- British betting site BetVictor exposed internal admin credentials to the internet.
- The site caters to around half a million customers who can place bets on soccer, tennis and horse-racing.
Security researchers have discovered that British betting site BetVictor has inadvertently exposed internal administrative logins and plaintext passwords to the internet.
BetVictor boasts of catering to over half a million customers who can place bets on sports such as tennis, soccer and horse-racing. The site is also a partner of Liverpool FC, one of the most popular English Premier League football teams.
Admin passwords exposed
According to independent security researcher Chris Hogben, who discovered the breach, the betting site allowed anyone to see confidential data, including admin passwords, simply by browsing the website and searching for the word “admin”.
“With access to any of these systems, it may be possible to access sensitive company information and potentially even user-specific data,” Hogben wrote in his blog. “It should also be noted that this was just one document located within the BetVictor knowledge base. With more extensive searching, further documents may have been discovered containing even more confidential data.”
“With the World Cup taking place at the moment, I'd imagine more people are using betting sites than usual,” Hogben told Motherboard. “Having administrator access so readily available to anyone puts the safety of those users’ details at risk. Who knows what could have been done by a bad actor.”
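As an added, constructed example (not code from the article or from BetVictor), the kind of defender-side check that would have caught this: scan help-centre articles for credential-like text and rate any that are publicly visible as critical. The sample articles, the "visibility" flag and the field names are assumptions, not BetVictor data.

```python
import re
from dataclasses import dataclass

# Constructed sample help-centre articles (not BetVictor data). The "visibility"
# flag stands in for whatever a knowledge-base platform uses to mark an article
# as readable by anonymous site visitors versus staff only.
SAMPLE_ARTICLES = [
    {"id": 101, "title": "Resetting a customer's 2FA", "visibility": "public",
     "body": "Go to Account > Security and click Reset 2FA. No credentials needed."},
    {"id": 102, "title": "Admin console access", "visibility": "public",
     "body": "Log in at the admin console.\nusername: ops_admin\npassword: Summer2015!"},
    {"id": 103, "title": "Internal payments tool", "visibility": "internal",
     "body": "Admin login: svc-pay / pw: hunter2"},
]

# Free-text credential markers: a field name, a separator, then a value.
CREDENTIAL_RE = re.compile(
    r"\b(?P<field>password|passwd|pwd|pw|login|username|user)\s*[:=]\s*(?P<value>\S+)",
    re.IGNORECASE,
)

@dataclass
class Finding:
    article_id: int
    title: str
    visibility: str
    fields: list      # which credential fields were found; values are never copied out
    severity: str

def scan_articles(articles):
    """Return one Finding per article whose body contains credential-like text.

    Public articles are rated critical: their contents are reachable by anyone
    who searches the site, which is how the BetVictor document was found.
    """
    findings = []
    for art in articles:
        fields = sorted({m.group("field").lower() for m in CREDENTIAL_RE.finditer(art["body"])})
        if not fields:
            continue
        severity = "critical" if art["visibility"] == "public" else "high"
        findings.append(Finding(art["id"], art["title"], art["visibility"], fields, severity))
    return findings

def public_exposures(findings):
    """IDs of flagged articles that are already readable by anonymous visitors."""
    return [f.article_id for f in findings if f.visibility == "public"]

if __name__ == "__main__":
    for f in scan_articles(SAMPLE_ARTICLES):
        print(f"[{f.severity}] article {f.article_id} ({f.visibility}): {f.title} -> {f.fields}")
```

Running this against a real knowledge-base export would surface the internal-only articles as well, which is the point: a document written for staff in 2015 is one visibility change away from being public.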
BetVictor probing the breach
It is still unclear how long the flaw has been live on the site and whether it has been accessed by any malicious actors.
“What we can say is that the information was from an internal help section that was available for our Customer Service Teams in 2015,” BetVictor told Hogben.
The company is yet to specify whether the data was also accessed by any other third parties.
However, BetVictor claimed that since discovering the breach, it has disabled its help center and blocked external access to any systems. The company said that it is still investigating the details of the attack.