The online poker room Lock Poker is once again making headlines for all the wrong reasons. This time, the issue at hand is a potentially damaging password security flaw. The problem was brought to light on March 11th by a poster on the TwoPlusTwo forums who goes by the screen name deafeye. According to him, someone who is properly motivated would be able to see players’ passwords.

“Lock Poker is tightly integrated with their casino. A while back, that was the only way to deposit for non-Visa card holders in the U.S.,” he began. “After you log into Lock’s casino, right click and hit ‘View Source’ (on the non-flash part). You will be shocked to see your password in plain text inside the source. No encoding, no encryption, just plain text. It also means they store your password in plain text for anyone on the Lock team to see.”

A short time later, deafeye posted the relevant lines of code, which clearly showed entries for “user,” “sPassword,” and “IP.” He had, of course, removed his password, while a forum moderator deleted his screen name and IP address just to be safe.

Forum member “Whitelextown” disputed one point deafeye made, saying that the password is encrypted on Lock’s end and that the site is an “https” site, meaning that the information is, in fact, transmitted securely. According to Whitelextown, the plain text that is seen in the code comes from a “generated cookie” on the player’s computer. He said, however, it is akin to “having your social security number on your license plate.”

Further frustrating deafeye was the fact that he told Lock Poker about this in June of last year, but the issue still did not appear to have been corrected.

A few hours after the original TwoPlusTwo post, Lock Poker Room Manager and well-known player Eric “Rizen” Lynch responded, saying, “RTG (the casino side) pushed an update that broke our encryption. We have since pushed a software update out that fixes this. When it was originally reported (what OP in original thread is referring to), we fixed it and then when this new update was pushed, it broke it again.”

Lynch elaborated, “We have taken steps to ensure that future updates won’t cause this to happen again. No one should be seeing it anymore, and if for some reason someone does, please let me know about it ASAP so I can have the appropriate people look at it.”

On Monday, Lynch added that the Lock Poker security team has implemented one-time authentication tokens for all flash games. However, his explanation did not go over well. deafeye, in particular, got even more fired up. He announced that he would try to de-compile and then reconstruct Lock’s casino games to show that the site can be hacked.

If he accomplishes the task, he will test it only on play money servers, but will also release his solution on TwoPlusTwo so that others can not only take a look, but also use it however they would like.
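As an added illustration (not code from Lock Poker, RTG, or the forum thread), the sketch below shows the general idea behind a one-time authentication token: the page handed to the game client carries a short-lived, single-use random value instead of the password, and the server keeps only a hash of it. The class name, the `launchToken` field, and the 60-second lifetime are assumptions made for the example.

```python
import hashlib
import html
import secrets
import time
from urllib.parse import quote

TOKEN_TTL = 60  # seconds; assumed lifetime, not a value from the article


class LaunchTokenStore:
    """Hypothetical server-side store for single-use game launch tokens."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._pending = {}  # sha256(token) -> (user, expires_at)

    @staticmethod
    def _digest(token):
        # Only the hash is kept, so a dump of the store yields no usable tokens.
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user):
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._pending[self._digest(token)] = (user, self._clock() + TOKEN_TTL)
        return token

    def redeem(self, token):
        # pop() makes the token single-use: a replayed value finds nothing.
        entry = self._pending.pop(self._digest(token), None)
        if entry is None:
            return None
        user, expires_at = entry
        return user if self._clock() <= expires_at else None


def render_launch_page(store, user):
    """Build the markup given to the game client; no password field appears."""
    flashvars = f"user={quote(user)}&launchToken={store.issue(user)}"
    return f'<param name="flashvars" value="{html.escape(flashvars)}">'


if __name__ == "__main__":
    store = LaunchTokenStore()
    print(render_launch_page(store, "player1"))  # constructed sample user
```

Anyone who views the page source sees only a value that expires within a minute and stops working after its first use.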

This is not the first time Lock Poker has been embroiled in controversy. Last year, sponsored Lock Poker pro Jose “Girah” Macedo won the Bluff Pro Challenge, which was co-sponsored by Lock Poker and held on its site. Soon thereafter, Lock disqualified Macedo, citing violations of Lock Poker rules, specifically including “computers at multiple locations logging in and playing on his account.”

Later, online pro Haseeb “Dogishead” Qureshi admitted to chip dumping $100,000 to Macedo during the competition. Although the poker room had already disqualified Macedo, it never specifically said anything about the chip dumping, going so far as to say that he actually “won enough money from his own IP to have legitimately won the challenge.”