In June 2025, Shubs Shah and I discovered a vulnerability in the online poker website ClubWPT Gold that would have allowed an attacker to fully access the core back office application used for all administrative site functionality. This vulnerability could have been used to retrieve driver's licenses, passport numbers, IP addresses, transactions, game history, and more.
After reporting the vulnerability, ClubWPT thoroughly patched the issue and confirmed that it had never been exploited maliciously. The host is now inaccessible, and we worked with them to confirm that it is no longer reproducible.
Introduction
For the last few DEF CONs, my guilty pleasure has been sneaking away to the Aria poker room and playing No Limit Holdem until 3 or 4 in the morning. This habit was never really a problem as there wasn't a casino within 50 miles of where I lived, but when I learned that the World Poker Tour had created an online poker website that was legal in the US (under sweepstakes laws), I got super curious and registered.
After signing up, I was able to purchase and cash out "sweep coins" (credits that could be used to play on the website) using a credit card. Pretty soon I was playing (mostly losing) in online tournaments, and got pretty sucked into the online gambling world.
Eventually I got curious about how the actual ClubWPT Gold infrastructure worked and started poking around on the website.
A Weird Domain in the JavaScript
While playing poker on the ClubWPT Gold website, I noticed a strange URL stored in one of the environment variables embedded in the site's JavaScript:
VITE_URL_AMOE_CODE:"https://apigate.clubwpt.liuxinyi1.cn/amoeserver"
This URL variable was odd: there were no other references to the "liuxinyi1.cn" root domain anywhere in the JavaScript, and no code actually used the variable. It was also strange that it was a Chinese domain, given that ClubWPT Gold was a US company.
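Stray endpoints like this are easy to catch before a bundle ships. As an added example (not code from the original post), here is a small Node script that pulls VITE_* values out of a built bundle and flags any whose root domain is not on an allowlist; the bundle text, the example.com hosts and the allowlist are constructed for illustration, and the registrable-domain check is a deliberate simplification.

```javascript
// Added example, not from the original post: audit a built front-end
// bundle for Vite-style env vars that point at unexpected hosts.
// Vite inlines import.meta.env.VITE_* values into the bundle as
// KEY:"value" pairs, so a regex over the built text recovers them.
const ENV_RE = /\b(VITE_[A-Z0-9_]+)\s*:\s*"([^"]*)"/g;

// Constructed sample bundle text; the liuxinyi1.cn URL is the one from the post.
const SAMPLE_BUNDLE =
  'const e={VITE_API_URL:"https://api.example.com/v1",' +
  'VITE_URL_AMOE_CODE:"https://apigate.clubwpt.liuxinyi1.cn/amoeserver",' +
  'VITE_CDN:"https://cdn.example.com",VITE_APP_VERSION:"1.2.3"};';

// Return every VITE_* key/value pair found in the bundle text.
function extractViteEnv(bundleText) {
  const out = {};
  for (const m of bundleText.matchAll(ENV_RE)) out[m[1]] = m[2];
  return out;
}

// Registrable domain approximated as the last two labels (no public
// suffix list lookup, so e.g. "co.uk" domains would need special handling).
function rootDomain(hostname) {
  const labels = hostname.toLowerCase().split('.');
  return labels.slice(-2).join('.');
}

// Report env vars whose URL points outside the allowed root domains.
// Values that are not URLs (version strings, feature flags) are skipped.
function findUnexpectedHosts(bundleText, allowedRoots) {
  const allowed = new Set(allowedRoots.map((d) => d.toLowerCase()));
  const findings = [];
  for (const [key, value] of Object.entries(extractViteEnv(bundleText))) {
    let host;
    try {
      host = new URL(value).hostname;
    } catch {
      continue; // not a URL, nothing to check
    }
    const root = rootDomain(host);
    if (!allowed.has(root)) findings.push({ key, host, root });
  }
  return findings;
}

// Usage: allowlist is an assumption; in practice it is the set of
// first-party and vetted vendor domains for the site.
console.log(JSON.stringify(findUnexpectedHosts(SAMPLE_BUNDLE, ['example.com']), null, 2));
```

Running this as a CI step against the production build turns an accidental or unreviewed third-party endpoint into a failed check rather than something a player stumbles across.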