Title: PrimeDice fucked me and my friends over
Post by: PinkLlama on July 13, 2016, 11:53:46 AM

PrimeDice, which is a very popular BTC gambling site, has fucked me and a friend of mine over. Let me explain:
Well, some time ago, I reported a persistent XSS exploit to PD which was on their front page. Everything was going fine until I actually sent them the exploit. Then they ignored me for a couple of hours. After they fixed the exploit, they said that another guy told them the exploit as well. https://gyazo.com/dbba3aca6190dddbcececd084a750cf7

The thing is, they fixed the exploit exactly 5-10 minutes after I reported it to them. Funny coincidence. I didn't mind it at first as he said that he'll ask the owner to arrange a reward for both of us. Then, some time later, I get this E-Mail from PD: https://gyazo.com/0b555023901f4a2086db185dffb8ec07

Apparently, 3 people reported the same exploit now. Wait. Didn't they say it was only 2? It's a very weird "coincidence". Unless PD can provide proof along with the timestamps of the guy's E-Mail (the one who reported it before me), I'll see myself as screwed by them.

I cannot find the transaction link nor the messages, but I'll make sure I find them. Basically, he deposited around 10-13 BTC onto PrimeDice. The money got confirmed and it didn't appear. They just said that someone logged into his account and took the money outta it. Now, he hasn't shared his password with anyone nor has he used any type of script that may have gotten access to his account. He got the money by reporting an exploit to Uber so he isn't ratted either.

Title: Re: PrimeDice fucked me and my friends over
Post by: Joel_Jantsen on July 13, 2016, 12:54:38 PM

There are multiple probabilities over here, two sides of the story. Maybe when you reported the exploit, primedice was already working on it? Maybe you're the second user who reported the bug while the reports from the first one were being deployed? I don't think you can ask them for email-stamps as proof since the exploits can be reported in n number of which, in private chat maybe?
About the second mail, I think they meant, you're the 2nd user among the total reported users which is 3. I really doubt this accusation holds a stand since neither primedice has scammed directly or indirectly. You're seeking a reward, which could be any amount of their choice. The last para didn't make much sense since there are ways to get hacked. And how can you not find the transaction link of the coins you/your friend sent from their wallet?

Title: Re: PrimeDice fucked me and my friends over
Post by: PinkLlama on July 13, 2016, 01:10:43 PM

There are multiple probabilities over here, two sides of the story. Maybe when you reported the exploit, primedice was already working on it? Maybe you're the second user who reported the bug while the reports from the first one were being deployed? I don't think you can ask them for email-stamps as proof since the exploits can be reported in n number of which, in private chat maybe?
About the second mail, I think they meant, you're the 2nd user among the total reported users which is 3. I really doubt this accusation holds a stand since neither primedice has scammed directly or indirectly. You're seeking a reward, which could be any amount of their choice. The last para didn't make much sense since there are ways to get hacked. And how can you not find the transaction link of the coins you/your friend sent from their wallet?

I'm willing to hear from their side and see the proof they have. I cannot find the coins because the post was on another forum. I'm trying to find the post again. A reward of 0.5-50 BTC was originally promised with mumbles of a 10-15 BTC reward.

Title: Re: PrimeDice fucked me and my friends over
Post by: Stunna on July 13, 2016, 07:27:20 PM

Two users were paid out for this for reporting before you and providing helpful advice. You were unhelpful and provided no new information and the first message I saw from you was a threat after the issue had already been patched.
That's all I have to say on this matter, primedice pays out security bounties for valid/useful reports.

Title: Re: PrimeDice fucked me and my friends over
Post by: PinkLlama on July 13, 2016, 08:42:37 PM

Two users were paid out for this for reporting before you and providing helpful advice. You were unhelpful and provided no new information and the first message I saw from you was a threat after the issue had already been patched.
That's all I have to say on this matter, primedice pays out security bounties for valid/useful reports.

Thank you for your reply. It wasn't a threat, but simply a notification that I got no reward and was being ignored after reporting the exploit to you. Feel free to post what I messaged you.

Title: Re: PrimeDice fucked me and my friends over
Post by: Alanay on July 14, 2016, 07:25:08 PM

It usually takes longer than 5-10 minutes to fix an exploit, and even longer for them to view your message. So it's definitely possible somebody reported it before you. My suggestion: get over it.

Title: Re: PrimeDice fucked me and my friends over
Post by: adoell on July 15, 2016, 10:06:12 AM

Two users were paid out for this for reporting before you and providing helpful advice. You were unhelpful and provided no new information and the first message I saw from you was a threat after the issue had already been patched.
That's all I have to say on this matter, primedice pays out security bounties for valid/useful reports.

Thank you for your reply. It wasn't a threat, but simply a notification that I got no reward and was being ignored after reporting the exploit to you. Feel free to post what I messaged you.

I'm not surprised, pd4 was a let down, they probably used most of their BTC developing the junk and now they are finally going bankrupt after the 40BTC this guy just won, or doing a runner as they realized their scheme is no longer profitable.

Title: Re: PrimeDice fucked me and my friends over
Post by: PinkLlama on July 15, 2016, 12:17:36 PM

site is down now, and seems it has scammed a user who made 40BTC and they're asking for his personal info

I'm not surprised, pd4 was a let down, they probably used most of their BTC developing the junk and now they are finally going bankrupt after the 40BTC this guy just won, or doing a runner as they realized their scheme is no longer profitable.

If they really stole 40 BTC from him I hope he sues them.

Title: Re: PrimeDice fucked me and my friends over
Post by: actmyname on July 15, 2016, 04:50:09 PM

Two users were paid out for this for reporting before you and providing helpful advice. You were unhelpful and provided no new information and the first message I saw from you was a threat after the issue had already been patched.
That's all I have to say on this matter, primedice pays out security bounties for valid/useful reports.

Thank you for your reply. It wasn't a threat, but simply a notification that I got no reward and was being ignored after reporting the exploit to you. Feel free to post what I messaged you.

I'm not surprised, pd4 was a let down, they probably used most of their BTC developing the junk and now they are finally going bankrupt after the 40BTC this guy just won, or doing a runner as they realized their scheme is no longer profitable.

If they really stole 40 BTC from him I hope he sues them.

This. (https://bitcointalk.org/index.php?topic=1546299.msg15595275#msg15595275) Wild accusations are no good. Wait for proof.