Bitcoin Forum

Bitcoin => Development & Technical Discussion => Topic started by: ZIGGAP on January 02, 2013, 11:32:48 PM



Title: [CLOSED] ZIGGAP crowd sourced security auditing. 80.5 BTC in potential winnings!
Post by: ZIGGAP on January 02, 2013, 11:32:48 PM
This is now closed.

We had about a dozen different vulnerability scanners run against the site, 5 Google Apps password resets, someone using a proxy which lets them change things en route, attempted CSRF attacks, SQL injection attacks, and more.

There were no breaches of security.





First flag claimed! fcmatt located the BTC0.5 flag located in the ToS




ZIGGAP LLC has entered into its crowd-sourced security auditing phase. Up for grabs are BTC80.5 in possible winnings.

Hidden in multiple sensitive locations of ZIGGAP.com's website and servers are several strings or "flags". All of these strings start with secret_ . Each string is worth BTC10 . Except for one of them. It's significantly smaller. If you find it you'll know why.

If you locate any one of these strings just send us an email to info@ziggap.com with the exact steps you took to compromise the server or site and the exact string which you located. The first person to send us a string gets the winnings for it.

D/DOS attacks will NOT qualify you for winnings. These are not security breaches.

This contest starts now and ends in 48 hours.

Please note: Any orders you create will not be charged in reality. Any orders created now are for testing reasons only.


Good luck.



-ZIGGAP


Title: Re: ZIGGAP crowd sourced security auditing. 80.5 BTC in potential winnings!
Post by: fcmatt on January 02, 2013, 11:39:56 PM
found one. reported to you.


Title: Re: ZIGGAP crowd sourced security auditing. 80.5 BTC in potential winnings!
Post by: ZIGGAP on January 02, 2013, 11:41:28 PM
found one. reported to you.

fcmatt found the 0.5 bitcoin string located in the terms of service.

I wasn't sure if anyone was actually going to read it.

Bitcoin address please?


Title: Re: ZIGGAP crowd sourced security auditing. 80.5 BTC in potential winnings!
Post by: fcmatt on January 02, 2013, 11:45:23 PM
found one. reported to you.

fcmatt found the 0.5 bitcoin string located in the terms of service.

I wasn't sure if anyone was actually going to read it.

Bitcoin address please?

18MjdXpTyek3ESTPc2HCQnATv1jY4acUeR

Let's see where the next might hide. I knew there would be low hanging fruit to start but the rest will be tougher.


Title: Re: ZIGGAP crowd sourced security auditing. 80.5 BTC in potential winnings!
Post by: paraipan on January 02, 2013, 11:47:05 PM
ZIGGAP LLC has entered into its crowd-sourced security auditing phase. Up for grabs are BTC80.5 in possible winnings.

Hidden in multiple sensitive locations of ZIGGAP.com's website and servers are several strings or "flags". All of these strings start with secret_ . Each string is worth BTC10 . Except for one of them. It's significantly smaller. If you find it you'll know why.

If you locate any one of these strings just send us an email to info@ziggap.com with the exact steps you took to compromise the server or site and the exact string which you located. The first person to send us a string gets the winnings for it.

D/DOS attacks will NOT qualify you for winnings. These are not security breaches.


Good luck.



-ZIGGAP

Can you post all the corresponding bitcoin addresses? Thanks


Title: Re: ZIGGAP crowd sourced security auditing. 80.5 BTC in potential winnings!
Post by: ZIGGAP on January 02, 2013, 11:47:33 PM
found one. reported to you.

fcmatt found the 0.5 bitcoin string located in the terms of service.

I wasn't sure if anyone was actually going to read it.

Bitcoin address please?

18MjdXpTyek3ESTPc2HCQnATv1jY4acUeR

Let's see where the next might hide. I knew there would be low hanging fruit to start but the rest will be tougher.

Sent. TXNID c7381205d6120103fda2807f2ffdb4f107f2b413c46c7cb58fc3c36063c75a68


Title: Re: ZIGGAP crowd sourced security auditing. 80.5 BTC in potential winnings!
Post by: ZIGGAP on January 02, 2013, 11:50:33 PM
Can you post all the corresponding bitcoin addresses? Thanks

I'm not sure I understand your question. Which bitcoin addresses?


Title: Re: ZIGGAP crowd sourced security auditing. 80.5 BTC in potential winnings!
Post by: fcmatt on January 03, 2013, 12:01:05 AM
found one. reported to you.

fcmatt found the 0.5 bitcoin string located in the terms of service.

I wasn't sure if anyone was actually going to read it.

Bitcoin address please?

18MjdXpTyek3ESTPc2HCQnATv1jY4acUeR

Let's see where the next might hide. I knew there would be low hanging fruit to start but the rest will be tougher.

Sent. TXNID c7381205d6120103fda2807f2ffdb4f107f2b413c46c7cb58fc3c36063c75a68

thank you.


Title: Re: ZIGGAP crowd sourced security auditing. 80.5 BTC in potential winnings!
Post by: paraipan on January 03, 2013, 12:03:30 AM
Can you post all the corresponding bitcoin addresses? Thanks

I'm not sure I understand your question. Which bitcoin addresses?

Ok, you say the secrets are hidden on your servers:

Quote
are several strings or "flags". All of these strings start with secret_

But the bitcoins are stored in bitcoin addresses derived from those, so sharing the addresses helps us see the bitcoins really exist and verify they were really created from those "secrets" in the first place.

Edit: Hope I understood correctly the terms.


Title: Re: ZIGGAP crowd sourced security auditing. 80.5 BTC in potential winnings!
Post by: ZIGGAP on January 03, 2013, 12:06:25 AM
Can you post all the corresponding bitcoin addresses? Thanks

I'm not sure I understand your question. Which bitcoin addresses?

Ok, you say the secrets are hidden on your servers:

Quote
are several strings or "flags". All of these strings start with secret_

But the bitcoins are stored in bitcoin addresses derived from those, so sharing the addresses helps us see the bitcoins really exist and verify they were really created from those "secrets" in the first place. Hope it helps.

Apologies, it looks like there is a miscommunication. You are not hacking into the bitcoin addresses themselves. At the moment only testnet BTC are stored in our hotwallet. For example, if you manage to compromise that hot wallet and locate the secret there (there's one hint for you), and explain to us how you did it, we will send you real BTC.


Title: Re: ZIGGAP crowd sourced security auditing. 80.5 BTC in potential winnings!
Post by: paraipan on January 03, 2013, 12:07:36 AM
Can you post all the corresponding bitcoin addresses? Thanks

I'm not sure I understand your question. Which bitcoin addresses?

Ok, you say the secrets are hidden on your servers:

Quote
are several strings or "flags". All of these strings start with secret_

But the bitcoins are stored in bitcoin addresses derived from those, so sharing the addresses helps us see the bitcoins really exist and verify they were really created from those "secrets" in the first place. Hope it helps.

Apologies, it looks like there is a miscommunication. You are not hacking into the bitcoin addresses themselves. At the moment only testnet BTC are stored in our hotwallet. For example, if you manage to compromise that hot wallet and locate the secret there (there's one hint for you), and explain to us how you did it, we will send you real BTC.

Now I understand how it goes, thanks


Title: Re: ZIGGAP crowd sourced security auditing. 80.5 BTC in potential winnings!
Post by: fcmatt on January 03, 2013, 12:32:10 AM
man, made a typo when creating an order.. now making me wait forever to try again.
you should say how long a person has to wait.


Title: Re: ZIGGAP crowd sourced security auditing. 80.5 BTC in potential winnings!
Post by: TheButterZone on January 03, 2013, 01:56:11 AM
For any whitehats who don't want to use bitcoin, I will pay you http://btcticker.appspot.com/mtgox/10.00btc.png for each of the remaining "flags" that you find.


Title: Re: ZIGGAP crowd sourced security auditing. 80.5 BTC in potential winnings!
Post by: ZIGGAP on January 03, 2013, 05:54:59 PM
No security issues found so far, however several people have tried to reset our Google Apps password.


Title: Re: ZIGGAP crowd sourced security auditing. 80.5 BTC in potential winnings!
Post by: fcmatt on January 03, 2013, 08:27:44 PM
No security issues found so far, however several people have tried to reset our Google Apps password.

This type of hacking is tough.

First, a brand new linux install. No one is going to share an openssh bug for remote access for this type of money.
Let alone any webserver bug for remote access (apache/nginx). So getting in remotely the "old fashioned" way is
nigh impossible. Based on a quick scan I recall only seeing 3 ports being opened and reachable. The rest are firewalled.

Now lets talk about your website's code. It is a very simple design. The amount of pages is very small and that makes
for fewer opportunities compared to a large website with many things going on. I wanted to "buy" some bitcoins but
due to a typo in my first try it seems like it locked me out for some unknown amount of time. That alone makes me
think anyone who wants to try sql injection better have some serious time on their hands because the code will
probably reject the attempts based on some value (IP address, cookie, whatever). So your attempts will just go in
the trash and miss the main parts of the code (guessing here).

I see that you used google for your incoming email. I guess your domain is setup with them or it is forwarded to a
server which blocks port 25 for everyone except google. Well hacking google is probably not a good idea to try ;-)
and one less port to talk to (postfix I imagine). For sending only. I see you mentioned resetting of the password
for google apps. Last I checked social eng of a google support person is needed to make that happen.
See here for the trouble it takes to do such a hack: http://blog.cloudflare.com/post-mortem-todays-attack-apparent-google-app

So honestly.. the only real vector of attack that you are expecting is sql injection in my mind. And if the programmer
spent just a few hours validating user inputted data via code it will be impossible.

Unless of course you desire for the attacker to, well, attack you personally. Perhaps break into your apt/home and steal your
fricking PC. Maybe your company you work at is not as secure and you access your website from work. Perhaps you
have other projects going on that do not deal with bitcoins and are sitting on a server 5 years old. Maybe you keep something
juicy in your car. Etc... But I do not think anyone here wants to commit a felony crime for a few bucks let alone hunt you
down in this manner.

So I guess I am out of the hunt because the last major bug I found was years ago and that was for a local root.
I also think sql injection may be very time consuming to attempt based on my brief poking around last night.
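The post above names SQL injection against the order form as the one realistic remote vector and input validation as the fix. The example below is added here and is not ZIGGAP's code or fcmatt's: it runs the classic tautology payload against a constructed in-memory sqlite3 "orders" table, once through a string-formatted query and once through a bound parameter, and adds a Base58Check validator for the bitcoin-address field as a second layer (the allow-list check fcmatt has in mind). The table contents, the payload, the version-byte allow-list and the `b58check_encode` helper used to build test inputs are all assumptions for illustration. The parameterized query, not the validator, is what actually removes the injection; the validator is there so that malformed input never reaches the database at all, and it also rejects testnet addresses, which matters for a service that was running against testnet coins at the time.

```python
"""Added example, not ZIGGAP's code: the SQL-injection vector discussed in the
thread against a constructed sqlite3 'orders' table, the parameterized query
that closes it, and a Base58Check validator for the bitcoin-address field."""
import hashlib
import sqlite3

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
MAINNET_VERSIONS = (0x00, 0x05)  # P2PKH ('1...') and P2SH ('3...'); testnet 0x6f is rejected

# Classic tautology payload typed into an "address" form field (constructed).
PAYLOAD = "' OR '1'='1"


def make_db():
    """Constructed sample data: three orders from two customers."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE orders (id INTEGER PRIMARY KEY, address TEXT, btc REAL, email TEXT)")
    db.executemany(
        "INSERT INTO orders (address, btc, email) VALUES (?, ?, ?)",
        [("addr-alice", 0.5, "alice@example.com"),
         ("addr-bob", 2.0, "bob@example.com"),
         ("addr-bob", 1.0, "bob@example.com")],
    )
    return db


def lookup_vulnerable(db, address):
    """String formatting lets the field value rewrite the WHERE clause."""
    sql = "SELECT id, email, btc FROM orders WHERE address = '%s'" % address
    return db.execute(sql).fetchall()


def lookup_safe(db, address):
    """Bound parameter: the value never enters the SQL grammar."""
    return db.execute(
        "SELECT id, email, btc FROM orders WHERE address = ?", (address,)
    ).fetchall()


def _sha256d(data):
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def b58check_encode(version, payload20):
    """Build an address from a version byte and a 20-byte hash. Used here only
    to construct test inputs; in production the address comes from the customer."""
    data = bytes([version]) + payload20
    data += _sha256d(data)[:4]
    n = int.from_bytes(data, "big")
    out = ""
    while n:
        n, r = divmod(n, 58)
        out = B58[r] + out
    leading_zeros = len(data) - len(data.lstrip(b"\x00"))
    return "1" * leading_zeros + out  # each leading zero byte encodes as '1'


def is_mainnet_address(addr):
    """Allow-list check: alphabet, length, version byte and checksum must all hold."""
    if not 26 <= len(addr) <= 35 or any(c not in B58 for c in addr):
        return False
    n = 0
    for c in addr:
        n = n * 58 + B58.index(c)
    leading_ones = len(addr) - len(addr.lstrip("1"))
    raw = b"\x00" * leading_ones + n.to_bytes((n.bit_length() + 7) // 8, "big")
    if len(raw) != 25 or raw[0] not in MAINNET_VERSIONS:
        return False
    return _sha256d(raw[:21])[:4] == raw[21:]


def lookup_hardened(db, address):
    """Defense in depth: reject malformed input, then query with a bound parameter."""
    if not is_mainnet_address(address):
        raise ValueError("not a mainnet bitcoin address")
    return lookup_safe(db, address)


if __name__ == "__main__":
    db = make_db()
    print("vulnerable query leaked", len(lookup_vulnerable(db, PAYLOAD)), "rows")
    print("parameterized query returned", len(lookup_safe(db, PAYLOAD)), "rows")
```

Run as a script, the vulnerable lookup returns every order in the table for the payload while the parameterized lookup returns none; `lookup_hardened` never reaches the database for that input. A rate limit of the kind fcmatt ran into slows an attacker down, but only the bound parameter removes the bug.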


Title: Re: ZIGGAP crowd sourced security auditing. 80.5 BTC in potential winnings!
Post by: ZIGGAP on January 03, 2013, 10:15:05 PM
No security issues found so far, however several people have tried to reset our Google Apps password.

This type of hacking is tough...

We also have two-factor auth on any sensitive Google Apps accounts, all of our systems use full HDD encryption, and we take every possible step to ensure anything accessing the administrative sections of our system (or any sensitive information at all for that matter) is absolutely secure.

Even if someone broke in to our car or house there is nothing they would be able to steal that would give them access to anything sensitive.


Title: Re: ZIGGAP crowd sourced security auditing. 80.5 BTC in potential winnings!
Post by: chmod755 on January 03, 2013, 10:31:23 PM
Quote
Orders must be performed by a person under 100 years old

LOL


Title: Re: ZIGGAP crowd sourced security auditing. 80.5 BTC in potential winnings!
Post by: Mikej0h on January 03, 2013, 10:45:42 PM
Not a security flaw, but bug:
Go to Buy Bitcoins -> Select nothing ("Select payment method") -> Enter address (12gKdNCYoEZ9SfnRkiouNJV2QrCdyC8ooD) -> Error page "Bad gateway"

Edit: and please include "labels" for the textboxes, I had to look in the source which field is for what (IE)...


Title: Re: ZIGGAP crowd sourced security auditing. 80.5 BTC in potential winnings!
Post by: ZIGGAP on January 03, 2013, 10:51:10 PM
Not a security flaw, but bug:
Go to Buy Bitcoins -> Select nothing ("Select payment method") -> Enter address (12gKdNCYoEZ9SfnRkiouNJV2QrCdyC8ooD) -> Error page "Bad gateway"

Edit: and please include "labels" for the textboxes, I had to look in the source which field is for what (IE)...

The text boxes have labels in them, until you click in the text box and start typing.


Title: Re: ZIGGAP crowd sourced security auditing. 80.5 BTC in potential winnings!
Post by: BCB on January 03, 2013, 10:52:51 PM
Not a security flaw, but bug:
Go to Buy Bitcoins -> Select nothing ("Select payment method") -> Enter address (12gKdNCYoEZ9SfnRkiouNJV2QrCdyC8ooD) -> Error page "Bad gateway"

Edit: and please include "labels" for the textboxes, I had to look in the source which field is for what (IE)...

The text boxes have labels in them, until you click in the text box and start typing.

they have "placeholders" not "labels"


Title: Re: ZIGGAP crowd sourced security auditing. 80.5 BTC in potential winnings!
Post by: Mikej0h on January 03, 2013, 11:16:39 PM
Not a security flaw, but bug:
Go to Buy Bitcoins -> Select nothing ("Select payment method") -> Enter address (12gKdNCYoEZ9SfnRkiouNJV2QrCdyC8ooD) -> Error page "Bad gateway"

Edit: and please include "labels" for the textboxes, I had to look in the source which field is for what (IE)...

The text boxes have labels in them, until you click in the text box and start typing.

I understand what you mean, I see them in the source, however they do not show up in my Internet Explorer...

EDIT; see screenshot below
http://s14.postimage.org/3yoky0gyp/ziggap_screenshot.png


Title: Re: ZIGGAP crowd sourced security auditing. 80.5 BTC in potential winnings!
Post by: fcmatt on January 03, 2013, 11:37:10 PM
SSH should be using /etc/hosts.allow. No reason to let every IP connect to it.
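To see what a hosts.allow / hosts.deny pair actually does before trusting it, here is an added example (not part of the thread, not the libwrap source): a small Python model of the hosts_access(5) decision for a connection to sshd. It implements a subset of the real rules: daemon lists, `ALL`, exact IPs, `net/mask` and `net/prefixlen` client patterns, and `EXCEPT`; hostnames, wildcards and shell commands are not modelled. The two policy files and the client addresses are constructed for illustration. One caveat a practitioner would want: the order is first match in hosts.allow grants, then first match in hosts.deny refuses, and otherwise the connection is allowed, so a hosts.allow entry on its own blocks nothing without an `ALL: ALL` in hosts.deny. Also note that upstream OpenSSH dropped tcpwrappers support in 6.7 (late 2014); on a current system the same restriction belongs in a `Match Address` block in sshd_config or in the packet filter.

```python
"""Added example, not part of the thread: a model of how libwrap decides whether
an sshd connection is allowed, covering a subset of hosts_access(5): daemon
lists, ALL, exact IPs, net/mask and net/prefix client patterns, and EXCEPT."""
import ipaddress

# Constructed policy: only the office range (minus one host) and a single admin
# box may reach sshd; everything else to any wrapped daemon is refused.
HOSTS_ALLOW = """
# /etc/hosts.allow
sshd: 203.0.113.0/255.255.255.0 EXCEPT 203.0.113.250
sshd: 198.51.100.7
"""
HOSTS_DENY = """
# /etc/hosts.deny
ALL: ALL
"""


def _parse(text):
    """Return (daemons, allowed_clients, excepted_clients) per non-comment line."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        daemons, clients = line.split(":", 1)
        allowed, _, excepted = clients.partition(" EXCEPT ")
        rules.append((daemons.split(), allowed.split(), excepted.split()))
    return rules


def _client_matches(pattern, ip):
    if pattern == "ALL":
        return True
    if "/" in pattern:
        # Both n.n.n.n/m.m.m.m and n.n.n.n/len forms are accepted by ipaddress.
        net, mask = pattern.split("/", 1)
        return ip in ipaddress.ip_network(f"{net}/{mask}", strict=False)
    return ip == ipaddress.ip_address(pattern)


def _rule_matches(rule, daemon, ip):
    daemons, allowed, excepted = rule
    if daemon not in daemons and "ALL" not in daemons:
        return False
    if not any(_client_matches(p, ip) for p in allowed):
        return False
    return not any(_client_matches(p, ip) for p in excepted)


def hosts_access(daemon, client_ip, allow_text=HOSTS_ALLOW, deny_text=HOSTS_DENY):
    """libwrap order: hosts.allow match grants, then hosts.deny match refuses,
    otherwise the connection is allowed."""
    ip = ipaddress.ip_address(client_ip)
    if any(_rule_matches(r, daemon, ip) for r in _parse(allow_text)):
        return True
    if any(_rule_matches(r, daemon, ip) for r in _parse(deny_text)):
        return False
    return True


if __name__ == "__main__":
    for client in ("203.0.113.10", "203.0.113.250", "198.51.100.7", "8.8.8.8"):
        print(f"sshd from {client:15} ->", "allow" if hosts_access("sshd", client) else "deny")
    # The gotcha: without hosts.deny, an unlisted client is still allowed.
    print("sshd from 8.8.8.8 with empty hosts.deny ->",
          "allow" if hosts_access("sshd", "8.8.8.8", deny_text="") else "deny")
```

The last line of the demo is the case that bites people: with hosts.allow populated and hosts.deny empty, every unlisted client is still let through.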


Title: Re: ZIGGAP crowd sourced security auditing. 80.5 BTC in potential winnings!
Post by: paybitcoin on January 04, 2013, 05:30:48 AM
And purchase another server to run ejabberd on for frontend.ziggap.com. :) Unless that's part of the service somehow.

SSH should be using /etc/hosts.allow. No reason to let every IP connect to it.
You could also set up a service like OpenVPN (UDP + drops any packets that don't have the HMAC = very good stealth) and then SSH & XMPP inside the VPN so there are no TCP ports open to the outside world except 80 and 443.

Surface area, etc.
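The "drops any packets that don't have the HMAC" property paybitcoin refers to is OpenVPN's tls-auth: a static key shared by both ends, an HMAC (SHA1 by default) over each control-channel packet, and a packet-id for replay protection, with anything that fails the check discarded without a reply, so a UDP scanner sees the same silence it would from a filtered port. The example below is added here and is not the thread's or OpenVPN's code: it models that gate with Python's `hmac` module. The packet layout (4-byte id, payload, 20-byte tag), the two fixed 64-byte keys and the "strictly increasing id" replay rule are simplified stand-ins for OpenVPN's actual wire format and sliding window. Later OpenVPN (2.4+) offers tls-crypt, which also encrypts the control channel; the silent-drop behaviour shown here is the same.

```python
"""Added example, not from the thread or OpenVPN: a model of the tls-auth idea.
Every datagram must carry a valid HMAC and a fresh packet id, or it is dropped
without any reply, which is what makes the VPN port look closed to a scanner."""
import hashlib
import hmac
import struct

TAG_LEN = 20  # HMAC-SHA1, the tls-auth default digest

# Constructed static keys: the shared one and a wrong one for the negative case.
SHARED_KEY = b"\x41" * 64
WRONG_KEY = b"\x42" * 64


class Listener:
    """Server side: holds the shared key and the highest packet id accepted."""

    def __init__(self, key):
        self.key = key
        self.last_id = 0
        self.dropped = 0

    def accept(self, datagram):
        """Return the payload of an authentic, fresh packet, else None.
        On failure nothing is sent back, so a probe gets no answer at all."""
        if len(datagram) < 4 + TAG_LEN:
            self.dropped += 1
            return None
        body, tag = datagram[:-TAG_LEN], datagram[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha1).digest()
        if not hmac.compare_digest(tag, expected):  # constant-time compare
            self.dropped += 1
            return None
        (packet_id,) = struct.unpack("!I", body[:4])
        if packet_id <= self.last_id:  # replayed or stale id
            self.dropped += 1
            return None
        self.last_id = packet_id
        return body[4:]


def seal(key, packet_id, payload):
    """Client side: prepend the packet id, append the HMAC over id + payload."""
    body = struct.pack("!I", packet_id) + payload
    return body + hmac.new(key, body, hashlib.sha1).digest()


def demo():
    """Drive one listener through the cases a scanner and a real client produce."""
    server = Listener(SHARED_KEY)
    results = {}
    results["hello"] = server.accept(seal(SHARED_KEY, 1, b"client hello"))
    results["replay"] = server.accept(seal(SHARED_KEY, 1, b"client hello"))
    results["scanner"] = server.accept(b"\x00" * 40)  # constructed nmap-style probe
    results["wrong_key"] = server.accept(seal(WRONG_KEY, 2, b"client hello"))
    results["next"] = server.accept(seal(SHARED_KEY, 2, b"data"))
    results["dropped"] = server.dropped
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:10} -> {value!r}")
```

Only the two authentic, in-order packets are returned to the caller; the replay, the unauthenticated probe and the packet under the wrong key are all counted as drops and produce no response, which is the whole "stealth" argument for putting SSH and XMPP behind such a tunnel.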