The firm that creates the mobile app for the massive WinStar casino resort has secured a database that was leaking confidential customer information to the public.
The Oklahoma-based WinStar claims to be the largest casino in the world in terms of square footage. Along with self-service choices for hotel stays, rewards points and loyalty perks, and casino winnings, the casino and hotel resort also provides its customers with an app called My WinStar.
The developer of the app is Dexiga, a software business based in Nevada.
The startup exposed one of its logging databases to the public without a password, meaning that anyone with its public IP address could use a web browser to access the WinStar customer data held there.
Following notification of the security breach, Dexiga took the database off the internet.
The database containing personal information was discovered by Anurag Sen, a good-faith security researcher with a talent for finding accidentally exposed sensitive data on the internet, but it wasn’t immediately clear who the database belonged to.
According to Sen, the personal information contained home addresses, phone numbers, email addresses, and full names. Sen shared the exposed database’s details in order to help identify the database’s owner and reveal the security flaw.
Investigators looked through some of the leaked material and confirmed Sen’s conclusions. Investigators discovered that the IP address of the user’s device and the gender of the individual were also included in the database.
Though some sensitive information, such as a person’s date of birth, was redacted and replaced with asterisks, none of the data was encrypted.
An internal user account and password belonging to Dexiga founder Rajini Jayaseelan were discovered during an assessment of the disclosed material.
According to Dexiga’s website, the My WinStar app is powered by its tech platform.
To verify the origin of the alleged spill, investigators downloaded and installed the My WinStar app on an Android handset, using an investigator-controlled phone number. The fact that the phone number was immediately visible in the publicly accessible database proved that the database was connected to the My WinStar app.
Jayaseelan was contacted by the investigators, who also provided the IP address of the exposed database. Not long after, the database was no longer available.