Bitcoin Forum
Author Topic: MagicalDice - Need beta testing [Bounty for bugs]  (Read 2903 times)
lyco
Newbie
Activity: 9
Merit: 0
August 30, 2015, 01:43:36 PM
#41


troubleshooting target: fountain (for abuse potential)
exploit found: captcha bypass assuming 0 balance

with any of the three adblock extensions enabled, captcha is checked after simply clicking (no selecting images) so long as balance is 0 - this enables me to use autokey (autohotkey on windows) to continually through automated click-events, claim 500 satoshi and bet it at an absurd multiplier until i essentially steal 55k satoshi by recording a few mouse click events and retiring to the opium den until autokey alerts me that i've succeeded in ripping off your fountain.

https://i.imgur.com/NtI5OnC.png

(difficult to take a screen of something NOT happening, but all i have to do is click the human verification and it accepts as if i had completed a captcha, then allows me to claim)

note that once the balance is over 0 the captcha modal window does appear and does not award additional coin upon completion. it simply allows for an automation scheme if the user bets all 500 satoshi at 1% odds / 99x multiplier.

software tech specs: debian-ish linux running chromium/webkit-based browser using stock adblock plus extension out of chrome app store

ok!

- Lyco / user "harlequence" on magicaldice
- Joshua Ryan Nydel - nydel at ma dot sdf dot org for mail
cryptasm
Legendary
Activity: 997
Merit: 1002
Gamdom.com
August 30, 2015, 02:33:17 PM
#42

> 50% bet pays out WAY less than 50% of the time, based on 100 rolls

that comes from the house edge I am sure, or if you mean something else please be more detailed =)
cryptasm
Legendary
Activity: 997
Merit: 1002
Gamdom.com
August 30, 2015, 02:33:42 PM
#43


Quote from: lyco on August 30, 2015, 01:43:36 PM (post #41 above, quoted in full; omitted here as a duplicate)

Ok waiting for the dev to check it
lyco
Newbie
Activity: 9
Merit: 0
August 30, 2015, 02:57:16 PM
#44

troubleshooting target: host filesystem data
issue found: redundant local cookies


upon modification, the cookies user_name and user_password simply duplicate themselves on next visit, surely on order of the PHPSESSID.

https://i.imgur.com/bR8Av9g.png

https://i.imgur.com/SCDrcBU.png



ideally this should be the only client-side cookie necessary (that containing the php session id):


https://i.imgur.com/z0f4xpO.png


i was unable to identify the hash algorithm used to generate the value stored in user_password but it is 40 characters long which leads me to believe it's not a fixed compression. unless the function is an original - as opposed to a publicly-known algorithm or the use of two one-way cryptographic hash functions - i have no doubt that a malicious person would be able to, after pulling the data from a compromised client-side filesystem, use typical brute-force methods to reverse-encrypt-and-match the password.

if done on a large scale, through the use of something like a freely-downloaded "bot for magicaldice.com" piece of sh't or whatever, or through the use of range-control virus/worm infection (targets selected through the likeliness that they are members of magicaldice) then of course this means the unethical a-hole engineer behind the attack would be able to log in as and empty the wallets of any user either a) simple enough to run microsoft windows as an operating system b) stupid enough to run a binary file on their personal computer without access to the source.

while i can't imagine the necessity for either of these cookies, if there is for them in fact a use, then i would recommend renaming both of them to less-obvious targets for a thief, and using a one-way encryption on the value of user_name as well (it is currently simply the unmodified username).

- Lyco / user "harlequence" on magicaldice
- Joshua Ryan Nydel - nydel at ma dot sdf dot org for mail
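A server-side alternative to the user_name / user_password cookies described in this post, written as an added Python example (not MagicalDice's code): the browser keeps only a random token, the server keeps a one-way hash of it, and nothing derived from the password ever leaves the server. The class and function names, the 30-day lifetime and the in-memory table are assumptions.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL_SECONDS = 30 * 24 * 3600   # assumed 30-day lifetime for a persistent login


class RememberMeStore:
    """Server-side table of persistent-login tokens (in-memory here for the example).

    The cookie value is "<token_id>:<secret>". Only sha256(secret) is kept on the
    server, so neither a copied cookie file nor a copied table yields a password
    hash to brute-force, and a stolen cookie can be revoked without touching the
    account password.
    """

    def __init__(self):
        self._tokens = {}   # token_id -> (sha256(secret) hex, username, expiry)

    @staticmethod
    def _digest(secret):
        return hashlib.sha256(secret.encode("utf-8")).hexdigest()

    def issue_token(self, username, now=None):
        """Create a token for a freshly authenticated user; return the cookie value."""
        now = time.time() if now is None else now
        token_id = secrets.token_hex(8)      # public lookup key
        secret = secrets.token_hex(32)       # 256 random bits; never stored in clear
        self._tokens[token_id] = (self._digest(secret), username, now + TOKEN_TTL_SECONDS)
        return f"{token_id}:{secret}"

    def verify_token(self, cookie_value, now=None):
        """Return the username the cookie belongs to, or None if it is unknown,
        tampered with, or expired (expired tokens are dropped from the table)."""
        now = time.time() if now is None else now
        token_id, sep, secret = str(cookie_value).partition(":")
        record = self._tokens.get(token_id) if sep else None
        if record is None:
            return None
        stored_digest, username, expiry = record
        if now > expiry:
            del self._tokens[token_id]
            return None
        # constant-time compare: verification time leaks nothing about the stored digest
        if not hmac.compare_digest(stored_digest, self._digest(secret)):
            return None
        return username

    def revoke(self, cookie_value):
        """Log the browser out server-side; the cookie is worthless even if copied."""
        self._tokens.pop(str(cookie_value).partition(":")[0], None)
```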
lyco
Newbie
Activity: 9
Merit: 0
August 30, 2015, 03:24:43 PM
Last edit: August 30, 2015, 03:44:52 PM by lyco
#45


non-urgent gui issue: private message modal doesn't disappear after message is sent. if this is intentional, the value of the message textbox should reset to blank after a message is sent (see a few messages up, "..it's HUGE trouble, man can you..." was sent twice && as you can see the text of a sent message remains in the modal in the screengrab after it is sent and appears in chat):

https://i.imgur.com/RW493Yu.png

ok!

- Lyco / user "harlequence" on magicdice
- Joshua Ryan Nydel - nydel at ma dot sdf dot org for mail
ndnh
Legendary
Activity: 1302
Merit: 1005
New Decentralized Nuclear Hobbit
August 30, 2015, 03:41:49 PM
#46


Quote from: lyco on August 30, 2015, 01:43:36 PM (post #41 above, quoted in full; omitted here as a duplicate)

That is with reCaptcha. That is completely not related to the site. 8)
lyco
Newbie
Activity: 9
Merit: 0
August 30, 2015, 03:49:13 PM
#47


Quote from: ndnh on August 30, 2015, 03:41:49 PM (post #46 above, which quotes lyco's post #41 in full; the quoted post is omitted here as a duplicate)
> That is with reCaptcha. That is completely not related to the site. 8)

Oh wow, this is necessary? Ok:

While aware that a third-party captcha service is being used, the site's design to award 500 satoshi to anyone with a balance of 0 presents a unique risk.

Since the third-party service is in fact very much related to the site, and the exploit cannot happen without the site's design in relation to the captcha service's problem, we are left with two options:

1) Do something to make sure nobody's using this exploit.
2) Tell Lyco that this is an issue "completely not related to this site" and make him write this, then do #1 anyway.

ok!

- Lyco / user "harlequence" on magicdice
- Joshua Ryan Nydel - nydel at ma dot sdf dot org for mail
someguy123
Sr. Member
Activity: 336
Merit: 254
CEO of Privex Inc. (www.privex.io)
August 30, 2015, 04:27:50 PM
#48


Quote from: lyco on August 30, 2015, 03:49:13 PM (post #47 above, quoted in full together with its nested quotes of posts #46 and #41; omitted here as a duplicate)

This is because of Google linking you to your google account. Honestly you can't do much with that anyway. You can't withdraw those 500 satoshis, and if you can't get more until your balance hits 0, then it's not exactly helping you any more than an annoying full validation captcha would.

someguy123
Sr. Member
Activity: 336
Merit: 254
CEO of Privex Inc. (www.privex.io)
August 30, 2015, 04:28:15 PM
#49


Quote from: lyco on August 30, 2015, 03:24:43 PM (post #45 above, quoted in full; omitted here as a duplicate)

Fixed.

lyco
Newbie
Activity: 9
Merit: 0
August 30, 2015, 05:18:25 PM
#50


Quote from: someguy123 on August 30, 2015, 04:27:50 PM (post #48 above, quoted in full together with its nested quotes of posts #47, #46 and #41; omitted here as a duplicate)

my preliminary model of a malicious person's autokey script is set to claim the fountain's 500 satoshi then bet it at 1% until it wins twice in a row.

this would total 0.04900500 BTC.

it can complete the first bet around 6 times per minute - though i estimate that rate could be near doubled on a dedicated machine - and a malicious person's otherwise-idle laptop(s) -- not a malicious person, but simply their otherwise-idle laptop -- could run it all day, every day, for as long as you guys are online.

with no offense meant whatsoever, i honestly cannot tell if you simply don't understand the severity of this exploit, or if rather you think that the exploit's ingenuity renders it too unlikely to pose a threat, or if you simply don't want to acknowledge my work in order to avoid paying bounty. regardless, i signed on to answer a distress call & take an opportunity to ethically utilize my expertise in the field, and i simply don't do half-ass jobs. you have a very serious exploit that involves an opportunity for a determined person to take money directly from your organization with no consequences, and i'm the one who noticed it, so it's my obligation to do this:


proposed methods of prevention

intended to stop the exploit before it has time to yield results:

method 01: put a time restriction on fountain queries.
detail: the most efficient implementation of this theory starts with a 15 second clock and doubles the countdown timer length every time a claim is made in less than double the current countdown time.
advantages: completely disable the exploit
disadvantages: threaded timer processes could stress resources or even allow for a special type of organized attack - the odds of this are close to negligible, and the consequences would simply be a slowdown in the site's performance or at theoretical worst a bandwidth overload.

method 02: periodically scan for 500 satoshi bets at odds percentages under 05.
detail: every 15 minutes, scan the bet database's appended entries for bets that meet these criteria: a) amount is less than 501 satoshi b) odds are equal to or below 5% - next the results matching criteria a & b count the userid column for repeats. any user appearing in the result list over 50 times (arrived at this figure assuming ~3 to 4 bets per minute) is flagged as using the exploit then dealt with accordingly (account disabled, either permanently or perhaps for 60 minutes in the case that the criteria leave any room for mistake).
advantages: organization is likely to successfully hide from the exploit indefinitely, and save on computer power usage as compared with that of method one
disadvantages: allows users to run the exploit at a slower speed with no consequences.


i would recommend the first method or a combination of the two over the second method by itself. ignoring the exploit is indeed a third option, but i think my obligation ends just before a blitzkrieg attempt at making sure it's understood how dangerous that is.


let me know if there's anything else/anything i can do to help further/help!.

ok!

- Lyco / user "harlequence" on magicaldice
- Joshua Ryan Nydel - nydel at ma dot sdf dot org for mail
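Both prevention methods proposed above, written out as an added Python example (not MagicalDice's code): FountainLimiter implements method 01's doubling countdown per user, and flag_fountain_abusers implements method 02's periodic scan for small low-odds bets. The names, the in-memory state and the constructed SAMPLE_BETS are assumptions; the post specifies no decay of the countdown, so none is implemented.

```python
import collections

FOUNTAIN_AMOUNT_SAT = 500    # the fountain pays 500 satoshi per claim (from the thread)
BASE_COOLDOWN = 15.0         # method 01: initial countdown, in seconds


class FountainLimiter:
    """Method 01: per-user countdown between fountain claims.

    A claim inside the countdown is refused. A claim that lands after the
    countdown but before twice its length is accepted, and the countdown doubles
    for that user. The post specifies no decay, so none is implemented here.
    """

    def __init__(self):
        self._state = {}   # user -> (time of last accepted claim, current cooldown)

    def try_claim(self, user, now):
        """Return (accepted, seconds_remaining); seconds_remaining is 0.0 when accepted."""
        last, cooldown = self._state.get(user, (None, BASE_COOLDOWN))
        if last is not None:
            elapsed = now - last
            if elapsed < cooldown:
                return False, cooldown - elapsed
            if elapsed < 2 * cooldown:
                cooldown *= 2          # claimed "too soon": lengthen the countdown
        self._state[user] = (now, cooldown)
        return True, 0.0

    def cooldown(self, user):
        return self._state.get(user, (None, BASE_COOLDOWN))[1]


Bet = collections.namedtuple("Bet", "user amount_sat odds_pct timestamp")


def flag_fountain_abusers(bets, window_start, window_seconds=15 * 60,
                          max_amount_sat=FOUNTAIN_AMOUNT_SAT, max_odds_pct=5.0,
                          threshold=50):
    """Method 02: scan the bets appended during one window (15 minutes by default)
    and return the users who placed more than `threshold` bets of at most 500
    satoshi at odds of 5% or lower. The caller decides how to act on the list."""
    window_end = window_start + window_seconds
    counts = collections.Counter(
        bet.user for bet in bets
        if window_start <= bet.timestamp < window_end
        and bet.amount_sat <= max_amount_sat
        and bet.odds_pct <= max_odds_pct
    )
    return sorted(user for user, n in counts.items() if n > threshold)


# Constructed sample data: one automated claim-and-bet loop ("bot") at roughly six
# bets a minute, a casual player, a big bettor at the same odds, and an older burst
# that falls outside the first scanned window.
SAMPLE_BETS = (
    [Bet("bot", 500, 1.0, 60 + i * 10) for i in range(60)]
    + [Bet("human", 500, 1.0, 60 + i * 60) for i in range(10)]
    + [Bet("whale", 10_000, 1.0, 60 + i * 10) for i in range(60)]
    + [Bet("old_bot", 500, 1.0, 5_000 + i) for i in range(60)]
)
```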
lyco
Newbie
Activity: 9
Merit: 0
August 30, 2015, 05:45:01 PM
#51

troubleshooting target: betting calculations
issue found: discrepancy between multiplier/odds depending on which one user submits

for example, while entering 49.50 as my odds should yield a multiplier of 2.0, it yields 2.00020, & pays me, as demonstrated here (see most recent two bets):

https://i.imgur.com/2Ifa1fh.png

a minor issue in the wildly-short term, but likely easily-fixable.

ok!

- Lyco / "lyco" on magicaldice now as i apparently forgot "harlequence" password
- Joshua Ryan Nydel - nydel at ma dot sdf dot org for mail
Kuz3451
Newbie
Activity: 16
Merit: 0
August 30, 2015, 06:47:41 PM
#52

Hey, I am liking this website - seems pretty stable. When testing it this morning I only came across 2 bugs which need to be fixed:

1. Max bet limit [FIXED BY KALE]

When betting through the website the max accumulated profit is 5 BTC if you put the wager and profit together. For example, if you try betting over 2.5 BTC on the x2 multiplier you get this error:

https://i.imgur.com/SNOR7mr.png

However when I dug deeper into the code, I noticed this check was being done client sided in both of the roll button event handlers.
So what I did instead was made a PHP script which contacted the server directly to make the bet, where the wager itself was over 5 BTC. This ended up going through successfully:

https://i.imgur.com/GwBTkIj.png



2. Autopilot Bug

When testing out the increment feature on autopilot I noticed another unusual occurrence. I set the start bet to 0.01 BTC and on loss told it to increase by 100%; after a few runs on this setting, I noticed autopilot bet the same amount on win twice after it lost the initial 0.01 bet. (Autopilot also lagged a couple of times, which may have caused this to happen)

https://i.imgur.com/MTSzTxs.png


That's all from me :)
 
lyco
Newbie
Activity: 9
Merit: 0
August 30, 2015, 07:07:27 PM
#53

Quote from: Kuz3451 on August 30, 2015, 06:47:41 PM (post #52 above, quoted in full; omitted here as a duplicate)


clap clap! that php impostor-script exploit is brilliant.

by the by, re issue #2: earlier today another user tried automated betting, and the option to reset to base after a win was defective, betting and losing double once after a win before then resetting to base as the user programmed it to do. i haven't been able to clone that event or any of the other autobet errors, which leads me to believe they're based on latency issues.
Kuz3451
Newbie
Activity: 16
Merit: 0
August 30, 2015, 07:21:10 PM
Last edit: August 30, 2015, 11:20:01 PM by Kuz3451
#54

@lyco yes I believe so too, that issue has something to do with connectivity as it occurred on a lag. After getting that issue popping up it's been difficult to make it arise again. :)
yolanda123
Newbie
Activity: 35
Merit: 0
August 31, 2015, 12:53:55 PM
#55

how long again until launching?
jt byte
Hero Member
Activity: 994
Merit: 500
August 31, 2015, 12:56:19 PM
#56

Hit me up; when I have time I will check if there is any bug in your website, I would be happy to find one.
Stars (OP)
Sr. Member
Activity: 462
Merit: 250
August 31, 2015, 01:11:26 PM
#57

We will be launching in roughly 24h from now!

everaja
Hero Member
Activity: 490
Merit: 500
~ScapeGoat~
August 31, 2015, 01:18:14 PM
#58

Quote from: Stars on August 31, 2015, 01:11:26 PM
> We will be launching in roughly 24h from now!

Will bounty be distributed for bugs before launch or after launch?
On behalf of all bug finders I request you to mention the names of the guys who found bugs in the OP, as your list there is still blank.

Good luck for the launch, hope to enjoy. :P


someguy123
Sr. Member
Activity: 336
Merit: 254
CEO of Privex Inc. (www.privex.io)
August 31, 2015, 01:57:11 PM
#59

Hey Lyco. I'm not sure how your "exploit" is a problem. I just checked, and most other BTC dice sites with a faucet, including PrimeDice and Rollin.io, use the exact same captcha and a similar static timer. You can't make another claim within 3 minutes of the previous.

If it's so easy to turn 0.00000500 into 0.049, then why do you need to abuse the faucet anyway? From that 0.049 you could make close to 10,000 500 whole satoshi bets.

I could understand if it was bet>instant claim>bet repeat etc. but you can't do that, you have to wait 3 minutes before you can claim again.

Kuz3451
Newbie
Activity: 16
Merit: 0
August 31, 2015, 04:21:05 PM
Last edit: August 31, 2015, 04:54:01 PM by Kuz3451
#60

Hey Kuz here with another update. Testing the autopilot system again this morning I seemed to have found another bug, very minor but yea.

With Autopilot, if you were to reach the max bet limit during a single run, the max bet limit popup won't display and autopilot would continue to run performing no bets. As you can see in the screenshot below, I set my autopilot to a base bet of 0.1 and lost all the way to 1.6; I can't perform a 3.2 BTC bet as it exceeds the max bet limit of 5 BTC, so in reality I should be getting the max bet limit popup error... but I don't:

https://i.imgur.com/DraYaMM.png


[FIXED BY SOMEGUY123]
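Server-side enforcement of the 5 BTC limit discussed in posts #52 and #60 (wager plus profit together), as an added Python example and not MagicalDice's code: the check runs on the server against the raw request, so a script that skips the roll-button handlers still hits it, and the same check tells an autopilot run when its next doubled wager would cross the limit. The field names, the integer-satoshi representation and the balances used are assumptions.

```python
from decimal import Decimal, InvalidOperation

SATOSHI = Decimal(100_000_000)
MAX_PAYOUT_SAT = 5 * 100_000_000   # 5 BTC: wager plus profit together, as stated in the thread


def btc_to_sat(text):
    """Parse a BTC amount from the request as an exact integer satoshi count (None if invalid)."""
    try:
        value = Decimal(str(text)) * SATOSHI
    except InvalidOperation:
        return None
    if not value.is_finite() or value != value.to_integral_value():
        return None
    return int(value)


def validate_roll(params, balance_sat):
    """Check a roll request on the server. Returns (True, payout_sat) or (False, reason).

    params mimics the form fields a browser (or a hand-written script) would POST;
    nothing the client claims to have validated is trusted.
    """
    wager_sat = btc_to_sat(params.get("wager", ""))
    if wager_sat is None or wager_sat <= 0:
        return False, "invalid wager"
    try:
        multiplier = Decimal(str(params.get("multiplier", "")))
    except InvalidOperation:
        return False, "invalid multiplier"
    if not multiplier.is_finite() or multiplier <= 1:
        return False, "invalid multiplier"
    if wager_sat > balance_sat:
        return False, "insufficient balance"
    payout_sat = int(wager_sat * multiplier)   # wager + profit, truncated to whole satoshi
    if payout_sat > MAX_PAYOUT_SAT:
        return False, "max bet limit: wager plus profit may not exceed 5 BTC"
    return True, payout_sat


def autopilot_losing_run(start_btc, increase_pct, multiplier, balance_sat):
    """Simulate an autopilot run that loses every roll and raises the wager by
    increase_pct after each loss, stopping at the first wager the server rejects.
    Returns (accepted_wagers_in_satoshi, rejection_reason)."""
    wager_sat = btc_to_sat(start_btc)
    accepted = []
    while True:
        request = {"wager": str(Decimal(wager_sat) / SATOSHI), "multiplier": multiplier}
        ok, detail = validate_roll(request, balance_sat)
        if not ok:
            return accepted, detail
        accepted.append(wager_sat)
        balance_sat -= wager_sat                  # the roll was lost
        wager_sat += wager_sat * increase_pct // 100
```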