Hacking the World Poker Tour: Inside Clubwpt Gold's Back Office

Posted2 months agoActive2 months ago

notmine1337

38 points

10 comments

samcurry.netTechstory

calmmixed

Debate

20/100

SecurityVulnerability DisclosureOnline Gaming

Key topics

Security

Vulnerability Disclosure

Online Gaming

The article details how the author discovered and reported a security vulnerability in the World Poker Tour's ClubWPT Gold back office, highlighting both the vulnerability and the responsible disclosure process.

Snapshot generated from the HN discussion

Discussion Activity

Moderate engagement

First comment

Peak period

72-84h

Avg / period

3.3

Key moments

01Story posted
Oct 26, 2025 at 7:48 AM EDT
2 months ago
Step 01
02First comment
Oct 29, 2025 at 2:55 PM EDT
3d after posting
Step 02
03Peak activity
7 comments in 72-84h
Hottest window of the conversation
Step 03
04Latest activity
Oct 31, 2025 at 8:07 AM EDT
2 months ago
Step 04

Generating AI Summary...

Analyzing up to 500 comments to identify key contributors and discussion patterns

Discussion (10 comments)

Showing 10 comments

xraystyle

2 months ago

4 replies

What's this 'subs' command being run to enumerate subdomains?

perrysmith

2 months ago

1 reply

I was wondering the same thing. Ran to my Kali instance and tried it out lol

xraystyle

2 months ago

So is it a thing in security distros? Is there a github for it?

bauruine

2 months ago

2 replies

Not sure what it is but certificate transparency logs are a goldmine for this.

https://crt.sh/?q=liuxinyi1.cn

zenmac

2 months ago

Oh got this"

"CONTEXT: PL/pgSQL function web_apis(text,text[],text[]) line 4671 at FOR over EXECUTE statement ERROR: server conn crashed?"

May be pushing a bit too hard on their postgres-rest ?

xraystyle

2 months ago

That's interesting. Suppose it doesn't do you any good if you're looking for subdomains that don't have certs though.

jweather

2 months ago

Not familiar with that one, but two that come with Kali use search engines to locate subdomains. Your DNS server would have to be pretty misconfigured to allow zone transfers to the general public, which would be the only way to discover a truly "unlisted" subdomain.

gs17

2 months ago

I suspect it's a bespoke script. The first use outputs "[domain] -> [ip]", the second use outputs "[domain] [http code] [?] [size?] [title] [info]".

uncivilized

2 months ago

This was a really great read. Thanks for sharing.

greatgib

2 months ago

And the biggest question that all of that raises and stays unaddressed is how a US official and regulated gambling website is developped and probably operated directly from China?

Meaning all PII (name, address , id scans, ip, ...) are available to Chinese individuals.

The argument that the dev website is just developped in China doesn't hold as you can see that the prod admin panel is also partially in Chinese.

And what to say about the admin that is really using 123456 as password in production...

View full discussion on Hacker News

ID: 45710981Type: storyLast synced: 11/20/2025, 1:23:53 PM

Want the full context?

Jump to the original sources

Read the primary article or dive into the live Hacker News thread when you're ready.

Open link View on HN