Bitcoin Forum

Other => Off-topic => Topic started by: monsterer on February 07, 2014, 10:51:36 PM



Title: 0.4 BTC stolen by hacker - please return them
Post by: monsterer on February 07, 2014, 10:51:36 PM
At approximately 11:30am - 12:00pm GMT today, a hacker was able to exploit a security hole in my game and withdraw 0.4 BTC, which was the entire hot-wallet contents.

He withdrew to this address: 16pknxjJF8yhL2iBPmXRw4rcoGhFYmGcoy

Transactions:


He used the aliases: 1gld,16p,x,y

His attack was to use negative numbers for the BTC fields when creating a new game in blockchain-reaction; although these were checked for client-side, the server failed to do the correct validation.

I feel pretty stupid since that's an obvious attack and I'm usually really careful with this stuff, but it just slipped under the radar. Obviously this is now fixed.

I have covered this loss from my own personal bitcoin wallet, so no users will be affected.

If you are the attacker and you are reading this, please consider returning these stolen coins, I have a suspicion you are a fellow developer / programmer, so please have a heart.

Cheers, Paul.
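A minimal model of the bug Paul describes, added here as an illustration and not code from blockchain-reaction: the hypothetical `create_game_unsafe` trusts the client's range check and only verifies the balance stays non-negative, so a negative stake credits the attacker; `parse_amount` and `create_game_safe` repeat every check on the server (positive, finite, satoshi-granular, within balance). Balances are a constructed `{player: satoshi}` dict and the "stake" field is an assumed stand-in for the game's BTC fields.

```python
from decimal import Decimal, InvalidOperation

SATOSHI_PER_BTC = 100_000_000
MAX_MONEY = 21_000_000 * SATOSHI_PER_BTC  # hard cap on any single amount

class ValidationError(ValueError): pass

# Balances are a plain {player: satoshi} dict (constructed stand-in for the game's state).
def create_game_unsafe(balances, player, raw_stake):
    """Models the bug: the server relies on the client's check and only tests
    that the balance stays >= 0, so a negative stake CREDITS the player."""
    stake = int(float(raw_stake) * SATOSHI_PER_BTC)
    new_balance = balances.get(player, 0) - stake
    if new_balance < 0:
        raise ValidationError("insufficient funds")
    balances[player] = new_balance
    return new_balance

def parse_amount(raw):
    """Hardened server-side parse of a user-supplied BTC amount into satoshi."""
    try:
        amount = Decimal(str(raw))
    except InvalidOperation:
        raise ValidationError("amount is not a number")
    if not amount.is_finite() or amount <= 0:  # NaN, Infinity, zero, negatives
        raise ValidationError("amount must be a positive finite number")
    sats = amount * SATOSHI_PER_BTC
    if sats != sats.to_integral_value():  # finer than one satoshi
        raise ValidationError("amount has more than 8 decimal places")
    if sats > MAX_MONEY:
        raise ValidationError("amount exceeds maximum")
    return int(sats)

def create_game_safe(balances, player, raw_stake):
    """Same operation with validation done where it belongs: on the server."""
    stake = parse_amount(raw_stake)
    balance = balances.get(player, 0)
    if balance < stake:
        raise ValidationError("insufficient funds")
    balances[player] = balance - stake
    return balances[player]

def is_rejected(raw_stake):
    """True if the hardened path refuses the stake; a 1 BTC balance is assumed."""
    try:
        create_game_safe({"p": SATOSHI_PER_BTC}, "p", raw_stake)
    except ValidationError:
        return True
    return False
```

The unsafe path turns a stake of "-0.4" with a 0.1 BTC balance into a 0.5 BTC balance, exactly the kind of withdrawal the post describes; the hardened path refuses it before any balance arithmetic happens.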


Title: Re: 0.4 BTC stolen by hacker - please return them
Post by: DeathAndTaxes on February 07, 2014, 10:59:53 PM
The hacker won't return the coins.  Consider it a $300 education.   Had the site been popular it might have been a $300,000 loss.

Saying you are really careful and yet failed to do server side validation is an oxymoron.

I would recommend learning some unit testing.  My guess is you are developing the "core" program and considering error checking as an add-on.  For larger and more complex projects this always fails.  Grab a couple of books on Test-driven Development ( http://en.wikipedia.org/wiki/Test-driven_development ).  The $300 loss could be worth thousands if it makes you a better developer.


Title: Re: 0.4 BTC stolen by hacker - please return them
Post by: Nathonas on February 08, 2014, 12:26:39 AM
This post made me lol.

First of all, what makes you think this "hacker" reads bitcointalk? And secondly, what makes you think that asking him to return the BTC will do anything?


Title: Re: 0.4 BTC stolen by hacker - please return them
Post by: Sonny on February 08, 2014, 12:43:32 AM
OP, sorry to hear your loss.
Well, at least you now find the bug and fix it.  :D


Title: Re: 0.4 BTC stolen by hacker - please return them
Post by: whtchocla7e on February 08, 2014, 01:13:28 AM
The hacker did you a favor. You could have lost much more. Consider it a payment for services.


Title: Re: 0.4 BTC stolen by hacker - please return them
Post by: byt411 on February 08, 2014, 01:21:15 AM
So now you learnt a lesson! Check for loopholes and fix them.


Title: Re: 0.4 BTC stolen by hacker - please return them
Post by: dissident on February 08, 2014, 01:47:40 AM
yep at just .4 BTC I'd consider it payment for services.


Title: Re: 0.4 BTC stolen by hacker - please return them
Post by: go4nature on February 08, 2014, 06:05:30 AM
Once it is hacked you cannot recover it. Next time be safe and use all precautions.


Title: Re: 0.4 BTC stolen by hacker - please return them
Post by: PBmining on February 08, 2014, 06:19:38 AM
The hacker did you a favor. You could have lost much more. Consider it a payment for services.

This is exactly my opinion as well.  My "lesson" was a lot more expensive and we lost a lot more, but in the end it was a much needed wake-up call.  It's best that a breach happens sooner rather than later.  Fix the broken pieces and become stronger -- that's all you can do.


Title: Re: 0.4 BTC stolen by hacker - please return them
Post by: RGBKey on February 08, 2014, 06:41:28 AM
Really sorry to hear that monsterer, your game is great. Hope you recover from this.


Title: Re: 0.4 BTC stolen by hacker - please return them
Post by: hilariousandco on February 08, 2014, 11:36:13 AM
This post made me lol.

First of all, what makes you think this "hacker" reads bitcointalk? And secondly, what makes you think that asking him to return the BTC will do anything?

Well sometimes hackers or thieves have given money back. I guess trying to guilt someone into returning funds is a last desperate attempt as it's probably one of the only things you can actually do, although like you said it's almost futile. 0.4 isn't much, so I'd just chalk it up as a loss and a lesson learned.



Title: Re: 0.4 BTC stolen by hacker - please return them
Post by: thecoinjournal on February 08, 2014, 11:39:00 AM
I want to play but it says

Quote
We are currently in maintenance mode. Thank you for your patience.


Title: Re: 0.4 BTC stolen by hacker - please return them
Post by: drippx on February 08, 2014, 11:54:31 AM
0% chance you get the coins back, that's why bitcoin is good for these types of anonymous things


Title: Re: 0.4 BTC stolen by hacker - please return them
Post by: techguy on February 08, 2014, 12:32:11 PM
Sorry to hear that your BTC was stolen.
Your blockchain reaction game has great potential. I hope you will soon recover the losses from the game :)


Title: Re: 0.4 BTC stolen by hacker - please return them
Post by: monsterer on February 08, 2014, 01:13:34 PM
We're back up and running now :)

Thanks for the support - the general sentiment is right, it could have been a lot worse and the fault is entirely mine for missing that piece of server-side validation. It's particularly galling because I'm a proponent of letting the server do the validation and having none on the client, especially in the early stages of development, because it forces you to fix these types of problems before they happen.

Cheers, Paul.


Title: Re: 0.4 BTC stolen by hacker - please return them
Post by: Aswan on February 08, 2014, 01:38:12 PM
Nice Marketing. Didn't know the game but I love it :P


Title: Re: 0.4 BTC stolen by hacker - please return them
Post by: surfer43 on February 08, 2014, 01:49:56 PM


If I were said "hacker" I would be embarrassed.

.4 btc lulz


~BCX~
I don't understand  ???


Title: Re: 0.4 BTC stolen by hacker - please return them
Post by: Trance on February 08, 2014, 02:28:57 PM
Lemmeee att emm' Leeemee attt em' !!

lol sorry to hear about your loss, but the odds of you getting the coins back are 0 to none.


Title: Re: 0.4 BTC stolen by hacker - please return them
Post by: Trance on February 08, 2014, 02:30:03 PM
At approximately 11:30am - 12:00pm GMT today, a hacker was able to exploit a security hole in my game and withdraw 0.4 BTC, which was the entire hot-wallet contents.

He withdrew to this address: 16pknxjJF8yhL2iBPmXRw4rcoGhFYmGcoy

Transactions:


He used the aliases: 1gld,16p,x,y

His attack was to use negative numbers for the BTC fields when creating a new game in blockchain-reaction; although these were checked for client-side, the server failed to do the correct validation.

I feel pretty stupid since that's an obvious attack and I'm usually really careful with this stuff, but it just slipped under the radar. Obviously this is now fixed.

I have covered this loss from my own personal bitcoin wallet, so no users will be affected.

If you are the attacker and you are reading this, please consider returning these stolen coins, I have a suspicion you are a fellow developer / programmer, so please have a heart.

Cheers, Paul.

How do you know it's a "HE"  ::)


Title: Re: 0.4 BTC stolen by hacker - please return them
Post by: surfer43 on February 08, 2014, 02:36:22 PM
At approximately 11:30am - 12:00pm GMT today, a hacker was able to exploit a security hole in my game and withdraw 0.4 BTC, which was the entire hot-wallet contents.

He withdrew to this address: 16pknxjJF8yhL2iBPmXRw4rcoGhFYmGcoy

Transactions:


He used the aliases: 1gld,16p,x,y

His attack was to use negative numbers for the BTC fields when creating a new game in blockchain-reaction; although these were checked for client-side, the server failed to do the correct validation.

I feel pretty stupid since that's an obvious attack and I'm usually really careful with this stuff, but it just slipped under the radar. Obviously this is now fixed.

I have covered this loss from my own personal bitcoin wallet, so no users will be affected.

If you are the attacker and you are reading this, please consider returning these stolen coins, I have a suspicion you are a fellow developer / programmer, so please have a heart.

Cheers, Paul.

How do you know it's a "HE"  ::)
How do you know he's an "it"  ::)


Title: Re: 0.4 BTC stolen by hacker - please return them
Post by: jongameson on February 08, 2014, 03:33:26 PM
What the hell kind of "game" has a security hole allowing people to take your bitcoins?

I'm calling shenanigans.



Title: Re: 0.4 BTC stolen by hacker - please return them
Post by: starmex on February 08, 2014, 03:42:25 PM
I doubt OP posted for the purpose of advertisement. I mean, I wouldn't play on that site now knowing it has loopholes, wouldn't you too?


Title: Re: 0.4 BTC stolen by hacker - please return them
Post by: surfer43 on February 08, 2014, 04:45:35 PM
Give op a break. I hope the hacker returns it and then we'll all laugh  :D


Title: Re: 0.4 BTC stolen by hacker - please return them
Post by: PBmining on February 09, 2014, 09:15:12 PM
Give op a break. I hope the hacker returns it and then we'll all laugh  :D

I agree with this as well!  Stealing such a small amount of BTC is the equivalent of a bum breaking into cars to steal the cigarette butts from the ash tray!  The risk/reward is about the same.  Give the guy his bitcoins back!   ;D


Title: Re: 0.4 BTC stolen by hacker - please return them
Post by: Sheldor333 on February 09, 2014, 11:58:27 PM
Yeah it's sad. I don't think he will return it though. Don't expect that. People are not like that. They don't return something they steal. That is why they are doing it in the first place.
I know it is not easy, you've most likely worked more for those 0.4 btc than some did for 100s of theirs. Still I know how I would feel if someone stole my 0.1 btc. Hope you get more btc from your game, so that you can forget this.


Title: Re: 0.4 BTC stolen by hacker - please return them
Post by: Taras on February 10, 2014, 02:20:57 AM
Wouldn't it be nice if a hack like this could have been a zero-day tip instead :(
Shows our reversed society.
A message to thieves: go make glue gun porn with wasabi-infused polyethylene instead of glue, while on an ironing board, with four hot irons on your otherwise not hot body. Then smoke a pack of cigarettes, all at once, without opening the box. Yeah, smoke the box with all the cigs in it, but smoke it backwards so that the fire is in your mouth. Do all this with the ironing board you're fixed to on top of a semi truck driving through a field of cacti conveniently shaped to always smack your ass, which has a wasabi hot glue gun thing cemented in on full throttle. Then attend a steak dinner with Hitler, Osama and Satan, who have all been doing exactly what you have, glue gun and all. Then get in a disagreement and start a fight, keeping in mind that you're all bolted to ironing boards, but you still find a way.

That was fun to write.
We should all quote this on threads where a theft took place  :D


Title: Re: 0.4 BTC stolen by hacker - please return them
Post by: ahmedjadoon on February 10, 2014, 05:10:18 AM
Really sad to know about your loss! Take proper security measures next time!