(Feel free to quote or link this post in the LuckyBitcoinCasino.com Thread)
"Hacker" here. In short, I manipulated a game on LuckyBitcoinCasino.com to let me bet coins I didn't actually have. The API for the roulette game accepted negative bets. E.g. I was able to bet 100 coins on black, 100 coins on red and -199 coins on the number 34. This cost me exactly 1 coin, with the likely outcome that I would win 199.
The site also has a number of other security issues that I detailed via the support form to the site's owner, including the "right" way to fix them. So far, they have failed to acknowledge these flaws.
Just as an example, a blatant XSS flaw:
https://www.luckybitcoincasino.com/forgot.php?message=%3Cscript%3Ealert%28document.cookie%29%3C/script%3E
(Note that many modern browsers will now actually filter out JS passed via the URL. However, it's a bad idea to rely on this.)
I also noticed a number of SQL injection flaws around the site. The codebase seems to be very inconsistent in what is filtered and what isn't.
tl;dr: contrary to what the author(?) of the site proclaims, there's no such thing as "bug free code".
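Added example, not part of the original post and not the site's code: a server-side stake check that rejects the bet slip described above, shown next to the sum-only check that lets a negative stake offset the others. The function names, bet labels and `MAX_STAKE` limit are assumptions made for illustration.

```python
# Added example: server-side stake validation for a roulette bet slip.
# Function names, bet labels and limits are assumptions, not the site's code.

MAX_STAKE = 10_000  # assumed per-bet table limit


def naive_cost(bets):
    """Flawed check: trusts the sum, so a negative stake offsets the others."""
    return sum(stake for _, stake in bets)


def validate_bets(bets, balance):
    """Return the total cost, or raise ValueError if the slip is unacceptable."""
    if not bets:
        raise ValueError("empty bet slip")
    total = 0
    for target, stake in bets:
        # bool is a subclass of int, so exclude it explicitly
        if isinstance(stake, bool) or not isinstance(stake, int):
            raise ValueError(f"stake on {target!r} must be an integer")
        if stake <= 0:
            raise ValueError(f"stake on {target!r} must be positive")
        if stake > MAX_STAKE:
            raise ValueError(f"stake on {target!r} exceeds table limit")
        total += stake
    # Balance is checked only after every individual stake has passed.
    if total > balance:
        raise ValueError("insufficient balance")
    return total


# Constructed sample: the slip described in the post.
SLIP = [("black", 100), ("red", 100), ("34", -199)]

if __name__ == "__main__":
    print("naive cost:", naive_cost(SLIP))
    try:
        validate_bets(SLIP, balance=1)
    except ValueError as exc:
        print("rejected:", exc)
```

Each stake is validated on its own before anything is summed, so no single entry can reduce the total charged for the rest of the slip.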