Bitcoin Forum

Haha, well I quickly found out the hard way about faucet security.

Having been assured by the creator of the first faucet script I used on my WP site that it was completely secure - it clearly wasn't!

Faucet was emptied last night (about 5,000 sats) to this IP: 91.208.99.2

That'll teach me! No re-fill until I figure out what went wrong. Any help would be appreciated.

- http://freecoyn.com/free-bitcoin-faucet/ (http://freecoyn.com/free-bitcoin-faucet/)

Thanks :)

My condolences, it really sucks when stuff like that happens.
Being an amateur coder and all, I’ve been working on security continuously for my faucets. So, since I’m an amateur myself, I can’t offer any “truths”.
But the following should help... stay away from cookie cutter solutions. If you run a custom script, any malicious individuals will have to write a custom hack for your specific faucet.
Sanitize any and all user input, lock down access to script execution and reduce the number of attack surfaces as much as possible.
I have yet to find the magic bullet when it comes to bots and they can can empty a faucet real fast if given an opening.

Just to mention it, the ip you wrote is a anonymous proxy.

Make sure that your connection with FaucetHub API is secure and cannot be altered with any parameters in the faucet's URL or values you're using on your website (if you are using username/passwords). Don't rely on GET php parameters, because they can be changed super easily and may break your faucet. POST parameters can be also changed by users, but it is way harder for hackers, and you can set up additional security for POST parameters.

If users drained your faucet really fast, that means:
- they could potentially get your FaucetHub API key (make sure it is not public)
- your faucet doesn't have any timeouts between claiming or they can be easily bypassed
- it doesn't have necessary IP security from proxies (there are 3rd party scripts for that)

Always make sure that your site is 100% safe before you release it.
Check every single thing and play with parameters, try to crack it, or send your friends so they can verify if everything is good.

Rate limits can be also a good thing when you start your fresh faucet, I used it and tracked major issue with my faucet. Basically it's all in FaucetHub settings, you can limit how much Satoshi can be withdrawn from your faucet in a certain range of time.

Good luck with your faucet in the future.

i remember that someone have noticed you about the problems of this script. most free scripts aren't safe enough and you have to custom it, and i think run a faucet on wp site is a bad idea because wp is a favorite object of hackers.

Thanks everyone for your really helpful comments and suggestions - that's what makes this community great!

I think I used the cooker cutter option because while I'm fascinated with bitcoin and faucets I'm not a coder so I was hoping for something I could use out of the box.

But it's back to the drawing board now. However, I'm going to persevere and hopefully launch a new and improved version soon.  :)

Just assume that all user input, get and post data is insecure.

you need proper pentesting around JSON, code execution, API security, XSS.. Mainly Sanitising user input, someone was highly likely possibly slipped thru a malicious code somewhere, you need to prevent them to execute such codes and you must validate user input - if your issue is relative of course.

Thanks for all this. It's beyond me though! I'm looking into a new script, will test it publicly soon.