Bitcoin Forum

Hey guys,

After many months of www.magicaldice.com being in development we are finally excited to announce we're close to the finish line and expecting to launch on the 1st of September! We plan to be doing A LOT of giveaways and crazy signature campaigns so make sure you keep a look out!

Firstly before we can do any of that, we need your guys help. We'll be opening up our website for beta-testing for 2-3 days. This will be the time-frame we have to fix any issues and make improvements. So go on over and take a look at our website. If you can find any bugs/improvements that we like then shoot me a pm and we'll be sure to send you some BTC.

There isn't a set bounty for each bug you find. Depending on how severe the bug is we will accommodate you accordingly. Same applies to how good your improvement idea is :)

If you want some fake bitcoins to play around with then post your MD username below (You can't withdraw these coins) ;)

Our website - Www.magicaldice.com

Bounties paid so far -
-NLNico
-Monoko
-Everaja
-Discovercebu
-

Balace error ,
I claim 500 satoshi and bet 500 sat , balance becomes 1 BTC :D

https://i.imgur.com/teG5qCO.jpg

Haha that's because I set your balance to 1 BTC :P

My bet is always to win , what this part of the promotion :D

sure i want some free btc :D
katerniko1
regards.
-Katerniko1

at bottom of your site there is bitcointalk button witch should lead to your thread i think.
and it lead only to gambling section...
:)
regards.
-Katerniko1

Yeah that will be changed when we officially launch which will hopefully be 1st of September if we don't run into any problems during this beta test :)

Probably found a serious security vulnerability, will PM.

Hi Stars !!  There are lots of security Vulnerability in your site a Rouge Coder can ******** Your site as they did with Luckybit earlier (No hard feeling).

Just Found Two Run Time Errors taht can be fatal from Point of view of your business.
#Bug 0:(noobs Bug)
Bet can be placed even the bet amount is zero  :-X
#Bug 1:

I would like you to take you back to few months back may be much more , i guess all guys reading this may remember that once the blockchain.info "latest Transaction" were filled with transactions of Luckybit Blue or red or green...
They were all because before luckybit coders used Instance variable rather than class variables to make a Bet and stored them in Tables(DB) as a instance variables , Instance variables are easy to inject and can be spoof the database for ,say 1-2 seconds to even 3-4 hours until the database refresh(If another guy make a bet after me in "t" time then the database will refresh in "t" time) , assume if it is night and no one is playing on your site means the database is not refreshing and someone rouge comes to your site and played that trick then he has a lot of time to withdraw as no one is playing n your site and the withdraw(if auto) then you can loose a big amount , i remember that some one withdrew 65 btc from Luckybit with this method and im sure he might be reading this.
How i found this in your site with that method:

#Bug 2:
I had initially 0.000005 Btc from Faucet , I played Two bets but Your database is showing Just 1 bet placed and it is showing my balance 0.000003 , How it can be Posiible , if i played only one bet that was default worth 0.000001BTC , then my balance must be 0.000004 btc not 0.000003 btc , i Guess this error is due to
1. I went to your site and got registered.

2.I went to faucet and claimed 0.000005 btc

3.I payed two times but your database is showing only one time , in which runtime error occured and it deduced the balance but didn't put the bet in bet history table and deduced the 0.000001 btc x2 , The current bet section showed i won but the roll under/above showed that i lost , How two things are possible but as soon as the other guys placed the bet the database was refreshed and i was again showed lost.


http://s15.postimg.org/c7ia9htpn/Screenshot_85.png

direct image link:   http://postimg.org/image/vpcxpfqnb/
See bet 12206 roll was under but it stated i won , after some time it was corrected as others put their betting after me.


http://s22.postimg.org/fpi8p58dd/Screenshot_86.png
My balance shows 0.000003 btc but i played only one bet according to your bet history table(of 0.000001), then where is the another 0.000001 btc ,this is because of enableviewstate i already mentioned it in above.


I guess if user Ecuamobi can Put some light here then it will be much appreciated, as he same from the coding background.

I guess i have said and given two bug reports:
Let me know if You are on your words.

username:Jamest

http://postimg.org/image/69qvedr9v/


This new shit, I'll play here, hopefully this can form the best place

hi.. i want to try the free btcs.
 username :tetay14

name magicaldice :yolanda
 ;D

i like .magicaldice

Mostly non-security related, but still important:

- New account, "Login link" doesn't work. If this is already fixed, make sure to hide and disable the "Login link" for people who have a password. Ideally you have a 2FA option too.
- The popups/iframes like user/bet info, provably fair, tip history, etc. also load all the JS. This means they are also loading all the AJAX requests for bets/stats every second etc. (while these frames don't need that data.) You should save both you and the user some resources/bandwidth by not making these useless requests ;)
- You should force SSL.

I guess all that site including all JS to load simultaneously at the background while the user only see a splash-screen as the dev of Primedice have done.

hi.. admin, settings in chat like this..

 Show my big wins in chat

 Show my big losses in chat

i disable it but still showing in my chat box. pls check it. thanks.

Not sure what you mean. On MagicalDice most popups actually load a new page in an iframe. This iframe contains all the Javascript files that also load all the bets/stats/etc through AJAX. This iframe however, does not need this data. I was wrong about "user/bet info" actually, but still many popups do this: Account setting, Provably fair, My transcactions, My tips, Chat Settings, ...

Just registered there
My username: orryde

Thank you

I have just created my account there but there no faucet so how to get free coins to test this brand dice site,
Edit : faucet button right down in the balance.

Username : trafficolaa

I appreciate everybody that has found bugs/actively looking for bugs. You will be paid a bounty once our dev has fixed the bug(s). Thanks :)

I came to know about bug bounty after having registered under username '' boopy'' I am trying to test and finf the bug.Everyone best of luck to help the OP by finding bugs and win.

Test

register there and such a good moderation and site graphics Nice:P

but need to some update on site like when we get tips no notification come on the bottom of the site page.should need to fix a bar for tip notification when we get tip.this will be looking more comfortable when anyone get a tip  and there are one problem is on chat.there are no limit for message.myself message such a big sentence.so should prevent unlimited message space should prevent from spamming.we should easily write a composition on the chat this will made a more spam on there.hope u understand. ty admin.
 
username on MD: showrov1993
thnx :)
regards .

Username limit should be increased else usernams like this will mess the board

https://i.imgur.com/jBedD0K.png

guys... i think i saw a bug with the fancy rolling.. i keep on playing on fancy rolling but it does not appear on "MY BETS" i tried it a lot of ties.. but really not apper. hope you can fixed this also.. goodluck.
and i cant see it also in ALL BETS AND HIGH ROLLERS... I TRY BET 1 BTC. I CHECK all but not appear..but my balance is moving. up and down when betting.

When you re-fresh the page does it show up then?

That problem first i reported in chat why we have to refresh the page to see bet result into my tabs so it need to get fixed to continue uninterpreted betting on the way, i think when we have to stop and refersh the page to see this that break the rhythm of betting. ;) 

oh yeah i saw it now. but i refresh it. 3  times to see it...  :-[

i would like to try find bugs thanks. Username: Pimpsta

tipping everyone who talks in the chat for more testing=)

Just to clarify: LuckyBit has never been exploited or attacked in this way. It's even impossible as you cannot "withdraw" from LuckyBit - this is also why user funds cannot be endangered on LuckyBit: we simply do not hold any bitcoins of our users (the advantages of onchain gambling). You must be confusing sites.

let me try it with your free BTC..
username : nekochan05

tipped

hi... why is it i cannot message in chat now.. but earlier its all fine...

Are you still having trouble talking in the chat? Seems to work fine for others.

 ;D i get bug

what bug you see?just post in here if you had a bug

Well when you bet you can hit the regular dice rolls then fancy rolls then click regular rolls as many times as you can and they all the bets are placed even though its still "shuffling machines"which aint right

https://i.imgur.com/XEONU4l.png

There is a bug with the max bet...
The bet takes place when i play with 2 BTC but it isnt working when i use 2.9 or more than that... i dont know why :)

yea its not a big issue we have something for that on v2, thx for your efforts!

since today our max win system and our chat pms are not working for some reason, waiting for the dev.

troubleshooting target: fountain (for abuse potential)
exploit found: captcha bypass assuming 0 balance

with any of the three adblock extensions enabled, captcha is checked after simply clicking (no selecting images) so long as balance is 0 - this enables me to use autokey (autohotkey on windows) to continually through automated click-events, claim 500 satoshi and bet it at an absurd multiplier until i essentially steal 55k satoshi by recording a few mouse click events and retiring to the opium den until autokey alerts me that i've succeeded in ripping off your fountain.

https://i.imgur.com/NtI5OnC.png

(difficult to take a screen of something NOT happening, but all i have to do is click the human verification and it accepts as if i had completed a captcha, then allows me to claim)

note that once the balance is over 0 the captcha modal window does appear and does not award additional coin upon completion. it simply allows for an automation scheme if the user bets all 500 satoshi at 1% odds / 99x multiplier.

software tech specs: debian-ish linux running chromium/webkit-based browser using stock adblock plus extension out of chrome app store

ok!

- Lyco / user "harlequence" on magicaldice
- Joshua Ryan Nydel - nydel at ma dot sdf dot org for mail

that comes from the houseedge I am sure or if you mean something else please be more detailed=)

Ok waiting for the dev to check it

troubleshooting target: host filesystem data
issue found: redundant local cookies

upon modification, the cookies user_name and user_password simply duplicate themselves on next visit, surely on order of the PHPSESSID.

https://i.imgur.com/bR8Av9g.png

https://i.imgur.com/SCDrcBU.png



ideally this should be the only client-side cookie necessary (that containing the php session id):


https://i.imgur.com/z0f4xpO.png


i was unable to identify the hash algorithm used to generate the value stored in user_password but it is 40 characters long which leads me to believe it's not a fixed compression. unless the function is an original - as opposed to a publicly-known algorithm or the use of two one-way cryptographic hash functions - i have no doubt that a malicious person would be able to, after pulling the data from a compromised client-side filesystem, use typical brute-force methods to reverse-encrypt-and-match the password.

if done on a large scale, through the use of something like a freely-downloaded "bot for magicaldice.com" piece of sh't or whatever, or through the use of range-control virus/worm infection (targets selected through the likeliness that they are members of magicaldice) then of course this means the unethical a-hole engineer behind the attack would be able to log in as and empty the wallets of any user either a) simple enough to run microsoft windows as an operating system b) stupid enough to run a binary file on their personal computer without access to the source.

while i can't imagine the necessity for either of these cookies, if there is for them in fact a use, then i would recommend renaming both of them to less-obvious targets for a thief, and using a one-way encryption on the value of user_name as well (it is currently simply the unmodified username).

- Lyco / user "harlequence" on magicaldice
- Joshua Ryan Nydel - nydel at ma dot sdf dot org for mail

non-urgent gui issue: private message modal doesn't disappear after message is sent. if this is intentional, the value of the message textbox should reset to blank after a message is sent (see a few messages up, "..it's HUGE trouble, man can you..." was sent twice && as you can see the text of a sent message remains in the modal in the screengrab after it is sent and appears in chat):

https://i.imgur.com/RW493Yu.png

ok!

- Lyco / user "harlequence" on magicdice
- Joshua Ryan Nydel - nydel at ma dot sdf dot org for mail

That is with reCaptcha. That is completely not related to the site.  8)

Oh wow, this is necessary? Ok:

While aware that a third-party captcha service is being used, the site's design to award 500 satoshi to anyone with a balance of 0 presents a unique risk.

Since the third-party service is in fact very much related to the site, and the exploit cannot happen without the site's design in relation to the captcha service's problem, we are left with two options:

1) Do something to make sure nobody's using this exploit.
2) Tell Lyco that this is an issue "completely not related to this site" and make him write this, then do #1 anyway.

ok!

- Lyco / user "harlequence" on magicdice
- Joshua Ryan Nydel - nydel at ma dot sdf dot org for mail

This is because of Google linking you to your google account. Honestly you can't do much with that anyway. You can't withdraw those 500 satoshis, and if you can't get more until your balance hits 0, then it's not exactly helping you any more than an annoying full validation captcha would.

Fixed.

my preliminary model of a malciious person's autokey script is set to claim the fountain's 500 satoshi then bet it at 1% until it wins twice in a row.

this would total 0.04900500 BTC.

it can complete the first bet around 6 times per minute - though i estimate that rate could be near doubled on a dedicated machine - and a malicious person's otherwise-idle laptop(s) -- not a malicious person, but simply their otherwise-idle laptop -- could run it all day, every day, for as long as you guys are online.

with no offense meant whatsoever, i honestly cannot tell if you simply don't understand the severity of this exploit, or if rather you think that the exploit's ingenuity renders it too unlikely to pose a threat, or if you simply don't want to acknowledge my work in order to avoid paying bounty. regardless, i signed on to answer a distress call & take an opportunity to ethically utilize my expertise in the field, and i simply don't do half-ass jobs. you have a very serious exploit that involves an opportunity for a determined person to take money directly from your organization with no consequences, and i'm the one who noticed it, so it's my obligation to do this:


proposed methods of prevention

intended to stop the exploit before it has time to yield results:

method 01: put a time restriction on fountain queries.
detail: the most efficient implementation of this theory starts with a 15 second clock and doubles the countdown timer length every time a claim is made in less than double the current countdown time.
advantages: completely disable the exploit
disadvantages: threaded timer processes could stress resources or even allow for a special type of organized attack - the odds of this are close to negligible, and the consequences would simply be a slowdown in the site's performance or at theoretical worst a bandwidth overload.

method 02: periodically scan for 500 satoshi bets at odds percentages under 05.
detail: every 15 minutes, scan the bet database's appended entries for bets that meet these criteria: a) amount is less than 501 satoshi b) odds are equal to or below 5% - next the results matching criteria a & b count the userid column for repeats. any user appearing in the result list over 50 times (arrived at this figure assuming ~3 to 4 bets per minute) is flagged as using the exploit then dealt with accordingly (account disabled, either permanently or perhaps for 60 minutes in the case that the criteria leave any room for mistake).
advantages: organization is likely to successfully hide from the exploit indefinitely, and save on computer power usage as compared with that of method one
disadvantages: allows users to run the exploit at a slower speed with no consequences.


i would recommend the first method or a combination of the two over the second method by itself. ignoring the exploit is indeed a third option, but i think my obligation ends just before a blitzkrieg attempt at making sure it's understood how dangerous that is.


let me know if there's anything else/anything i can do to help further/help!.

ok!

- Lyco / user "harlequence" on magicaldice
- Joshua Ryan Nydel - nydel at ma dot sdf dot org for mail

troubleshooting target: betting calculations
issue found: discrepancy between multiplier/odds depending on which one user submits

for example, while entering 49.50 as my odds should yield a multiplier of 2.0, it yields 2.00020, & pays me, as demonstrated here (see most recent two bets):

https://i.imgur.com/2Ifa1fh.png

a minor issue in the wildly-short term, but likely easily-fixable.

ok!

- Lyco / "lyco" on magicaldice now as i apparently forgot "harlequence" password
- Joshua Ryan Nydel - nydel at ma dot sdf dot org for mail

Hey, I am liking this website - seems pretty stable. When testing it this morning I only came across 2 bugs which need to be fixed:

1. Max bet limit [FIXED BY KALE]

When betting through the website the max accumulated profit is 5 BTC if you put the wager and profit together. For example, if you try betting over 2.5 BTC on the x2 multiplier you get this error:

https://i.imgur.com/SNOR7mr.png

However when I dug deeper into the code, I noticed this check was being done client sided in both of the roll button event handlers.
So what I did instead was made a PHP script which contacted the server directly to make the bet, where the wager itself was over 5 BTC. This ended up going through successfully:

https://i.imgur.com/GwBTkIj.png



2. Autopilot Bug

When testing out the increment feature on autopilot I noticed another unusual occurrence. I set the start bet to 0.01 BTC and on loss told it to increase by 100%; after a few runs on this setting, I noticed autopilot bet the same amount on win twice after it lost the initial 0.01 bet. (Autopilot also lagged a couple of times, which may of caused this to happen)

https://i.imgur.com/MTSzTxs.png


That's all from me :)
 

clap clap! that php impostor-script exploit is brilliant.

by the by, re issue #2: earlier today another user tried automated betting, and the option to reset to base after a win was defective, betting and losing double once after a win before then resetting to base as the user programmed it to do. i haven't been able to clone that event or any of the other autobet errors, which leads me to believe they're based on latency issues.

@lyco yes I believe so to, that issue has something to do with connectivity as it occurred on a lag. After getting that issue popping up it's been difficult to make it arise again. :)

how long again launcing ?

Hit me up when i have time i will check if there is any bug in your website, i would be happy to find one

We will be launching in roughly 24h from now!

Will bounty be distributed for bugs before launch or after launch.
On behalf of all Bug finders i request you to mention the names of the guys who found bugs in OP as your list there is still blank.

Good Luck for the Launch , hope to enjoy. :P

Hey Lyco. I'm not sure how your "exploit" is a problem. I just checked, and most other BTC dice site's with a faucet, including PrimeDice, and Rollin.io, uses the exact same captcha, and similar static timer. You can't make another claim within 3 minutes of the previous.

If it's so easy to turn 0.00000500 into 0.049, then why do you need to abuse the faucet anyway? From that 0.049 you could make close to 10,000 500 whole satoshi bets.

I could understand if it was bet>instant claim>bet repeat etc. but you can't do that, you have to wait 3 minutes before you can claim again.

Hey Kuz here with another update. Testing the autopilot system again this morning I seemed to have found another bug, very minor but yea.

With Autopilot if you was to reach the max bet limit during a single run, the max bet limit popup won't display and autopilot would continue to run performing no bets. As you can see in the screenshot below, I set my autopilot to a basebet of 0.1 and lost all the way to 1.6; i can't perform a 3.2 BTC bet as it exceeds the max bet limit of 5 BTC, so in reality I should be getting the max bet limit popup error... but I don't:

https://i.imgur.com/DraYaMM.png


[FIXED BY SOMEGUY123]

I already can not wait for this dice
username magicaldice: septianuciha  :-*  :-*  :-*
I will wait for his birth magicaldice

at the time of my original faucet-exploit post the 3-minute static timer was not operating.

username:
Zakorus. i hope to find some bugs :D

gonna go live soon, we also cant wait ourselfs to finally launch!

We'll be live within 30 minutes! Make sure you're around, lots of giveaways within the first few hours!

What's going on there?
I have setting my email and it's good running well

I think the "start screen" has a username min. limit of 4 characters and the "name change sceen" has a min. limit of 5 characters.

I found this in chat box

https://i.imgur.com/Icehih3.jpg

That was a temporary issue while we were correcting some database settings. Shouldn't happen any more.

I'll look into that

yeah, Stars, you never pay me any particular bounty yet as I sent to you the error (or bug) (whatever you call it) thru' a link(screenshot) in the chat i've reported to you the other day and i still have it in store. Are you really on your word? but still waiting for it(the bounty)until i got it anyway tyvm in advance.

-KOZO-

p.s. please remember me. c ya around sometimes. magicaldice is owesome..!

I have found 1 bug (reported to Stars) but never given any particular "bounty" yet.! poor me

-KOZO-