Online Betting Site Left Employees' Logins and Passwords Open to Hackers

A major British betting company left internal administrative logins and plaintext passwords on pages exposed to the whole internet, according to security researchers.

Independent security researcher Chris Hogben found that he could see pages containing confidential information, such as administrative passwords, just by clicking around the website of BetVictor, and searching for the word “admin.” BetVictor is a website that allows customers to bet on a myriad of sports, such as soccer, tennis, and horse-racing. The site claims to have half a million customers and is a partner of Liverpool FC, one of the best English Premier League Teams.

“With the World Cup taking place at the moment, I'd imagine more people are using betting sites than usual,” Hogben, who detailed his findings in a blog post, told Motherboard in an online chat. “Having administrator access so readily available to anyone puts the safety of those users’ details at risk. Who knows what could have been done by a bad actor.”

Another researcher, Scott Helme, said he was able to reproduce Hogben’s findings.

“A fairly innocuous feature like searching for help articles resulted in the leak of what appeared to be the company’s internal documents instead,” Helme told Motherboard in a chat. “Of the documents found there were two that contained extensive combinations of usernames and passwords for what looked like various back-end and administrative systems used by the company.”

Motherboard was unable to reproduce the researcher’s findings..

BetVictor declined to comment. In an email to Hogben, which the researcher shared with me, the company said that it’s still working with a third-party provider and still investigating the issue. Hogben and Helme, however, said that the issue appeared to be fixed on Wednesday. The button on BetVictor’s homepage, which hackers could abuse to search for confidential data, is now gone.

It’s unclear if any malicious hackers found out about this issue before Hogben alerted BetVictor. And it’s hard to tell exactly how much damage they could’ve done if they had, according to Hogben. The researcher said that there was also an entry for “Experian,” a data broker that BetVictor may be using to verify customer’s personal data, according to Hogben.

“Because the credentials were not used,” Hogben said, “it is difficult to ascertain exactly what each system exposed did, but if we take at face value the ‘Experian’ reference, and assume it was a portal for identity verification, there may well have been information and documents provided by users to verify their identity.”

Get six of our favorite Motherboard stories every day by signing up for our newsletter.