F-2026-0006 · authorization-error

WebSocket crash events broadcast to all clients without subscription enforcement

Tags: Fixed · pentest · typescript · backend
TL;DR

Crash game events broadcast to every connected WebSocket client regardless of whether the client had subscribed to that game stream, leaking gameplay data and amplifying bandwidth/DoS exposure.

Severity
MEDIUM
Impact
MEDIUM
Likelihood
HIGH
Method
Manual review
Complexity
LOW
Exploitability
HIGH

Description

The WebSocket layer broadcast Crash game events to all connected clients without checking subscription state. Subscription was implemented client-side only; the server did not filter outbound events by subscription.


Impact

  • Privacy leak: Per-client gameplay events visible to every connected user.
  • Bandwidth amplification / DoS risk: Increased outbound bandwidth per backend event, scaling with connected client count rather than subscribed client count.

Recommendation

Maintain server-side subscription state per WebSocket connection. Only emit events to connections that have explicitly subscribed to the relevant channel. Add per-channel rate limits and authentication checks at subscription time, not just at connection time.
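The pattern the description and recommendation contrast, as an added TypeScript example (not Fair Casino's code or the auditor's): a hub that keeps subscription state per connection on the server, authorises and bounds subscriptions at subscribe time, and fans an event out only to the subscribed set. `broadcastAll` reproduces the vulnerable "send to every connection" behaviour for comparison. The `Conn` shape, the channel names, and the per-connection subscription cap (a simple stand-in for a real rate limiter, which would also be time-windowed) are assumptions.

```typescript
// Added example: server-side subscription enforcement for a WebSocket hub.
// Conn, channel names and the subscription cap are assumptions, not the project's API.

interface Conn {
  id: string;
  userId: string | null; // null = connection has not authenticated
  sent: string[];        // stand-in for ws.send(); captures outbound frames for inspection
}

type Channel = string;

// The server decides whether a subscription is accepted; the client only asks.
type SubscribeResult = 'ok' | 'unauthenticated' | 'rate_limited' | 'already_subscribed';

class Hub {
  private conns = new Set<Conn>();
  private subs = new Map<Channel, Set<Conn>>();
  private subCounts = new Map<string, number>(); // subscriptions held per connection id

  constructor(private maxSubsPerConn = 5) {}

  connect(conn: Conn): void {
    this.conns.add(conn);
  }

  // Drop the connection from every channel so a closed socket never stays subscribed.
  disconnect(conn: Conn): void {
    this.conns.delete(conn);
    for (const set of this.subs.values()) set.delete(conn);
    this.subCounts.delete(conn.id);
  }

  // Vulnerable pattern from the finding: every connected client receives the event,
  // so outbound volume scales with connection count, not subscriber count.
  broadcastAll(event: string): number {
    for (const c of this.conns) c.sent.push(event);
    return this.conns.size;
  }

  // Authentication and the per-connection bound are checked at subscribe time.
  subscribe(conn: Conn, channel: Channel): SubscribeResult {
    if (conn.userId === null) return 'unauthenticated';
    const held = this.subCounts.get(conn.id) ?? 0;
    if (held >= this.maxSubsPerConn) return 'rate_limited';
    let set = this.subs.get(channel);
    if (!set) {
      set = new Set<Conn>();
      this.subs.set(channel, set);
    }
    if (set.has(conn)) return 'already_subscribed';
    set.add(conn);
    this.subCounts.set(conn.id, held + 1);
    return 'ok';
  }

  unsubscribe(conn: Conn, channel: Channel): boolean {
    const set = this.subs.get(channel);
    if (!set || !set.delete(conn)) return false;
    this.subCounts.set(conn.id, (this.subCounts.get(conn.id) ?? 1) - 1);
    return true;
  }

  // Hardened fan-out: only connections subscribed to this channel receive the event.
  emit(channel: Channel, event: string): number {
    const set = this.subs.get(channel);
    if (!set) return 0;
    for (const c of set) c.sent.push(event);
    return set.size;
  }
}

// Constructed scenario: two authenticated users and one anonymous socket.
function demo(): { vulnerable: number; hardened: number; rejected: SubscribeResult[] } {
  const hub = new Hub(2); // cap of 2 subscriptions per connection for the demo
  const alice: Conn = { id: 'c1', userId: 'alice', sent: [] };
  const bob: Conn = { id: 'c2', userId: 'bob', sent: [] };
  const anon: Conn = { id: 'c3', userId: null, sent: [] };
  [alice, bob, anon].forEach((c) => hub.connect(c));

  const vulnerable = hub.broadcastAll('crash:round-1:tick'); // 3: everyone, including anon

  const rejected: SubscribeResult[] = [];
  hub.subscribe(alice, 'crash:round-1');                 // ok
  rejected.push(hub.subscribe(anon, 'crash:round-1'));   // unauthenticated
  hub.subscribe(bob, 'crash:round-2');                   // ok
  hub.subscribe(bob, 'crash:round-3');                   // ok (cap reached)
  rejected.push(hub.subscribe(bob, 'crash:round-1'));    // rate_limited

  const hardened = hub.emit('crash:round-1', 'crash:round-1:cashout'); // 1: alice only
  return { vulnerable, hardened, rejected };
}
```

`broadcastAll` and `emit` return the number of receivers, which is the metric the finding's bandwidth point turns on: the hardened path is bounded by subscribers of one channel, the vulnerable path by every open socket.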

Fair Casino: Fixed. Zealynx: Verified.

Status
Fixed