Skip to main content

2 posts tagged with "underdog"

View All Tags
MissedRemote access★ Pinned

Radar / Underdog DFS: remote screen control via Tailscale undetected for 20+ minutes

RadarUnderdog Fantasy
radarunderdogrdptailscalemacos-screen-sharing

Source. June 2, 2026 weekly sync.
Ticket. CIV-81: Underdog DFS — Remote screen control via Tailscale (Radar).

What we tested

The same remote-screen-control pattern that GeoComply blocked on Bally Bet NJ this week: a tool lets one person take full control of another person's computer screen from a completely different location. The person physically in the permitted state does nothing — the remote user places all the bets. Here the target was Underdog DFS, running on Radar.

Stack: a Tailscale tunnel linking the two machines, driven through built-in screen-sharing.

What happened

  • The session lasted over 20 minutes with active remote control in use.
  • Radar did not detect or block it. Bets could be placed freely throughout.

Why it matters

This is a clear fraud and compliance gap. A user outside a licensed state can bet through a "proxy" device inside the state, with no exotic configuration — the attack uses off-the-shelf, legal tools. Operators running this integration carry regulatory exposure if the method is used by real fraudsters.

Cross-reference

Radar profile → · June 2 weekly sync →

MissedBrowser extensionCompliance★ Pinned

Radar / Underdog DFS: Chrome extension (Location Guard) undetected

RadarUnderdog Fantasy
radarunderdogbrowser-extensionlocation-guard

What we tested. Underdog DFS, browser-based Radar geolocation deployment. Installed the free Location Guard Chrome extension and reported a spoofed location.

What happened. Undetected. Radar did not flag the browser-extension spoofing.

Adjacent gaps from the same test (April 28 weekly).

  • Device-counting logic flaw — every login at Underdog is recorded as a new device, regardless of whether the device has been seen before. Inflates device counts and prevents multi-account detection — significantly weakening fraud detection.
  • Border crossing — testing confirmed users can continue placing wagers for approximately 1 minute after entering a restricted zone before Radar intervenes. Regulatory compliance risk.
  • Increased geolocation frequency + buffer-zone false positives — no single-license support; more frequent checks; unnecessary failures.
  • Loss of meaningful error messaging — generic error messages for all geolocation failures post-GeoComply switch; ability to self-troubleshoot eliminated; support contact volume likely up.

Why it matters. A free Chrome extension that anyone can install defeating Radar's regulated-DFS deployment is the entry-level sophistication. The device-counting flaw makes multi-accounting effectively free. Bundle these into the Underdog talking points.

Radar profile →