Greenstein Exposes Security Flaw in Open Face Chinese Poker App, Warns of Cheats
A February filled so far with tales of petty cheating and scammery continued on Friday when prominent Team PokerStars Pro Barry Greenstein posted on his Stars blog the news that a popular open-faced Chinese poker app used by players to gamble interactively contains a security flaw a mile wide. The news brings into question the results of players who’ve recently rung up big wins in this informal play among many of the game’s most well-known players.
Greenstein cited his experience after following through on his desire to learn the nuances of open-faced Chinese, a variation on traditional Chinese poker in which players receive only five cards to start, instead of all 13.
For those of our readers unfamiliar with Chinese Poker, here are the basics: Each player traditionally receives 13 cards, which the player examines all at once, then sorts into three poker hands of 5, 5 and 3 cards, called the bottom, middle and top. The bottom must always outrank the middle in terms of a poker hand, and the middle must outrank the top. It’s very easy to learn.
In open-faced Chinese, the players receive only their first five cards and must apportion them to their projected top, middle or bottom hands. They then receive the next eight cards one at a time and build up their hands as they go, while trying not to foul (getting hands out of bottom-middle-top order) or miss the big hands the remaining cards might help to complete. Open-faced Chinese thus involves a ton more missing information, whereas in traditional Chinese all 13 cards a player will use are known from the start.
Enter Barry’s tale, in which he quickly progressed from $10 a point (winning a top, middle or bottom in a showdown against another player) to $50 a point, all using an interactive iPhone app called Open Face Chinese Poker that sells for $6.99 and appears to be the popular app of choice for players who want to do a little OFC playing on the side. The app doesn’t actually allow real-money wagering, so the players have to play for points and settle up themselves, on the honor system.
But poker players being poker players, not everyone is so honorable. Barry had concerns after playing a well-known, profitable player, and watching that player complete hand after hand on the 13th card, as if he knew what cards were coming. After a point, Barry started keeping count, and his unnamed opponent hit the key card on Card #13 in 7 of 14 hands. Seven of 14 might sound like a 50/50 proposition, but it was most definitely not when you realize that these were probably one- and two-outers, as Barry’s tale relates.
Greenstein does have resources, however, and after calling it quits on the session, he asked an unnamed nephew with programming experience to look at the app and see if it could somehow be used to cheat. Greenstein’s nephew quickly determined that the app — designed as a play-money entertainment only — was not secure in how it transmitted the randomly-generated cards, and that a person with programming knowledge could determine what all 13 of his cards would be in advance.
This meant the techie person would be playing regular Chinese while his unknowing opponent would be playing open-faced. That’s a HUGE advantage. You’d lose a few hands here and there when you run into the occasional awful hand, but overall, you’d win big. I know enough about Chinese to play it, and I’m sure that with this advantage, I’d crush any player in the world at the game. That’s how big an edge it is.
So Barry posted his findings on his PokerStars blog, where he knew the word would quickly spread. Barry also chose to name neither the player involved nor the insecure app in question, though the latter should be named. His screen shot in the blog confirms the software in use was the “Chinese Open Face Poker” app by ChPkApp, LLC, available in the iTunes store, and he reported that his nephew had already reported the security “flaw” to the app’s developers.
Here’s Barry’s screen grab:
As for the security hole, I’m not sure this can be described as a flaw, per se. Nor does Barry. As he put it:
My nephew got in touch with the app’s programmers to tell them what they have to do to fix their app. The Apple documentation actually explains how to make an app secure, but when these programmers wrote this Open-Face Chinese Poker app, they didn’t know people were going to be playing for lots of money using it. And so they didn’t write it in a secure way, because they thought it was just going to be a fun game that people were going to play for free. So it’s not even really their fault.
It’s indeed not their fault when people use a product for a purpose beyond its original design.
Which brings up another question. Why didn’t Barry name the pro or pros who he clearly suspected of cheating him?
One answer involves the “unclean hands” doctrine — both Barry and his unnamed foe were complicit in using the software for a gambling purpose beyond the software’s original scope. Beyond that, use of the security flaw uncovered by Greenstein’s nephew might even be defended in a “legal” sense by the player who cheated Barry, who might claim that the tools were there to see all the cards, and it was Barry’s fault for not being technically savvy enough to know about them.
There are lots and lots of young online poker players who think that way, and honor and ethics and the concept of a gambler’s code don’t really mean squat to them. Just another form of a cheat code, right?
So without naming names, Barry’s done what one would expect him to do — he’s effectively nuked the iPhone app in question, which will quickly fall out of favor for this illicit OFC real-money gambling use, unless and until its developers decide to add the needed security, which they may or may not do.
Barry also may figure that the poker world itself will take care of quickly outing those players who have shown unusual profits in beating opponents using this app. A couple of names have already surfaced as possibilities, but they won’t be mentioned here without convincing evidence of shenanigans.
Greenstein might have been taken for a few thousand, but there’s little doubt some quiet rumblings are underway among poker’s inner circles. Will it slow down the open-faced Chinese craze? Maybe. Possibly. It all appears to have been a giant electronic angle shot whose days are all but over. And that’s what Barry Greenstein really set out to accomplish.