Bitcoin Forum
June 10, 2024, 12:39:04 PM *
  Show Posts
1  Economy / Scam Accusations / Re: FreeBitco.in Appears Hacked - Monthly Prize Money Stolen From Multiple Users on: June 09, 2024, 09:35:31 PM
We have conducted a thorough review and found no issues on the website. It is possible that specific users may have encountered problems due to viruses or plugins they installed, which are beyond our control.
Isn't it too much coincidence that many high rollers who won the wagering contest (and only them) had their accounts legitimacy compromised by a malicious script which was deflecting their funds to external unknown wallets?

If the issue with malicious script were a generic issue faced by random users, then we could think that it had something to do with external plugins installed by the users themselves (probably plugins related to gambling bots).

But since only specific whales were targeted, it really seems to have been a more elaborate attack against determined platform's users, who the hackers knew to be more profitable to steal from, instead of focusing on random accounts from micro earners containing dust of satoshis, for example.

I have 2 remarks:

1. The deposit and withdraw attacks were not just targeted against (recent) high rollers. I have not wagered on freebitco.in in months, and my account was still affected. Fortunately, I did not lose any bitcoin, because I did not try to deposit or withdraw when the attacks were taking place; but for a period of ~24 hours my deposit address switched to some unknown address. I have had the same deposit address for years and have not changed it recently, and so I knew immediately that something fishy was going on. After about a day, my deposit address changed back to my normal address.

2. This was absolutely not caused by "viruses or plugins they installed". I have 3 different devices that I use to log in to this site, and my deposit address was switched on every single device. Are you really going to argue that I had the exact same virus on all 3 devices?

I have ~100 messages on this forum, and in nearly all of them I have spoken positively about freebitco.in (they gave me a lambo!). I have to be critical here, though. Blaming users for these recent issues is not cool.

soslex, Lambo winner, also targeted by the hack.
2  Economy / Gambling / Re: FreeBitco.in-$200 FreeBTC⭐Win Lambo🔥0.2BTC DailyJackpot🏆$32,500 Wager Contest on: June 08, 2024, 01:29:38 PM
Dear BTC Talk Community,

We are immensely grateful for the love and trust you have shown to FreeBitco.in. Recently, a mail backlog caused delays in withdrawals, and we sincerely apologize for any inconvenience this may have caused. We are pleased to announce that all pending withdrawals have now been successfully processed.

The mail backlog is still ongoing but is slowly being cleared. We have also taken note of your concerns regarding our support services. To address this, we are actively identifying and onboarding new team members dedicated to enhancing our support and ensuring a smoother experience for all users.

Thank you for your continued support and patience.

Best regards,
The FreeBitco.in Team

Why do you remain silent regarding the wagering contest winners that had funds stolen?

And is TheQuin's departure related to these stolen funds?
3  Economy / Reputation / Re: To freebitco.in and their representative, TheQuin on: June 08, 2024, 11:36:12 AM
TheQuin's silence is nothing short of incriminating.
4  Economy / Gambling / Re: FreeBitco.in-$200 FreeBTC⭐Win Lambo🔥0.2BTC DailyJackpot🏆$32,500 Wager Contest on: June 06, 2024, 10:14:05 PM
You're all FUCKING insane fuck these assholes they stole my fucking 500 you fucking pieces of shit fucking acknowledge me you shit heads

...why don’t you go ahead and create a proper thread for it rather than to come to their Ann thread - shouting curses at them.

View last topic started by this person.

https://bitcointalk.org/index.php?topic=5495091.msg64023902#msg64023902
5  Economy / Reputation / Re: To freebitco.in and their representative, TheQuin on: June 06, 2024, 06:52:31 AM
freebitco.in if you are not responsible for our lost funds then say it.

Don't be silent. Say something. Anything.

We need truth and certainty.
6  Economy / Scam Accusations / Re: FreeBitco.in Appears Hacked - Monthly Prize Money Stolen From Multiple Users on: June 06, 2024, 05:37:07 AM
Cross Site Scripting (XSS)

Overview
Quote
Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user. Flaws that allow these attacks to succeed are quite widespread and occur anywhere a web application uses input from a user within the output it generates without validating or encoding it.

Quote
An attacker can use XSS to send a malicious script to an unsuspecting user. The end user’s browser has no way to know that the script should not be trusted, and will execute the script. Because it thinks the script came from a trusted source, the malicious script can access any cookies, session tokens, or other sensitive information retained by the browser and used with that site. These scripts can even rewrite the content of the HTML page.

Reflected XSS Attacks
Quote
Reflected attacks are those where the injected script is reflected off the web server, such as in an error message, search result, or any other response that includes some or all of the input sent to the server as part of the request. Reflected attacks are delivered to victims via another route, such as in an e-mail message, or on some other website. When a user is tricked into clicking on a malicious link, submitting a specially crafted form, or even just browsing to a malicious site...

Stored XSS Attacks
Quote
Stored attacks are those where the injected script is permanently stored on the target servers, such as in a database, in a message forum, visitor log, comment field, etc. The victim then retrieves the malicious script from the server when it requests the stored information. Stored XSS is also sometimes referred to as Persistent or Type-II XSS.

Blind Cross-site Scripting
Quote
Blind Cross-site Scripting is a form of persistent XSS. It generally occurs when the attacker’s payload saved on the server and reflected back to the victim from the backend application. For example in feedback forms, an attacker can submit the malicious payload using the form, and once the backend user/admin of the application will open the attacker’s submitted form via the backend application, the attacker’s payload will get executed.

Source: https://owasp.org/www-community/attacks/xss/


Further reading: https://owasp.org/www-community/Types_of_Cross-Site_Scripting
7  Economy / Scam Accusations / Re: FreeBitco.in Appears Hacked - Monthly Prize Money Stolen From Multiple Users on: June 06, 2024, 04:17:38 AM
I have no extensions on my fbtc device.

You cannot install chrome extensions on the chrome browser on android.

I really do appreciate your input.

Discussion is always healthy and can sometimes provide insight to a difficult problem.
8  Economy / Scam Accusations / Re: FreeBitco.in Appears Hacked - Monthly Prize Money Stolen From Multiple Users on: June 06, 2024, 03:42:53 AM
The only thing we seem to have in common is that our USER IDs were visible on the fbtc site.

For example the daily jackpot leaderboard and the wagering and referral contest leaderboards.

I have no browser extensions, system is updated daily and avast reports no issues.

The attacker claimed he used a known xss vulnerability to steal our funds.

Deposit and withdrawal addresses were manipulated among other things.

Fbtc knew or should have known about unpatched xss security vulnerabilities.

Bugbounty lists some of these unpatched security vulnerabilities:

https://www.openbugbounty.org/reports/domain/freebitco.in/

Here is an example of the injected malicious code used during the second wave of attacks:

https://pastebin.ai/eo0q78pbuj
9  Economy / Reputation / Re: To freebitco.in and their representative, TheQuin on: June 05, 2024, 04:35:34 PM
People are free to speculate as they wish.

Is it possible TheQuin stole our wagering contest prizes?

TheQuin hasn't responded to any of us. Our private messages ignored by him.

Maybe that's why they are looking for new staff?

This was a targeted attack on the high-rollers and wagering contest winners.

Why were only the wagering contest winners targeted?

And perhaps the email backlog was caused by an SMTP DDoS attack by a disgruntled victim or staff.

How can the PR account acknowledge the email issue yet ignore the stolen funds? Why be silent on this?

I have no options. No response from support. TheQuin ignores us.

I am left with nothing other than to post a scam accusation.

I will delay this only another week or two.

I'm all out of options.

I've been using fbtc for over six years. Never had a problem until my funds were stolen.
10  Economy / Gambling / Re: FreeBitco.in-$200 FreeBTC⭐Win Lambo🔥0.2BTC DailyJackpot🏆$32,500 Wager Contest on: June 03, 2024, 06:26:35 PM


https://www.openbugbounty.org/reports/domain/freebitco.in/

Proof of unpatched xss security vulnerabilities.
11  Economy / Scam Accusations / Re: FreeBitco.in Appears Hacked - Monthly Prize Money Stolen From Multiple Users on: June 03, 2024, 05:33:20 PM


No response from support.

No response from TheQuin.


List of reported security vulnerabilities:

https://www.openbugbounty.org/reports/domain/freebitco.in/
12  Economy / Gambling / Re: FreeBitco.in-$200 FreeBTC⭐Win Lambo🔥0.2BTC DailyJackpot🏆$32,500 Wager Contest on: June 03, 2024, 01:17:31 PM
2024-06-02 why was there no daily jackpot winner?
I am not sure, but I think that the date in the first row of the table should be 2024-06-02 and that's wrongly displayed.
We are still on June 3 and the winner of the daily jackpot for this day is yet to be determined.

That makes sense.

Does it display correctly in your browser?
13  Economy / Gambling / Re: FreeBitco.in-$200 FreeBTC⭐Win Lambo🔥0.2BTC DailyJackpot🏆$32,500 Wager Contest on: June 03, 2024, 12:34:33 PM
2024-06-02 why was there no daily jackpot winner?



14  Economy / Gambling / Re: FreeBitco.in-$200 FreeBTC⭐Win Lambo🔥0.2BTC DailyJackpot🏆$32,500 Wager Contest on: May 25, 2024, 08:14:28 AM

I have been trying to enable 2FA, but I'm not receiving the verification email.

I'm receiving promotion and payment emails without issue.
15  Economy / Gambling / Re: FreeBitco.in-$200 FreeBTC⭐Win Lambo🔥0.2BTC DailyJackpot🏆$32,500 Wager Contest on: May 21, 2024, 03:04:00 PM
When I was a young boy I would love to visit the local shows. I was particularly fond of the showbags, and the amusements you'd find down sideshow alley.

There were always so many different stalls and prizes you could win.

You could roll a ball into a clown’s mouth, shoot metal ducks with an air rifle, throw hoops, drop coins into a pusher or maybe just purchase a ticket for a chance to win a large stuffed toy.

I recall walking past one such stall where you could buy a ticket for a chance to win a large stuffed toy. There were big bears and monkeys and giraffes, all manner of large furry animals.

I noticed one man buying a lot of tickets and winning all the biggest and best prizes. His arms already so full of large stuffed toys. Surely he couldn't hold another prize!

Everyone seemed captivated by his good fortune and were busy buying tickets hoping to share in his luck.

When this lucky man couldn't possibly hold another furry toy he began to walk away.

I don't know why, but I decided to follow him to see where he went. I followed him for a few minutes before he ducked behind one of the other stalls. I kept watching him as he made his way back up behind the same stall where he'd won all the furry toys. He loaded all the large stuffed animals back into the rear of the trailer and disappeared inside.

Everything is not always as it seems.
16  Economy / Gambling / Re: FreeBitco.in-$200 FreeBTC⭐Win Lambo🔥0.2BTC DailyJackpot🏆$32,500 Wager Contest on: May 11, 2024, 09:15:11 AM
The daily jackpot is gone?

The contest is no longer running?

Code maintenance?

And now it's back...
17  Economy / Scam Accusations / Re: FreeBitco.in Appears Hacked - Monthly Prize Money Stolen From Multiple Users on: May 09, 2024, 11:42:12 PM
No response from support.

This issue impacted a handful of wagering contest winners. As far as we know.


Malicious scripts gone (cashtravel js).

Attacker's website down (bitwrecken.com).

Complicit accounts disappeared (feleryunfbc: github, jsdelivr).

Evidence vanished.


We know the truth.

What happened can happen again. To us. To others.


Since the attack, I have made a successful withdrawal.

For now, I intend to withdraw everything. No wagering. No deposits.

Confidence remains low.

18  Economy / Gambling / Re: FreeBitco.in-$200 FreeBTC⭐Win Lambo🔥0.2BTC DailyJackpot🏆$32,500 Wager Contest on: May 05, 2024, 09:56:28 PM
You're kidding me, right?
...
It's not about email.
I agree.

BlackHatCoiner on signature campaigns:
...
Overall, this forum incentivizes quality posting, even though it might encourage shitposting sometimes.

Some members buy these high ranking accounts to run signature campaigns.


I believe in you.



19  Economy / Scam Accusations / Re: FreeBitco.in Appears Hacked - Monthly Prize Money Stolen From Multiple Users on: May 05, 2024, 11:50:39 AM
That rogue jquery cdn include is some serious obfuscation. It doesn't look like that one is easy to unobfuscate. It is an enormous function built by lots of mini functions referencing memory addresses, very hard to follow. It would take me hours to decipher all that.

It's gone!
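
An added example, not part of the forum posts and not code from the site: one way to audit a page for the kind of rogue third-party script include described in the post above. The hosts, the sample HTML and the function names are constructed placeholders.

```javascript
// Added example: flag external <script> includes that are off-allowlist or lack SRI.
// All hosts and the sample HTML are constructed placeholders.
const ALLOWED_HOSTS = new Set(["cdn.trusted.example"]);

// Parse the attribute text of one tag into an object with lowercase keys.
function parseAttrs(attrText) {
  const attrs = {};
  const re = /([^\s"'<>\/=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  for (const m of attrText.matchAll(re)) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? "";
  }
  return attrs;
}

// Return one finding per third-party script that should be reviewed.
// Simplification: a regex scan, so a ">" inside an attribute value is not handled.
function auditScripts(html, pageUrl, allowedHosts = ALLOWED_HOSTS) {
  const pageHost = new URL(pageUrl).hostname;
  const findings = [];
  for (const m of html.matchAll(/<script\b([^>]*)>/gi)) {
    const attrs = parseAttrs(m[1]);
    if (!attrs.src) continue; // inline scripts are out of scope for this check
    let url;
    try {
      url = new URL(attrs.src, pageUrl); // resolves relative and "//host/..." forms
    } catch {
      findings.push({ src: attrs.src, issue: "unparseable-src" });
      continue;
    }
    if (url.hostname === pageHost) continue; // first-party file
    if (!allowedHosts.has(url.hostname)) {
      findings.push({ src: url.href, issue: "host-not-allowlisted" });
    } else if (!/^sha(256|384|512)-\S+/.test(attrs.integrity || "")) {
      findings.push({ src: url.href, issue: "missing-sri" });
    }
  }
  return findings;
}

const SAMPLE_HTML = `
<script src="/js/app.js"></script>
<script src="https://cdn.trusted.example/jquery.min.js"
        integrity="sha384-CONSTRUCTEDPLACEHOLDERDIGEST" crossorigin="anonymous"></script>
<script src="https://cdn.trusted.example/plugin.js"></script>
<script src="//cdn.lookalike.example/jquery.min.js"></script>`;

console.log(auditScripts(SAMPLE_HTML, "https://site.example/account"));
```

A site operator can enforce the same allowlist in the browser with a Content-Security-Policy `script-src` directive, while the `integrity` attribute makes the browser reject a CDN file whose contents have changed.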
20  Economy / Gambling / Re: FreeBitco.in-$200 FreeBTC⭐Win Lambo🔥0.2BTC DailyJackpot🏆$32,500 Wager Contest on: May 05, 2024, 11:31:06 AM
It seems to me the freebitco.in's backend works as it should but somebody found a way to inject a script on the front-end of the app and it manipulates the DOM and tricks you into doing the shit you shouldn't be doing.

Like: "You are hacked, send x amount of btc to this address to get unhacked"

In reality, you weren't hacked at all. It is just what this script kiddie wants you to believe. Regardless of that, it should be handled asap.
Is it possible to solve this with manually putting some scripts in developers' console? Sorry if it's a dumb question, I am not a developer.

No, you can't do anything like that, and it looks like my assumption was half-true half-wrong, the attacker is able to send withdrawal requests to the server according to codergeek.

...
I wonder if this script can send a withdrawal request or change the withdrawal address though. Since it has access to the client side, it can do whatever it wants. (From your side)

Yes, it can do both. An unauthorised withdrawal was initiated on my account. And it was able to bypass my profile address.


The same thing happened to Legendary member BayAreaCoins.

That case is opened here:
https://bitcointalk.org/index.php?topic=5495097.msg64024210#msg64024210