The startup that develops the phone app for casino resort giant WinStar has secured a public database that was leaking customers' personal information onto the open web.
Oklahoma-based WinStar bills itself as “the world's largest casino” by square foot. The casino and hotel resort also offers an app called My WinStar. The app allows guests to access self-service options, reward points and loyalty benefits, and casino winnings during their hotel stay.
The app was developed by a Nevada software startup called Dexiga.
The startup left one of its log databases on the internet without a password, so anyone with the public IP address can access WinStar customer data stored internally using just a web browser. Now it looks like this.
Dexiga took its database offline after TechCrunch alerted the company to the security flaw.
Screenshot of the My WinStar app. Image credits: Google Play (screenshot)
Anurag SenAn honest security researcher with a knack for discovering sensitive data accidentally published on the Internet discovers a database containing personal information, but it was initially unclear who the database belonged to.
Sen said the personal data included names, phone numbers, email addresses and home addresses. Sen shared details of the exposed database with TechCrunch in an effort to identify the owner and uncover security flaws.
TechCrunch examined some of the exposed data and verified Sen's findings. According to a TechCrunch investigation, the database also included the gender of the individual and the IP address of the user's device.
The data was not encrypted, but some sensitive data, such as a person's date of birth, was redacted and replaced with asterisks.
TechCrunch investigated the exposed data and found internal user accounts and passwords associated with Dexiga founder Rajini Jayaseelan.
Dexiga's website states that its technology platform powers the My WinStar app.
To confirm the source of the suspected breach, TechCrunch downloaded and installed the My WinStar app on an Android device and signed up using a TechCrunch-managed phone number. The phone number instantly appeared in the public database, confirming that the database was linked to the My WinStar app.
TechCrunch contacted Jayaseelan and shared the IP address of the exposed database. The database became inaccessible shortly thereafter.
Jayaseelan claimed in an email that Dexiga had secured the database, but that it contained “public information” and that no sensitive data had been leaked.
Dexiga said the incident stemmed from a log migration in January. Dexiga did not provide a specific date when the database was published. The exposed database contained rolling daily logs dating back to January 26th, at the time he was secured.
Jayaseelan did not say whether Dexiga has access logs or other technical means to determine whether someone else accessed the database while it was exposed to the Internet. . Jayaseelan also did not say whether Dexiga notified WinStar of the security lapse or whether Dexiga would notify affected customers that their information had been compromised. It was not immediately clear how many people had their personal data exposed in the data breach.
In response, Dexiga said, “We will further investigate the incident, continue to monitor our IT systems, and take any necessary measures in the future.''
WinStar general manager Jack Parkinson did not respond to TechCrunch's email requesting comment.
Read more on TechCrunch: