[Security] Slumbot accepts illegal actions, allowing user to cheat

ericgjackson / slumbot2019

Implementations of CFR for solving a variety of Holdem-like poker games

MIT License

137 stars 30 forks source link

[Security] Slumbot accepts illegal actions, allowing user to cheat #24

Closed JbCourtois closed 2 years ago

JbCourtois commented 2 years ago

In the "/api/act" entpoint, my agent can input actions like "b400b19999b20000f" and take control of Slumbot betting.

My bot Hackbot exploits this flaw, feel free to remove it from the leaderboard.

ericgjackson commented 2 years ago

Thanks for the bug report. Can you give me more details on how you do this? Do you send the action "b400b19999b20000f" as your initial action preflop when you have the button? Or do you do it postflop?

JbCourtois commented 2 years ago

Yes, I send this action preflop. It works on the button, but also on the big blind after slumbot sends b200.

JbCourtois commented 2 years ago

You can also do weird stuff like adding digits to Slumbot's bets.

Fo exemple, il slumbot sends "b200", you can send "0c" to make it a 2000 bet.

ericgjackson commented 2 years ago

I have pushed a fix for this. Thanks again for the report.