The mobile app for the 'world's biggest casino' had some major security flaws

Customers could use the app to access different self-service options while staying at the hotel, redeem rewards, loyalty benefits, and even casino winnings. 

Publicly available invormation, or sensitive data?

The database was initially discovered by a security researcher Anurag Sen, who also found an exposed email server hosted on Azure that belonged to the US Government, back in February 2023, as well as an Amazon Prime database in October 2022. In all those cases, as well as in this one, Sen did the same thing - tip off TechCrunch on his findings, which later helped him identify the database’s owner. 

In this case, as TechCrunch was going through the database to confirm its authenticity, it found data belonging to Rajini Jayaseelan, founder of Dexiga, the tech startup that develops and maintains My WinStar. This made the researchers sign up on the My WinStar app and lo and behold - the data immediately appeared in the exposed database, confirming its owner.

Commenting on the findings, Jayaseelan said Dexiga only kept “publicly available information” in that database, and that it held no sensitive data. However, the file contained people’s full names, phone numbers, email addresses, as well as physical addresses.

Soon after the discovery, the company plugged the hole and secured the database.

There is no telling how long the database sat there unprotected, but rolling daily logs dated back to January 26, at the time it was secured, TechCrunch confirmed. It is also left unconfirmed if anyone managed to access it before, or not. 

“We are further investigating the incident, continue to monitor our IT systems, and will take necessary future actions accordingly,” Dexiga noted in response.

More from TechRadar Pro

• A US government email server was found without any password security
• Here's a list of the best firewalls around today
• These are the best endpoint security tools right now