Bitcoin Forum
Other / Beginners & Help / LuckyBitcoinCasino.com Hack, on: November 12, 2013, 08:30:07 PM
(Feel free to quote or link this post in the LuckyBitcoinCasino.com Thread)

"Hacker" here. In short, I manipulated a game on LuckyBitcoinCasino.com to let me bet coins I didn't actually have. The API for the roulette game accepted negative bets. E.g. I was able to bet 100 coins on black, 100 coins on red and -199 coins on the number 34. This cost me exactly 1 coin, with the likely outcome that I would win 199.
   
The site also has a number of other security issues that I detailed via the support form to the site's owner, including the "right" way to fix them. So far, they have failed to acknowledge these flaws.

Just as an example, a blatant XSS flaw:
https://www.luckybitcoincasino.com/forgot.php?message=%3Cscript%3Ealert%28document.cookie%29%3C/script%3E
(Note that many modern browsers will now actually filter out JS passed via the URL. However, it's a bad idea to rely on this.)

I also noticed a number of SQL injection flaws around the site. The codebase seems to be very inconsistent in what is filtered and what isn't.

tl;dr: contrary to what the author(?) of the site proclaims, there's no such thing as "bug free code".
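The negative-bet flaw described in the post comes down to a server that checks the signed sum of a player's bets instead of checking each leg. The following is an added example, not code from LuckyBitcoinCasino.com or from the poster: a constructed model of a roulette bet endpoint (European wheel, colour bets paying 1:1, straight-up bets paying 35:1, all assumptions) with the naive check beside a hardened one, settled for the exact bet the post describes (100 black, 100 red, -199 on 34, with a balance of 1 coin).

```python
"""Constructed model of a roulette bet API, illustrating the negative-bet
flaw described in the post and a server-side check that rejects it.
Added example; not code from the casino site discussed."""
from dataclasses import dataclass
from typing import List, Tuple

# Assumed European wheel: pockets 0-36. Colour bets pay 1:1, straight-up 35:1.
RED_POCKETS = {1, 3, 5, 7, 9, 12, 14, 16, 18, 19, 21, 23, 25, 27, 30, 32, 34, 36}
COLOUR_PAYOUT = 1
STRAIGHT_PAYOUT = 35


@dataclass(frozen=True)
class Bet:
    target: str   # "red", "black", or a pocket number "0".."36"
    amount: int   # coins; the flaw is that the sign is never checked


def _valid_target(target: str) -> bool:
    return target in ("red", "black") or (target.isdigit() and 0 <= int(target) <= 36)


def net_stake(bets: List[Bet]) -> int:
    """What a naive server believes the player is risking (signed sum)."""
    return sum(b.amount for b in bets)


def exposure(bets: List[Bet]) -> int:
    """Coins the player actually risks: only positive legs are real stakes."""
    return sum(b.amount for b in bets if b.amount > 0)


def validate_unsafe(bets: List[Bet], balance: int) -> Tuple[bool, str]:
    """Vulnerable check: compares the signed total against the balance, so a
    negative leg 'pays for' positive legs the player cannot afford."""
    if not all(_valid_target(b.target) for b in bets):
        return False, "unknown target"
    if net_stake(bets) > balance:
        return False, "insufficient balance"
    return True, "ok"


def validate(bets: List[Bet], balance: int) -> Tuple[bool, str]:
    """Hardened check: every leg must be a positive integer, and the sum of
    all legs (not the signed net) must fit within the balance."""
    if not bets:
        return False, "no bets"
    for b in bets:
        if not _valid_target(b.target):
            return False, "unknown target"
        # bool is a subclass of int, so exclude it explicitly
        if not isinstance(b.amount, int) or isinstance(b.amount, bool) or b.amount <= 0:
            return False, "bet amount must be a positive integer"
    if exposure(bets) > balance:
        return False, "insufficient balance"
    return True, "ok"


def _leg_wins(bet: Bet, pocket: int) -> bool:
    if bet.target == "red":
        return pocket in RED_POCKETS
    if bet.target == "black":
        return pocket != 0 and pocket not in RED_POCKETS
    return int(bet.target) == pocket


def settle(bets: List[Bet], pocket: int) -> int:
    """Net change to the player's balance once the wheel lands on `pocket`.
    A losing leg subtracts its amount, so a negative amount credits the player."""
    total = 0
    for b in bets:
        payout = STRAIGHT_PAYOUT if b.target.isdigit() else COLOUR_PAYOUT
        total += b.amount * payout if _leg_wins(b, pocket) else -b.amount
    return total


# The bet from the post: 100 black, 100 red, -199 on 34, with 1 coin of balance.
POST_BETS = [Bet("black", 100), Bet("red", 100), Bet("34", -199)]

if __name__ == "__main__":
    ok, why = validate_unsafe(POST_BETS, balance=1)
    print(f"naive check: {ok} ({why}); net stake {net_stake(POST_BETS)}, "
          f"real exposure {exposure(POST_BETS)}")
    for pocket in (17, 0, 34):
        print(f"pocket {pocket:2d}: player nets {settle(POST_BETS, pocket):+d}")
    print("hardened check:", validate(POST_BETS, balance=1))
```

Running it shows why the naive check is wrong: the signed net stake is 1 coin, so a 1-coin balance passes, while the real exposure is 200 coins. On any pocket other than 0 or 34 the colour bets cancel and the lost negative leg credits 199 coins, matching the outcome the post describes; the hardened check rejects the request at the first non-positive leg before any of that can happen.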