Statement on "Heartbleed Bug"

PokerStars and Full Tilt Poker are aware of the vulnerability in OpenSSL that is being widely described in news reports as the 'Heartbleed Bug'. We can confirm that at no stage were our downloadable clients on either PokerStars or Full Tilt Poker vulnerable to this issue at any time. This applies to both desktop and mobile clients.

All encrypted data travelling between the PokerStars and Full Tilt Poker downloadable clients remained secure. This includes hole cards and relevant gameplay data transmitted from the server to the client (and vice versa). This includes payment information transmitted from the client to the server (and vice versa). This includes player User IDs and player passwords. This includes both real money and play money games that were played on our downloadable clients for both PokerStars and Full Tilt Poker.

The Full Tilt Poker client was not vulnerable because the Full Tilt Poker software did not use the affected versions of OpenSSL. The PokerStars client was not vulnerable because it does not use Transport Layer Security (TLS) which was the vulnerable protocol in the OpenSSL library.

However, until 7 April 2014, when the vulnerability (and fix) became public, our play money social gaming product on Facebook was theoretically vulnerable. We applied the required fix within 24 hours of the public disclosure of the vulnerability, so the product is no longer vulnerable and it is unlikely that anyone took advantage of the vulnerability in this situation. PokerStars does not offer any real money gaming on this product, so this issue only had the potential to affect play money chips.

We will continue to monitor the issue, but we can confirm that this did not affect any of our gaming services offered on our downloadable PokerStars and Full Tilt Poker clients.

14 May 2014 Update: Our earlier statement indicated that the PokerStars client does not use TLS Heartbeats hence tests for the Heartbleed vulnerability at that time showed that PokerStars was not vulnerable to this issue. However, through further testing and research, it was discovered that although the TLS protocol was not used in communication between the client and the server, it was theoretically possible for a hypothetical attacker, under unlikely conditions, to trigger the dormant code on the PokerStars server.

Upon becoming aware of this vulnerability, PokerStars applied the software update to remove it, and has furthermore removed support for the Heartbeat functionality from the server code altogether.

Rob Withington is the Director of Information Security


Rob Withington
@PokerStars in Inside PokerStars