October 29, 2025
All-in on .env
Hacking the World Poker Tour: Inside ClubWPT Gold's Back Office
Poker site’s secret admin door sparks China-domain drama
TLDR: Researchers found a back office flaw at ClubWPT Gold that could expose sensitive player data; it’s now patched and reportedly never abused. Comments split between alarm over a Chinese-linked domain and chill “outsourced dev” explanations, with jokes, tool questions, and praise for quick fixes showing why this matters to players.
Poker fans didn’t expect a late-night tournament to turn into a cybersecurity cliffhanger, but that’s what happened when two researchers spotted a strange Chinese domain hard-coded in ClubWPT Gold’s site. Following the breadcrumb trail, they found an exposed admin page and a file of environment “secrets.” They reported it; ClubWPT says it’s patched, the host is down, and there’s no sign of abuse. The community immediately went full tilt: half yelling “why is a US poker site pointing to China?”, half shrugging that outsourced dev and global clouds are normal. Memes flew: “All-in on .env,” “World Password Tour,” and “don’t keep passports behind a login screen.”
Then the practical crowd chimed in. One commenter asked what the mysterious “subs” command was, sparking a mini tutoring session and a bit of gatekeeping spice—“it’s just a subdomain finder” vs. “details matter.” Others mocked the discovery of Alibaba Cloud keys that didn’t do anything: “security by vibes.” A calmer majority praised fast patching and transparent disclosure, comparing it to catching a dealer miscount before chips hit the felt. The hot debate remains: harmless dev breadcrumbs or a major red flag? Either way, everyone agrees the stakes—IDs, IPs, and game history—were very real. For context, DEF CON is a hacker conference and sweepstakes sites are legal gaming alternatives in the US.
Key Points
- In June 2025, a vulnerability in ClubWPT Gold’s back office could have enabled full administrative access and exposure of sensitive user data.
- The issue was identified after finding a suspicious Chinese-domain URL in the website’s JavaScript environment variables.
- Subdomain enumeration revealed numerous ClubWPT-related services, including an admin interface at coin-admin.clubwpt.liuxinyi1.cn.
- Endpoint discovery (ffuf) uncovered unauthenticated access to .env, exposing internal secrets and Alibaba Cloud credentials (which had no permissions).
- ClubWPT patched the vulnerability, confirmed it was never maliciously exploited, and made the affected host inaccessible and non-reproducible.
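The two leaks in the key points above (an internal hostname shipped in front-end JavaScript, and a .env file sitting where the web server could serve it) can both be caught before release. The following pre-deploy check is an added example, not code from ClubWPT or the researchers; the allow-listed domain, the sample bundle and the file list are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumption: the only domain this front end is expected to reference.
ALLOWED_SUFFIXES = ("example-poker.test",)
# Dotfiles that must never end up in a web-served deploy artifact.
SENSITIVE_NAMES = (".env", ".git", ".htpasswd")

URL_RE = re.compile(r"""https?://[^\s"'`<>\\)]+""", re.IGNORECASE)

def host_allowed(host, allowed=ALLOWED_SUFFIXES):
    """True if host equals an allowed domain or is a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in allowed)

def unexpected_hosts(bundle_text, allowed=ALLOWED_SUFFIXES):
    """Hostnames referenced in a built JS bundle that fall outside the allow-list."""
    found = set()
    for match in URL_RE.finditer(bundle_text):
        try:
            host = urlsplit(match.group(0)).hostname
        except ValueError:  # malformed URL fragment in minified code
            continue
        if host and not host_allowed(host, allowed):
            found.add(host)
    return sorted(found)

def deployable_secrets(paths):
    """Paths in the deploy artifact with a component such as .env or .env.production."""
    def is_sensitive(part):
        return part in SENSITIVE_NAMES or part.startswith(".env.")
    return sorted(p for p in paths if any(is_sensitive(x) for x in p.split("/")))

# Constructed sample input: a bundle with one leftover development hostname,
# and a deploy directory listing that still contains environment files.
SAMPLE_BUNDLE = '''
window.__ENV__={API_BASE:"https://api.example-poker.test/v1",
ADMIN_URL:"https://coin-admin.staging.vendor-dev.example/login",
CDN:"https://static.example-poker.test/app.js"};
'''
SAMPLE_FILES = ["index.html", "static/app.js", ".env", "api/.env.production"]

if __name__ == "__main__":
    print("hosts outside allow-list:", unexpected_hosts(SAMPLE_BUNDLE))
    print("secret files in artifact:", deployable_secrets(SAMPLE_FILES))
```

Run as a CI step, a non-empty result from either function is a reason to fail the build.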