BitcoinBetGames.com • FREE BTC • Video Poker • Quincunx • Provably Fair • NEW

[Cruxer]

RHavar thank you for this post, many usefull informations

If you're asking for help, it probably would help if you tell us the report details, otherwise we're flying blind  =)

There was not many details, thats the problem, since this user wanted serious BTC for disclosure of this information. He said there are two security flaws. One severe and one very very severe.
After some talk he gave couple hints. First that this very very severe one is about quincunx predicting coin path. Second one after further talk turned out to be hard to exploit CSRF in one function. We found it right away and its already fixed.
Giving that his one bug report was true, second could be also.

Anyway, only possible way of cheating in quincunx i could think of, would be to know current server seed in non hashed way. For example trivial mistake after reworking provably fair system, one place could be showing current server seed in non hashed way that should be hashed now. Finishing checking this.

dealing with the uncertainty if it was real or legitimate

It is hard, even more since first day design flaw which allowed user to calculate result before game. Ended without any harm, but we check everything twice now.

It's a weekly occurrence that someone brings up a really unusual streak

Yeah statistics is like that, you can have 50% chance for either 1 or 0, and get 1 for twenty times straight. Because of that very often people conclusion is that site is rigged, seen that many times on dice sites.

I saw earlier you had a max win of almost 50 BTC.

Max bet was 0.05 and it was lowered around ~14 hours ago to 0.01 temporary. Our provably fair system need 3rd party verification first, for safety of players and site itself.
It will be raised when we will be 100% sure of our provably fair system.

[1713932497]

1713932497

[1713932497]

1713932497

[1713932497]

1713932497

[VRNBY]

Sorry for my English . You do not even give me 0.5 BTC for responsible disclosure , and would only pay 0.1 BTC . I even gave a serious problem for free , and this is my job to eat.

Now you say you can pay 50 BTC winners per game , but you can not pay me 1 / 100th of it to help your security.

My time is too valueable to be wasted in this and has made it clear for the next person to find it more profitable to abuse your site getting insulted by your tiny bounties

[Cruxer]

Sorry for my English . You do not even give me 0.5 BTC for responsible disclosure , and would only pay 0.1 BTC . I even gave a serious problem for free , and this is my job to eat.

Now you say you can pay 50 BTC winners per game , but you can not pay me 1 / 100th of it to help your security.

My time is too valueable to be wasted in this and has made it clear for the next person to find it more profitable to abuse your site getting insulted by your tiny bounties

Your english is fine. We don't have official bug bounty, but your messages on chat sounded dangerously close to extortion or even blackmail. Give me 1.5 BTC or someone will abuse this bug and you will loose more.
Well how you could treat someone serious after something like that.

[VRNBY]

I just want things to get paid for my work. I am the security researcher it is job not nothing. All other sites gave me money if I found a serious problem. I tell you , several times I will no been abusing it or no will to .

If you can not have 0.5 BTC, then you should say so, I can sell you cheap. But you should not pretend that you can pay 50 BTC to give winners then because it is a lie to offer a prize you will not pay

[Cruxer]

I just want things to get paid for my work. I am the security researcher it is job not nothing. All other sites gave me money if I found a serious problem. I tell you , several times I will no been abusing it or no will to .

If you can not have 0.5 BTC, then you should say so, I can sell you cheap. But you should not pretend that you can pay 50 BTC to give winners then because it is a lie to offer a prize you will not pay

Blackmail failed, we found this bug. In quincunx ajax response. There was commented out not hashed server seed.
We have it documented. Only one user exploited this.
Hackers vs BitcoinBetGames 0:2

[Cruxer]

Rework of provably fair system is now complete
It would be nice to be verified by third party.
We also upgraded our real time chat.

Happy playing!

[Girlscout]

...
Address lookup

canonical name   bitcoinvanitygen.com.
aliases   
addresses   104.27.129.8
104.27.128.8
Domain Whois record

Queried whois.internic.net with "dom BitcoinVanityGen.com"...

   Domain Name: BITCOINVANITYGEN.COM
   Registrar: OVH
   Sponsoring Registrar IANA ID: 433
   Whois Server: whois.ovh.com
   Referral URL: http://www.ovh.com
   Name Server: BRAD.NS.CLOUDFLARE.COM
   Name Server: SANDY.NS.CLOUDFLARE.COM
   Status: clientDeleteProhibited http://www.icann.org/epp#clientDeleteProhibited
   Status: clientTransferProhibited http://www.icann.org/epp#clientTransferProhibited
   Updated Date: 29-apr-2015
   Creation Date: 26-mar-2014
   Expiration Date: 26-mar-2016

>>> Last update of whois database: Tue, 28 Jul 2015 07:26:43 GMT <<<
Queried whois.ovh.com with "BitcoinVanityGen.com"...

Domain Name: bitcoinvanitygen.com
Registry Domain ID: 1852143808_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.ovh.com
Registrar URL: http://www.ovh.com
Updated Date: 2015-04-29T19:48:18.0Z
Creation Date: 2014-03-26T21:38:13.0Z
Registrar Registration Expiration Date: 2016-03-26T21:38:13.0Z
Registrar: OVH, SAS
Registrar IANA ID: 433
Registrar Abuse Contact Email: abuse@ovh.net
Registrar Abuse Contact Phone: +33.899498765
Domain Status: clientTransferProhibited
Domain Status: clientDeleteProhibited
Registry Registrant ID:
Registrant Name: Nosalik Remigiusz
Registrant Organization:
Registrant Street: bitcoinvanitygen.com, office #6917528, c/o OwO, BP80157
Registrant City: 59053
Registrant State/Province:
Registrant Postal Code: Roubaix Cedex 1
Registrant Country:  FR
Registrant Phone: +33.899498765
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: 1pwjyznfxd4rhcmij32q@e.o-w-o.info
Registry Admin ID:


Domain Name: bitcoinbetgames.com
Registry Domain ID: 1917404004_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.ovh.com
Registrar URL: http://www.ovh.com
Updated Date: 2015-04-09T21:27:11.0Z
Creation Date: 2015-04-07T19:42:12.0Z
Registrar Registration Expiration Date: 2016-04-07T19:42:12.0Z
Registrar: OVH, SAS
Registrar IANA ID: 433
Registrar Abuse Contact Email: abuse@ovh.net
Registrar Abuse Contact Phone: +33.899498765
Domain Status: clientTransferProhibited
Domain Status: clientDeleteProhibited
Registry Registrant ID:
Registrant Name: Nosalik Remigiusz
Registrant Organization: VERSERO
Registrant Street: Opolska 14/11
Registrant City: Jastrzębie Zdrój
Registrant State/Province:
Registrant Postal Code: 44-335
Registrant Country: PL
Registrant Phone: +48.607495744
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: ynmawox4ddhtcgwrorpf@c.o-w-o.info
Registry Admin ID:
Admin Name: Nosalik Remigiusz
Admin Organization: VERSERO
Admin Street: Opolska 14/11
Admin City: Jastrzębie Zdrój
Admin State/Province:
Admin Postal Code: 44-335
Admin Country: PL
Admin Phone: +48.607495744
Admin Phone Ext:
Admin Fax:
Admin Fax Ext:
Admin Email: 7oazbns44x9ywqn87agu@k.o-w-o.info
Registry Tech ID:
Tech Name: Nosalik Remigiusz
Tech Organization: VERSERO
Tech Street: Opolska 14/11
Tech City: Jastrzębie Zdrój
Tech State/Province:
Tech Postal Code: 44-335
Tech Country: PL
Tech Phone: +48.607495744
Tech Phone Ext:
Tech Fax:
Tech Fax Ext:
Tech Email: 7oazbns44x9ywqn87agu@k.o-w-o.info
Name Server: ns3.bitcoinbetgames.com
Name Server: ns4.bitcoinbetgames.com
DNSSEC: unsigned
URL of the ICANN WHOIS Data Problem Reporting System:
http://wdprs.internic.net/
>>> Last update of WHOIS database: 2015-04-09T23:33:43.0Z


Seems he is also the owner/operator of the shady ass site Bitcoinvanitygen.com that steals peoples coins