Banned from MyVegas for reporting a possible security issue

Discussion in 'MyVegas' started by bboyen, Nov 16, 2014.

Thread Status:
Not open for further replies.
  1. bboyen

    bboyen Newbie

    Joined:
    Nov 16, 2014
    Messages:
    7
    This will probably be a long post, and for that, I apologize in advance. I hope this post isn't in vain and isn't immediately censored or deleted...I'm trying to be 100% honest here and also not try to offend anyone, PlayStudios/MyVegas included. I'm simply trying to resolve a very unpleasant situation here after playing and absolutely loving the concept of MyVegas for years. I started playing literally right when the game came out on Facebook (when the game was still in early beta) and have thoroughly supported it. I got multiple family members involved with the game. Last year during a family trip to Vegas, I even recommended MyVegas to multiple people I randomly met.

    I am a programmer/QA analyst/web security expert. For my job, sometimes I am required to debug a running process by reading the memory to find out what is wrong with a particular program my company is working on. In this instance, I was debugging a Flash game that we developed here at the company I work for. To do so, I launched my Firefox browser and used my debugging tools to search for a bit of text in the Adobe Flash Player process that is running. I NEVER had to hack into, look at, or do anything with the code from MyVegas. While I was doing this, I also had MyVegas opened in Firefox in another tab so I could collect my chips/loyalty points every once in a while. In searching the running Flash process for the issue with my code, I found a string of characters that seemed EXCEPTIONALLY weird. I'm not going into any specifics here as to what I found, as that really doesn't matter at this point, but I found it very, very peculiar to the point that I needed to make sure it wasn't something coming from our own internal game that I was working on. I closed the MyVegas tab in Firefox and noticed that this particular bit of information in memory then immediately disappeared. This proved that the issue was with MyVegas and NOT with the game I was debugging for my job.

    I'm not one to exploit the "system" in any way and have always followed the rules. Being what I THOUGHT was a good citizen, I reported the issue to MyVegas staff. Other people may not have done the same thing. They could have, perhaps, exploited said issue or posted about the issue on a forum such as this one. Again, due to my love for the game, I just went straight to MyVegas to report the issue. They initially responded and thanked me for the report. Then...two months later, I realize that not only was I banned from completing new reward purchases, but they ALSO cancelled all of the rewards I had claimed for my family's upcoming trip to Vegas. We literally PLANNED our schedule out around the rewards and now we are, unfortunately, semi-screwed in regards to plans. To make it worse, they even banned and did the same thing to THREE other family members who had nothing to do with me reporting the issue to PlayStudios.

    I'm absolutely astonished that we cannot even get a response from MyVegas/Playstudios. Emails go unanswered. A family member has also attempted to contact them and even called a few times, being told every time that someone would call back, but they never do. The only response I heard back was from a fellow Facebook member who is an admin of a huge MyVegas group. He contacted an employee at Playstudios on my behalf (no reason to name said employee, that's irrelevant to the situation). Again, I was never contacted directly as to why I was banned or given any info at all...I'm effectively ignored 100%, and I really find it disheartening that it takes me asking another Facebook user to ask MyVegas/PlayStudios and that's the only way I ever hear ANYTHING at all. Here's what was relayed back to me by someone that actually got a response from that Playstudios employee:

    "Basically, they stated that the vulnerability you found in their code wouldn't have been found unless you were playing around with their code. This action is a direct violation of PS TOS and by coming forward, they saw this as an admission of guilt. As such, they have banned you from redeeming rewards and this action cannot be reversed"

    I never "played around" with their code. Their logic is invalid. Again, I was debugging the running Flash Player process while doing my work that I make a living off of. It is not against their terms of service to happen upon something that seems odd enough that I felt it warranted being reported to them, especially when I was not targeting their "code" at all. To make an analogy here, albeit a bad one...but still as close as I can explain here...it's as if someone walking their dog came across a crime scene and called the police. The police then immediately arrest and prosecute said person just for reporting what they HAPPENED to come across, even though they did nothing wrong. They didn't go out searching for a crime scene, it just came about during daily routines.

    If I was somehow exploiting their systems or doing anything wrong, why would I purchase coins, too? I have done so on numerous occasions in the past. I tried asking for refunds for those purchases but, again, emails go unanswered.

    This entire fiasco really has put a horrible damper on the mood for our upcoming Vegas trip. We leave on the 22nd and I have over 1.1 million loyalty points at the moment that I've been saving up for years for this trip...yet the rewards were cancelled and I can't claim new ones. Having to re-plan out everything is becoming an absolute nightmare, just like this entire scenario has been.

    Does anyone have any suggestions here? Apparently doing the right thing is frowned upon these days.
     
  2. Readingfanman

    Readingfanman Low-Roller

    Joined:
    Oct 29, 2013
    Messages:
    361
    Location:
    London, UK
    Trips to Las Vegas:
    3
    I can only assume the exploit was something along the lines of being able to re-produce LP's or chips, I can't see another reason they would want to ban you entirely from the game.

    I think the problem you have is that PlayStudios own the game and the code, so your police analogy doesn't work so well, as they can pick and choose exactly who they want to play the game.

    I think without specifics, it's tough to see why they have banned you. I can't see a way around it though in all fairness, if they've banned you, there's not a lot you can do currently to get the LP's back.
     
    NFL Championship Weekend
  3. bardolator

    bardolator Lifelong Low Roller

    Joined:
    Mar 30, 2005
    Messages:
    1,430
    Location:
    Green, Ohio
    I'm confused. Why would this board wish to censor your post?
     
  4. bboyen

    bboyen Newbie

    Joined:
    Nov 16, 2014
    Messages:
    7
    Nope, it had NOTHING to do with reproducing loyalty points or chips. Absolutely nothing at all. Like I said in the original post, I have bought chips on a few occasions and if I was able to create chips or loyalty points out of thin air, why would I be paying for them?

    For the sake of being civil, even after the way they treated me by banning not only myself but also my entire family, I still am not going to post exactly what I found. Even after this entire fiasco, I'm still attempting to do the right thing, and I really wish I knew why. It would be so easy to just post information about what I reported to them, but that was never my intention to begin with, I was just trying to help them out.

    The only reason I thought I may be censored here is because I didn't know if people who work at PlayStudios actually visit this forum and may ask for this to be removed, etc. Mods/admins of forums I've been to have been on complete opposite ends of the spectrum at times, depending on the forum. I was merely stating that after writing out that long post, I just hoped that the topic wasn't instantly deleted or locked.

    When they ban you, they just take away your ability to buy rewards and remove your rewards. I have 1.1 million+ loyalty points after years of gameplay. I am level 518 and it has taken ages to reach that point. I can still play the games, but guess what, I just can't redeem rewards. So, if I WERE to play, they would still be making advertising revenue off of me based off of clicks (I never click ads anyways, just mentioning this as an example) or ad impressions while I play. So, they ban me for effectively no reason, yet they want the money so bad that they keep it open so that I can still play and they make perhaps a few extra pennies a month. I really don't understand.

    If PlayStudios is up on their game, they SHOULD have a logging system in place that lets them see every single transaction that occurs that issues loyalty points or chips in-game. That would be on the server side. They could compare my total chips and loyalty points to the logs to verify I never exploited anything that would have given me a gain on others. It seems to me that they are just punishing me as...I don't know, a way to save money? Who knows if they have done this to others under similar or other circumstances and we just don't hear about it?

    It's really NOT cool for a company that I have supported for years to do this type of thing. The funny part is, Facebook itself has a "Bug Bounty" program. It's pretty cool. If people find issues within Facebook's code itself, Facebook will actually PAY you a MINIMUM of $500. There's no maximum on what they pay and I saw one report of someone receiving $33,000 for reporting something to Facebook. This does not apply to third party apps such as MyVegas, however. You would think they would be appreciative of my report to them, and don't get me wrong, I never asked them for money or chips or anything...I was just using Facebook's program as an example as to how what they have done is just wrong.

    It gives the COMPLETE wrong idea when you ban someone for reporting an issue. That just sends a message that people should keep any bugs or exploits they find to themselves for risk of being banned. Overall, this hurts the community as a whole, and not just myself only.
     
  5. zignerlv

    zignerlv Low-Roller

    Joined:
    Aug 29, 2006
    Messages:
    436
    Trips to Las Vegas:
    40
    I don't agree with what they did, but I would say a case could be made that you were in violation of any/all of items 5, 6 and 8 in this section of their terms.

    5 Access, tamper with, or use non-public areas of the Site or Service, PLAYSTUDIOS computer systems, or the computer systems of our providers and partners;

    They could make a case that viewing memory is a non-public area of the site. I am not saying I agree. Just that memory is not meant to be viewed by the public. They could say the public areas of the site (in regards to the app) are the application user interface (the parts of the app that all of us see). So accessing the memory is accessing a non-public area of the app. I know that playing that game is part of the site or service.

    6 Attempt to probe, scan, or test the vulnerability of any PLAYSTUDIOS system or network or breach any security or authentication measures; Avoid, bypass, remove, deactivate, impair, descramble or otherwise circumvent any technological measure implemented by PLAYSTUDIOS or any of our providers or any other third party (including another user) to protect the Site, Service or any part thereof;

    Viewing the memory can be seen as probing and/or scanning, even if your intentions were not to use the information to hack. There is no exception to say "unless you are doing it to help us"

    8 Attempt to use the Service on or through any platform or service that is not authorized by PLAYSTUDIOS; - See more at: http://myvegas.com/terms-service-myvegas#sthash.6wFs8ivy.dpuf

    A case could be made that your viewing the MyVegas app memory through your debugging tool is a violation of rule 8. Whether it was accidental or purposeful doesn't matter according to the term.

    I know arguments for/against you violating each of these could be made. The problem is, it's their opinion that they base their bans on, not a public vote.

    I guess, in hindsight, you would have been better off by contacting them with this information and not identifying yourself or giving them a way to identify you (IP address, etc). Hindsight is 20/20.
     
    Last edited: Nov 17, 2014
  6. bubbakitty

    bubbakitty native Texan; born and bred.

    Joined:
    Feb 17, 2003
    Messages:
    1,795
    Location:
    Texas
    Trips to Las Vegas:
    60
    You may be absolutely correct in both your stance toward the site and feelings of mistreatment. (upon first reading it almost appears you are in the position of employee and were rebuffed by advising upper management there is a problem and when arriving for work all the locks on the doors have been changed denying you access)

    I would not center my life around it however. Continue to attempt an amicable resolution as it seems from your presentation(?) you were wronged, but it is not life changing (in my eyes); it's a game. You earn possible rewards. At present you are not allowed to take advantage of it but that could change.

    I tried MyVegas for about an hour and it just wasn't my thing. Doesn't mean it isn't of value or not your thing. I wish you luck in getting your status rectified but again there are so many bigger things in life; don't let it drag you down too far. I do think you have the right to protest their action however.
     
    1st Super Bowl DT...Panthers / Browns no doubt
  7. bboyen

    bboyen Newbie

    Joined:
    Nov 16, 2014
    Messages:
    7
    I fully understand your point. It's just crazy when good deeds come back and turn around into something just incomprehensible. Even worse that they won't even directly tell me the

    I had NO intention to view their memory. I just happened to be addicted to the game and had it open in another tab while I worked. I guess that is nobody's fault but my own...shouldn't attempt to work and play at the same time.

    At the root of the issue here, I also think they were embarrassed by what I found, as it actually made them look pretty bad as a company...that's why I reported it. It makes me wonder if perhaps a programmer there got in trouble or something for what I found. This may be said programmer's way to "get back at me" for something he or she did themselves? I really don't know at this point.
     
  8. bboyen

    bboyen Newbie

    Joined:
    Nov 16, 2014
    Messages:
    7
    Oh, I'm not centering my life around it. I just want others to understand how I was treated and yes, this is definitely a way to protest their treatment of me. I mean come on, they won't even respond to me at all...I never got even an email stating I was banned. It just happened.

    If I was trying to hurt the company in any way, I would just post what I had found. But even after all of this, I still have too much integrity to do something that low, even after the way I have been treated.
     
  9. bswim

    bswim High-Roller

    Joined:
    Jan 22, 2013
    Messages:
    898
    Location:
    Western WA
    Trips to Las Vegas:
    7
    This doesn't surprise me. A year or two ago on that large FB group there was an individual who hinted at how locals can circumvent the ban on locals acquiring rewards.

    Playstudios never told him that he was banned until sometime later, in fact he purchased chips a couple times, he didn't know he had a problem until he went to redeem some LP's in the game, then suddenly there was a problem. He was still able to play the game and buy chips though. Pretty shady.
     
  10. ams722

    ams722 Side Bet Shunner

    Joined:
    Aug 27, 2012
    Messages:
    1,414
    Location:
    Pergatory
    Trips to Las Vegas:
    15
    Basically, once you're banned, you're banned. I've never heard of anyone being un-banned.

    I have heard several stories of them just ignoring those people who were banned, just like they did to you.

    PS is only concerned about the money. If anyone "threatens" (I'm not saying that's what you did) their bottom line, they're gone.

    I would LOVE to know what you found. lol
     
  11. zignerlv

    zignerlv Low-Roller

    Joined:
    Aug 29, 2006
    Messages:
    436
    Trips to Las Vegas:
    40
    If PlayStudios is up on their game, they SHOULD have a logging system in place that lets them see every single transaction that occurs that issues loyalty points or chips in-game. That would be on the server side. They could compare my total chips and loyalty points to the logs to verify I never exploited anything that would have given me a gain on others.

    You are in this business. How many hours would it take to do this, going through logs? 2? 3? Do you think management wants to spend $200+ in fully loaded (inc. benefits) labor costs to verify that you haven't used this information to your advantage? You only mention one thing for them needing to look for (the LP issue). I am sure there are other possibilities. Maybe it's possible to alter memory to have more wins on your slot pulls. How many logs and how much time would they need to take to verify whether you did that? It's much easier to freeze the account. In their view you violated the TOS. Why would they want to spend $ to review your situation to keep your account active, if in their view you violated the terms?

    The bottom line is they see you as a potential threat, and it's a better business decision for them to ban you, rather than to spend $100's in labor (taking time away from other work) to prove that you haven't done anything malicious. I don't support that view, but I understand it.

    I
    Your facebook example is valid for facebook, but not a game or a contest. Do you know of any contest or game app that awards prizes that has a bug finding program? I bet not. The reason is easily understood.


    That just sends a message that people should keep any bugs or exploits they find to themselves for risk of being banned. Overall, this hurts the community as a whole, and not just myself only


    Actually, to me the message it sends is, "it's our app, we don't want anyone even attempting to look at how it works, or debugging it for us, and we will ban anyone that does so."

    And, as far as your claim of banning due to finding bugs. Let's be reasonable. They aren't banning anyone for reporting bugs that are seen from a typical end user's viewpoint, are they? If someone reports the spin button doesn't work if you press it right after clicking on your balance (for example), do you think they would really ban someone for that? No, of course not. It's HOW you went about finding the bug, not just the fact that you reported a bug, that led them to act.
     
    Last edited: Nov 17, 2014
  12. bboyen

    bboyen Newbie

    Joined:
    Nov 16, 2014
    Messages:
    7
    Wow, you are right. That is incredibly shady, I didn't even think about that. They never informed me of the ban, like I said, but I never even thought about the fact that I could have purchased more chips after the "ban" without even knowing that I would be unable to purchase rewards. Just...wow. Wow.
     
  13. neminem

    neminem Tourist

    Joined:
    Sep 23, 2014
    Messages:
    89
    So, that is pretty awful, but I do have to play semi-devil's advocate: you're a security professional? Haven't you heard of this? I mean, at least you only got banned, and aren't in jail. Every couple years I hear of some guy who accidentally stumbled across some major security flaw in some big system, immediately did the right thing and reported it to the people in charge, and for their trouble, got all kinds of sued and/or prosecuted. That is why, unless companies have official, legal security hole bounty systems, I would always report any security bugs I happened to have found, extremely anonymously. In your shoes, I'd still fight it to the bitter end, but at the same time, you could kinda have seen that coming. (Still sucks though.)

    That said, it does make me also kind of scared hearing that they will ban you without even telling you... kinda makes me want to stop playing until I've redeemed something, just in case I did something without knowing it. They should really at least tell you. I mean, they definitely have your email... :(

    edit:
    I don't see any contests with bug bounties, no. That said, I do see several major financial-related services that do, including paypal. If I happened to be a black hat hacker, given the choice, do you think I'd hypothetically rather mess with MyVegas and get illegitimate LP, or mess with Paypal, and get illegitimate actual US currency? :p (Just to be clear, I am in no way a black hat, or indeed, any variety of hacker. I haven't ever actually been in the situation where I had to decide to report something anonymously or not, because I've never found anything like that, while looking or by accident, I just read about it in tech news periodically.)
     
    Last edited: Nov 17, 2014
  14. wanker751

    wanker751 Dutch Rudder Enthusiast

    Joined:
    Sep 23, 2014
    Messages:
    4,710
    Location:
    Chicago
    Trips to Las Vegas:
    13
    One suggestion on refunds with your chip purchases, try to dispute the charges with your CC company maybe? Sorry, this is the only suggestion I can come up with.
     
    Downtown - Wanker Returns after baby!
  15. undathesea

    undathesea Grandissimo

    Joined:
    Feb 26, 2013
    Messages:
    1,664
    Location:
    Washington D.C.
    Trips to Las Vegas:
    20
    You had an unfair advantage over the game if you found the vulnerability. Regardless of what your true intentions were, they don't know you and you could have been up to something malicious.

    Just like the guy you don't know who walks in your front door to tell you that your front door is unlocked.

    Sounds to me like you should let it go and make new plans for Vegas.

    The bright side of all of this is now your vacation to Vegas won't be driven by rewards from MyVegas. You stay where you want and do what you want. Sounds like they gave you some freedom.
     
  16. neminem

    neminem Tourist

    Joined:
    Sep 23, 2014
    Messages:
    89
    Personally, if my door was unlocked, I would love if someone would knock on my door and politely let me know that. I wouldn't want someone to walk in while I wasn't home and leave a note saying that in my underwear drawer, but that isn't what he did. What he did was akin to knocking, and that sort of thing should be rewarded. I do say "should", though, rather than "is", because it usually isn't.
     
  17. undathesea

    undathesea Grandissimo

    Joined:
    Feb 26, 2013
    Messages:
    1,664
    Location:
    Washington D.C.
    Trips to Las Vegas:
    20
    Not exactly. But, let's suppose he did knock for a second.

    Why was he checking to see that the door was unlocked in the first place and then feel the need to tell you? You don't know the OP and he could have something malicious in mind.

    That's the main point I'm trying to make. There's no way of knowing the true intent behind the OP's actions, so they banned him.
     
  18. Funkhouser

    Funkhouser In Charge of the Big Door

    Joined:
    Aug 20, 2011
    Messages:
    2,105
    Location:
    Cincinnati, OH
    Trips to Las Vegas:
    45
    Application providers where you are consuming software as a service have rights to define terms of license and use. So you are subject to whatever crap they want to make up, fair or unfair. The only grounds I think you have is in the case of code that executes on your system in the browser, in Java environment on your system, or application activities that write data to your local system.

    In this case you could imply that by scanning the code executing on your PC, you are taking reasonable actions to protect your system or local information from anything that could pose a risk to your personal information or data.
     
  19. bboyen

    bboyen Newbie

    Joined:
    Nov 16, 2014
    Messages:
    7
    If I had malicious intent, why would I have reported the issue? That's the thing here, too. You use the word intent. I had NO INTENT to even access what I was able to see. It was happenstance. If this was a court of law, they'd have to show I actually had intent for me to even be "guilty" of this. I was working on something completely separate for my own work. I guess it is my own fault for trying to have MyVegas open in a separate tab at the same time as working. Adobe Flash keeps all of its data in that same single process on your computer. If I'm debugging it for my own work, it will unfortunately show search results from other running Flash programs if, say, you searched the memory for something specific.
     
  20. Ty

    Ty ?

    Joined:
    Sep 2, 2013
    Messages:
    2,385
    Location:
    Mid Ga
    Trips to Las Vegas:
    22
    He kinda checked the wrong door by accident.
     
    Christmas Trip. Sam's Town & MSS