'World's biggest casino' app exposed customers' personal data
The startup that develops the phone app for casino resort giant WinStar has secured an exposed database that was spilling customers' private information to the open web.
Oklahoma-based WinStar bills itself as the "world's biggest casino" by square footage. The casino and hotel resort also offers an app, My WinStar, in which guests can access self-service options during their hotel stay, their rewards points and loyalty benefits, and casino winnings.
The app is developed by a Nevada software startup called Dexiga.
The startup left one of its logging databases on the internet without a password, allowing anyone with knowledge of its public IP address to access the WinStar customer data stored within using only their web browser.
Dexiga took the database offline after TechCrunch alerted the company to the security lapse.
Screenshots of the My WinStar app. Image Credits: Google Play (screenshot)
Anurag Sen, a good-faith security researcher who has a knack for discovering inadvertently exposed sensitive data on the internet, found the database containing personal information, but it was initially unclear who the database belonged to.
Sen said the personal data included full names, phone numbers, email addresses and home addresses. Sen shared details of the exposed database with TechCrunch to help identify its owner and disclose the security lapse.
TechCrunch examined some of the exposed data and verified Sen's findings. The database also contained an individual's gender and the IP address of the user's device, TechCrunch found.
None of the data was encrypted, though some sensitive data — such as a person's date of birth — was redacted and replaced with asterisks.
A review of the exposed data by TechCrunch found an internal user account and password associated with Dexiga founder Rajini Jayaseelan.
Dexiga's website says its tech platform powers the My WinStar app.
To confirm the source of the suspected spill, TechCrunch downloaded and installed the My WinStar app on an Android device and signed up using a phone number controlled by TechCrunch. That phone number instantly appeared in the exposed database, confirming that the database was linked to the My WinStar app.
TechCrunch contacted Jayaseelan and shared the IP address of the exposed database. The database became inaccessible a short time after.
In an email, Jayaseelan said Dexiga secured the database but claimed the database contained "publicly available information" and that no sensitive data was exposed.
Dexiga said the incident resulted from a log migration in January. Dexiga did not provide a specific date when the database became exposed. The exposed database contained rolling daily logs dating back to January 26 at the time it was secured.
Jayaseelan would not say if Dexiga has the technical means, such as access logs, to determine if anyone else accessed the database while it was exposed to the internet. Jayaseelan also would not say if Dexiga has notified WinStar of the security lapse, or if Dexiga would inform affected customers that their information was exposed. It is not immediately known how many individuals had personal data exposed by the data spill.
"We are further investigating the incident, continue to monitor our IT systems, and will take necessary future actions accordingly," Dexiga said in response.
WinStar's general manager Jack Parkinson did not respond to TechCrunch's emails requesting comment.
Read more on TechCrunch: