Bitcoin Forum

Other => Off-topic => Topic started by: pthnmj on July 06, 2013, 08:11:11 AM



Title: No idea where to post this but "I'm so done"
Post by: pthnmj on July 06, 2013, 08:11:11 AM
Okay so apparently if people don't reap benefits, or are able to do what you did a couple days before you say anything, it must not exist and be complete bullshit.

My Story:

I recently reported a bug via a bitcoin dice website, which I will not disclose without consent of the owner, and was able to log in and bet on their account, essentially without actually knowing their address or password, which is done by the cookie that is unencrypted, and the server never checks to verify the cookie. It only assumed the cookie was a success.

Example: UserID 235523 was successfully logged in from address: F123DAFDAv09c8vasf, and UserID is changed to 4324, and the server when refreshed with that cookie stored passes it by and lets you set up on the account 4324... Recently reporting it earned me a small amount of bitcoin, which could have been more but no matter :-)

The exploit allowed me to:

-Bet Under the User
-Cash Out (To the User's address which was smart by the owner not to have the address be part of a cookie, or address changeable by the user)
-Change the Password of the user

Now how do I know that betting worked?

A- The Live Stream (Bets are shown) clearly showed "User:XXXXX" Bet : xXXXXXXXX, and I saw the balance after I bet which cleared to be in check
B- The balance was, as stated in the statement above cleared to be check

So I ask, what happened to the trust anymore?
If something doesn't go your way, and sounds too "Good" to be true, or you never did it before yourself, it's complete bullshit?

Part of me wants to quit Bitcoin because of the immaturity, but part of me stays for the anonymity.
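
The flaw described in the post above, shown beside one common fix, as an added example that is not part of the original post and not the site's code. The cookie layout `UserID=<id>.<tag>`, the function names and the key handling are assumptions; the two user IDs are the ones quoted in the post.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed per-process key for this example; a real server loads a
# long-lived secret from protected configuration.
SERVER_KEY = secrets.token_bytes(32)


def vulnerable_user_from_cookie(cookie: str) -> str:
    """Behaviour the post describes: the UserID in the cookie is trusted as-is."""
    return cookie.split("=", 1)[1]


def _tag(user_id: str) -> str:
    # HMAC-SHA256 binds the user id to a secret only the server holds.
    return hmac.new(SERVER_KEY, user_id.encode(), hashlib.sha256).hexdigest()


def issue_cookie(user_id: str) -> str:
    """Called after a successful login: emit the id together with its tag."""
    return f"UserID={user_id}.{_tag(user_id)}"


def verified_user_from_cookie(cookie: str) -> Optional[str]:
    """Return the user id only if the tag matches; None for anything else."""
    try:
        name, value = cookie.split("=", 1)
        user_id, tag = value.rsplit(".", 1)
    except ValueError:
        return None  # missing '=' or missing tag: reject
    if name != "UserID":
        return None
    # Constant-time comparison avoids leaking how many tag bytes matched.
    if hmac.compare_digest(tag.encode(), _tag(user_id).encode()):
        return user_id
    return None


if __name__ == "__main__":
    legit = issue_cookie("235523")
    edited = legit.replace("235523", "4324", 1)  # id changed, old tag kept
    print("unchecked server sees:", vulnerable_user_from_cookie("UserID=4324"))
    print("checked, legit cookie:", verified_user_from_cookie(legit))
    print("checked, edited cookie:", verified_user_from_cookie(edited))
```

An opaque random session token looked up in a server-side table achieves the same result and also allows individual sessions to be revoked.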


Title: Re: No idea where to post this but "I'm so done"
Post by: Stephen Gornick on July 06, 2013, 09:33:39 AM
Part of me wants to quit Bitcoin because of the immaturity,

1995: I'm buying a new television so I searched on Inktomi for "TV Set ratings" and it sent me to Nielsen (show ratings).   Stupid internet, ... my search term included "TV Set".  Part of me wants to quit Internet because of the immaturity.


Title: Re: No idea where to post this but "I'm so done"
Post by: Stephen Gornick on July 06, 2013, 09:39:54 AM
So I ask, what happened to the trust anymore?
If something doesn't go your way, and sounds too "Good" to be true, or you never did it before yourself, it's complete bullshit?

So, you assert that you found a security issue with some site and they refuse to acknowledge it?

So, ... give them a reasonable time to fix it, then publish an alert here (with some info of where the vulnerability lies, or how the exploit works), if it doesn't get fixed.


Title: Re: No idea where to post this but "I'm so done"
Post by: Phinnaeus Gage on July 06, 2013, 03:50:41 PM
So I ask, what happened to the trust anymore?
If something doesn't go your way, and sounds too "Good" to be true, or you never did it before yourself, it's complete bullshit?

So, you assert that you found a security issue with some site and they refuse to acknowledge it?

So, ... give them a reasonable time to fix it, then publish an alert here (with some info of where the vulnerability lies, or how the exploit works), if it doesn't get fixed.

It worked so well last time with InstaWallet, let's do it again. If I recall with IW, there was an exploit issue of which a Bitcoiner was kind enough to reveal. Red flags were raised. The owners dismissed the findings. Then calm. Then poof!

I like Eric, so I hope this is not his site that is being inferred to. Then again, I admired IW, albeit to a lesser degree, and look at how at least one of their owners treated me.

Let's hope that whatever needs fixin' gets fixed.


Title: Re: No idea where to post this but "I'm so done"
Post by: Stephen Gornick on July 08, 2013, 07:33:54 PM
I like Eric, so I hope this is not his site that is being inferred to.

Well, SD doesn't use web access for wagering.  The report was for a competing site, apparently:

I found a recent exploit (Not to scare anybody, because it is fixed with my help of reporting it :) And got compensated <3 Thanks PrimeDice)


Title: Re: No idea where to post this but "I'm so done"
Post by: CryptoLover on July 09, 2013, 01:37:58 AM
Part of me wants to quit Bitcoin because of the immaturity,

1995: I'm buying a new television so I searched on Inktomi for "TV Set ratings" and it sent me to Nielsen (show ratings).   Stupid internet, ... my search term included "TV Set".  Part of me wants to quit Internet because of the immaturity.


LOL!


Title: Re: No idea where to post this but "I'm so done"
Post by: Dabs on July 09, 2013, 02:08:16 AM
There are only three competing dice sites: Coinroll, PrimeDice and Just-Dice. They are all off-the-blockchain, so they required "accounts" of some sort, whether that is by payout address, or a cookie, or a traditional user / password. Some even have 2 factor auth using Google Auth.

Well, there are other block-chain based competitors, like Dice on Crack, and Suzuki Dice, but they don't need "accounts".


Title: Re: No idea where to post this but "I'm so done"
Post by: PrintMule on July 09, 2013, 02:32:33 AM
This is so old news

It was the first thing I tried after playing my freebie at that dice, to log in other people's accounts. And while you can make some bets to fuck with someone, no one will keep btc on their accounts longer than needed for betting.