The mobile app for the 'world's biggest casino' had some major security flaws

An abstract image of a cloud raining data.

(Image credit: Pixabay)

The mobile app for the “world’s biggest casino” was sending customers’ private data to a database that was sitting on the web without a password, available for anyone who knew where to look.

The My WinStar app was designed as a complementary app for people visiting the WinStar casino and hotel resort in Oklahoma, US, known for being the largest casino in terms of square footage anywhere in the world.

Customers could use the app to access different self-service options while staying at the hotel, redeem rewards, loyalty benefits, and even casino winnings.

Publicly available invormation, or sensitive data?

The database was initially discovered by a security researcher Anurag Sen, who also found an exposed email server hosted on Azure that belonged to the US Government, back in February 2023, as well as an Amazon Prime database in October 2022. In all those cases, as well as in this one, Sen did the same thing - tip off TechCrunch on his findings, which later helped him identify the database’s owner.

In this case, as TechCrunch was going through the database to confirm its authenticity, it found data belonging to Rajini Jayaseelan, founder of Dexiga, the tech startup that develops and maintains My WinStar. This made the researchers sign up on the My WinStar app and lo and behold - the data immediately appeared in the exposed database, confirming its owner.

Commenting on the findings, Jayaseelan said Dexiga only kept “publicly available information” in that database, and that it held no sensitive data. However, the file contained people’s full names, phone numbers, email addresses, as well as physical addresses.

Soon after the discovery, the company plugged the hole and secured the database.

There is no telling how long the database sat there unprotected, but rolling daily logs dated back to January 26, at the time it was secured, TechCrunch confirmed. It is also left unconfirmed if anyone managed to access it before, or not.

“We are further investigating the incident, continue to monitor our IT systems, and will take necessary future actions accordingly,” Dexiga noted in response.

More from TechRadar Pro

A US government email server was found without any password security
Here's a list of the best firewalls around today
These are the best endpoint security tools right now

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.