Skip to main content

2 posts tagged with "ciV-73"

View All Tags
MissedRemote access★ Pinned

XPoint / Bet365 NJ: macOS↔macOS RDP via Tailscale + Screen Sharing undetected

Xpointbet365
xpointbet365-njrdptailscalemacos-screen-sharing

Source. May 26, 2026 weekly sync.
Ticket. CIV-73: Bet365 NJ — Remote Desktop via macOS Screen Sharing (XPoint).

What we tested

A common fraud pattern: one computer remotely controls another computer in a different location to place bets. We tested whether Bet365's geolocation provider could detect this when the operator runs on XPoint (Bet365 NJ).

Stack used:

  • Tailscale — a networking tool that connects two computers over the internet as if they were on the same local network.
  • macOS Screen Sharing — Apple's built-in remote-desktop feature, driven through the Tailscale link.

What happened

  • Tester accessed Bet365 NJ from a different physical location through the macOS↔macOS remote session.
  • XPoint failed to detect this remote-access method. Bets were placed without interruption.

Why it matters

This is a clean compliance gap on a vector specifically targeted by remote-betting fraud. The bypass uses entirely off-the-shelf, legal tools — Tailscale and a feature already built into macOS — with no exotic configuration.

Follow-up testing across Radar, OpenBet, and GeoComply-integrated clients has been requested to scope whether this is XPoint-specific or a broader macOS RDP detection gap across providers.

Cross-reference

Xpoint profile → · May 26 weekly sync →

MissedRemote access★ Pinned

XPoint / RSI BetRivers NJ: Tailscale RDP fails detection in most cases, bypass-by-logout

XpointRushStreet Interactive (BetRivers)
xpointrsi-betrivers-njrdptailscaleciV-73

Source. May 19, 2026 weekly sync.
Ticket. CIV-73: BetRivers NJ — RDP via macOS.

What we tested

Remote desktop access against the RSI BetRivers New Jersey XPoint deployment, driven from macOS via Tailscale. Two distinct attack methods were exercised:

  1. Brief one-time approval — first-touch remote-session setup requires a single approval prompt at the controlled device.
  2. Fully unattended — no prompt, no human interaction required at the controlled device after initial enrolment.

What happened

  • Most cases: not detected. XPoint failed to flag Tailscale-based remote access in the majority of runs, allowing bets to be placed from a physically separate location.
  • When detection did trigger: inconsistent and trivially bypassable. Detection events did not persist — logging out and back in cleared the restriction and the session continued.
  • Both attack methods confirmed. Both the one-time-approval path and the fully-unattended path placed bets successfully.

Why it matters

This is the second cross-state confirmation of XPoint's RDP detection gap, alongside the FaceTime RDP failure at RSI Delaware (Apr 7). The gap is structural, not state-specific — RSI deployments in multiple states (AZ, DE, NJ) all show the same pattern.

Combined with the Bet365 NJ Tailscale + RealVNC bypass on Radar this week, both challenger providers running NJ sportsbooks are blind to Tailscale- driven remote sessions.

Cross-reference

XPoint profile → · May 19 weekly sync →