:

The startup that develops the phone app for casino resort giant WinStar has secured an exposed database that was spilling customers’ private information to the open web.

Oklahoma-based WinStar bills itself as the “world’s biggest casino” by square footage. The casino and hotel resort also offers an app, My WinStar, in which guests can access self-service options during their hotel stay, their rewards points and loyalty benefits, and casino winnings.

The app is developed by a Nevada software startup called Dexiga.

The startup left one of its logging databases on the internet without a password, allowing anyone with knowledge of its public IP address to access the WinStar customer data stored within using only their web browser.

Dexiga took the database offline after TechCrunch alerted the company to the security lapse.

Screenshots of the My WinStar app. Image Credits: Google Play (screenshot)

Anurag Sen, a good-faith security researcher who has a knack for discovering inadvertently exposed sensitive data on the internet, found the database containing personal information, but it was initially unclear who the database belonged to.

Sen said the personal data included full names, phone numbers, email addresses and home addresses. Sen shared details of the exposed database with TechCrunch to help identify its owner and disclose the security lapse.

TechCrunch examined some of the exposed data and verified Sen’s findings. The database also contained an individual’s gender and the IP address of the user’s device, TechCrunch found.

None of the data was encrypted, though some sensitive data — such as a person’s date of birth — was redacted and replaced with asterisks.

A review of the exposed data by TechCrunch found an internal user account and password associated with Dexiga founder Rajini Jayaseelan.

Dexiga’s website says its tech platform powers the My WinStar app.

To confirm the source of the suspected spill, TechCrunch downloaded and installed the My WinStar app on an Android device and signed up using a phone number controlled by TechCrunch. That phone number instantly appeared in the exposed database, confirming that the database was linked to the My WinStar app.

TechCrunch contacted Jayaseelan and shared the IP address of the exposed database. The database became inaccessible a short time after.

In an email, Jayaseelan said Dexiga secured the database but claimed the database contained “publicly available information” and that no sensitive data was exposed.

Dexiga said the incident resulted from a log migration in January. Dexiga did not provide a specific date when the database became exposed. The exposed database contained rolling daily logs dating back to January 26 at the time it was secured.

Jayaseelan would not say if Dexiga has the technical means, such as access logs, to determine if anyone else accessed the database while it was exposed to the internet. Jayaseelan also would not say if Dexiga has notified WinStar of the security lapse, or if Dexiga would inform affected customers that their information was exposed. It is not immediately known how many individuals had personal data exposed by the data spill.

“We are further investigating the incident, continue to monitor our IT systems, and will take necessary future actions accordingly,” Dexiga said in response.

WinStar’s general manager Jack Parkinson did not respond to TechCrunch’s emails requesting comment.

Read more on TechCrunch:

Source link

Lisa Holden
Lisa Holden
Lisa Holden is a news writer for LinkDaddy News. She writes health, sport, tech, and more. Some of her favorite topics include the latest trends in fitness and wellness, the best ways to use technology to improve your life, and the latest developments in medical research.

Recent posts

Related articles

Instagram now lets you edit DMs up to 15 mins after sending them

Instagram announced today that it’s rolling out the ability for users to edit their direct messages for...

Anthropic claims its new models beat GPT-4

AI startup Anthropic, backed by hundreds of millions in venture capital (and perhaps soon hundreds of millions...

Airbnb has a new label to denote its top (and worst) listings

Airbnb already has labels like “Guest favorites” and “Superhost” to indicate the quality of a property or...

Apple plans to appeal European Commission’s massive antitrust fine favoring Spotify

Apple says it plans to appeal the historic €1.84 billion fine issued today by the European Commission...

TikTok launches data portability API ahead of Europe’s DMA regulatory deadline

TikTok is introducing a data portability API to help it comply with new European regulations designed to...

Apple announces new 13-inch and 15-inch MacBook Air models with M3 chip

Apple announced new MacBook Air models with 13-inch and 15-inch screen sizes with M3 Chip. The 13-inch...

Apple fined $1.84BN in EU over anti-steering on iOS music streaming market

The European Union has fined Apple €1.84 billion for breaching antitrust rules in the market for music...

When your cap table makes your startup uninvestable

The CEO of a Norwegian hardware startup shared a pitch deck with me that had an unusual...