Bitcoin Forum
Pages: « 1 2 3 4 5 6 7 [8] 9 10 »  All
Author Topic: Hack Into BitDice And Get 1BTC!  (Read 6752 times)
SparkedDev (Hero Member, Activity 896, Merit 1000)
December 24, 2016, 10:50:07 PM  #141

1.4 million passwords attempted to gain access to your site...

Looks secure to me!

Few issues I did find will be submitted via email for security reasons.

PS: when posting something online saying "come hack us", that in my eyes sends the wrong signals.

You should have done this via Bugcrowd. Don't be surprised if you find hackers poking about your server.. seems you don't even use Cloudflare to hide the IP.. and with multiple servers and ports open.. expect some people to try other tactics as you boast about "how secure" you are..


I was having the same thought about this: put a target on your site and you can't be too sure what's coming.

UGMZ (Newbie, Activity 14, Merit 0)
December 24, 2016, 11:15:12 PM  #142

1.4 million passwords attempted to gain access to your site...

Looks secure to me!

Few issues I did find will be submitted via email for security reasons.

PS: when posting something online saying "come hack us", that in my eyes sends the wrong signals.

You should have done this via Bugcrowd. Don't be surprised if you find hackers poking about your server.. seems you don't even use Cloudflare to hide the IP.. and with multiple servers and ports open.. expect some people to try other tactics as you boast about "how secure" you are..


I was having the same thought about this: put a target on your site and you can't be too sure what's coming.

One wrong move, one XSS vuln, some misconfigured backend DB or service (including SSH) and you could be regretting posting this and challenging people.

Further to this, I would have specified the scope for people to attempt. From what I see you have not said anywhere about people attempting other ways to gain access to the site, or specifically that account. I'm sure by now you must be seeing lots of traffic towards all points in the site; you should no doubt be able to see this from the panel.

I would reword this to exclude types of hacking against your servers and processes.

I did find one or two issues but as I said these will be disclosed to the site only (nothing serious).
fiscorcle (Hero Member, Activity 994, Merit 502)
December 25, 2016, 12:37:58 AM  #143

Hey guys,

The whole thing was to prove default settings. As I've mentioned in the first post, I did not set any additional security settings. This is security by default, which each user gets after registration. You can lower it if you feel comfortable, or increase it. It's up to you. But by default you should be as safe as your email provider.

Regarding security problems with email, your account can still be safe even if your email has been compromised. Just set 2FA. You can also set an IP address lock, or a withdrawal address lock. We provide as many options as you can possibly use.

Regards,
Alex

But if a hacker has hacked the email and he has the password to the account, can't he just reset the withdrawal address and the IP address? Or by 2FA do you mean something other than email? I'm sorry if my question was a stupid one, I'm new to this thing.

They also have a 2FA option to use your phone as 2FA with Google Authenticator or similar. This is probably an even more secure method than email, as they would have to have access to your phone in order to get the 2FA code.

2FA is the more secure way; that's why you need to be careful.
When and if you enable it, you MUST store your 16-digit code/key somewhere.
If you don't and you lose your device, you are in a black hole...

Yeah, especially if it's for your e-mail, which has the 2FA keys for the rest of your accounts. Who would do something like that?

*looks around*

But seriously, always print out/write down your backup keys. ALWAYS!
UGMZ (Newbie, Activity 14, Merit 0)
December 25, 2016, 12:52:25 AM (last edit: December 25, 2016, 01:13:51 AM by UGMZ)  #144

https://s27.postimg.org/6l13999f7/Lock.png

Found this big lock page while I was having a poke.

That's one hell of a padlock!

You might want to remove the following from the source of that SVG file:

Generator: Adobe Illustrator 19.2.1, SVG Export Plug-In . SVG Version: 6.00 Build 0)

It gives potential attackers clues: version numbers etc.

Also, visiting this link https://www.bitdice.me/password/ shows a text box saying

So I attempted this

https://www.bitdice.me/password/email/

I was then presented with the Change Password box.. yet I was not logged in as a user.....

"If we have this email in our database, you will receive information on how to reset your password within a minute."

Fuzzing the data between the browser and server, I'm sure there could be some way of "editing" the contact@bitdice.me email.

Either way, I don't think that message should be showing for a non-registered user by visiting that link.

I think you are inviting problems.. Give me 24 hrs, I think I can get to that 1 BTC..

Either way.. you need to check the links.. that is not "good" admin; having boxes popping up could lead to XSS.

Further to this, you should obfuscate the code linking to Sentry.. PS: check your email contact@bitdice.com for the Sentry reset link I managed to send you....

Code:
Recover Account

We have sent an email to the address registered with this account containing further instructions to reset your password.

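As an added illustration of the behaviour the post above is pointing at (example code written for this thread, not BitDice's code or the poster's): a reset request that answers identically whether or not the address is registered, and a change-password box that is rendered only for a valid, unexpired, single-use token from the mailbox, never for a bare visit. The USERS table, TOKEN_TTL and the in-memory store are constructed assumptions.

```python
import secrets
import time
from dataclasses import dataclass, field

# Constructed example account table (not BitDice's data): email -> record.
USERS = {"alice@example.test": {"password_hash": "old-hash"}}

# Generic reply sent to everyone. It deliberately matches the wording quoted
# above, because the point is that it never changes with the input.
RESET_MSG = ("If we have this email in our database, you will receive information "
             "on how to reset your password within a minute.")

TOKEN_TTL = 15 * 60  # seconds a reset token stays valid (assumed policy)


@dataclass
class ResetStore:
    """In-memory stand-in for the server's token table and outgoing mail queue."""
    tokens: dict = field(default_factory=dict)  # token -> (email, expiry)
    outbox: list = field(default_factory=list)  # (email, token) "sent" mails


def request_reset(store, email, now=None):
    """Equivalent of submitting the /password/email/ form.

    Unknown and known addresses get the same message, and a token is generated
    either way, so neither the response body nor the timing says whether the
    address is registered. Only a registered address has the token recorded
    and mailed.
    """
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    addr = email.strip().lower()
    if addr in USERS:
        store.tokens[token] = (addr, now + TOKEN_TTL)
        store.outbox.append((addr, token))
    return RESET_MSG


def can_show_change_form(store, token, now=None):
    """Decide whether to render the change-password box.

    A bare visit (no token) or a guessed token gets nothing; the form appears
    only for a token that was mailed out and has not expired or been used.
    """
    now = time.time() if now is None else now
    entry = store.tokens.get(token)
    return entry is not None and now < entry[1]


def change_password(store, token, new_hash, now=None):
    """Consume the token and store the new password hash; True on success."""
    now = time.time() if now is None else now
    if not can_show_change_form(store, token, now):
        return False
    email, _ = store.tokens.pop(token)  # single use: token is gone after this
    USERS[email]["password_hash"] = new_hash
    return True
```
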
shulio (Legendary, Activity 1540, Merit 1016)
December 25, 2016, 03:21:27 AM  #145


Either way, I don't think that message should be showing for a non-registered user by visiting that link.

I think you are inviting problems.. Give me 24 hrs, I think I can get to that 1 BTC..

Either way.. you need to check the links.. that is not "good" admin; having boxes popping up could lead to XSS.

Further to this, you should obfuscate the code linking to Sentry.. PS: check your email contact@bitdice.com for the Sentry reset link I managed to send you....

Code:
Recover Account

We have sent an email to the address registered with this account containing further instructions to reset your password.



Well, the reason that they made this is for the user to find the exploit. The higher the bounty, the more people will actually try to get it, and finally someone made a solid achievement, at least for now. It sheds some light here, and if you actually ended up getting the 1 BTC then they would be able to fix the hole that you made it through.
arwin100 (Hero Member, Activity 2744, Merit 812)
December 25, 2016, 06:32:55 AM  #146



Found this big lock page while I was having a poke.

That's one hell of a padlock!

You might want to remove the following from the source of that SVG file:

Generator: Adobe Illustrator 19.2.1, SVG Export Plug-In . SVG Version: 6.00 Build 0)

It gives potential attackers clues: version numbers etc.

Also, visiting this link https://www.bitdice.me/password/ shows a text box saying

So I attempted this

https://www.bitdice.me/password/email/

I was then presented with the Change Password box.. yet I was not logged in as a user.....

"If we have this email in our database, you will receive information on how to reset your password within a minute."

Fuzzing the data between the browser and server, I'm sure there could be some way of "editing" the contact@bitdice.me email.

Either way, I don't think that message should be showing for a non-registered user by visiting that link.

I think you are inviting problems.. Give me 24 hrs, I think I can get to that 1 BTC..

Either way.. you need to check the links.. that is not "good" admin; having boxes popping up could lead to XSS.

Further to this, you should obfuscate the code linking to Sentry.. PS: check your email contact@bitdice.com for the Sentry reset link I managed to send you....

Code:
Recover Account

We have sent an email to the address registered with this account containing further instructions to reset your password.



Amazing. You truly have the skills of a hacker. What if there is no 1 BTC? What if they made this event to generate more traffic? For example, they can collect people to play their game for its security; that's why they made this event. Yes, people will first find the security of the site, so that their profits will not be hacked or stolen. Anyway, good luck on pentesting that site. Wish you luck. Just reply in this thread with your progress, so that we can manage to follow how you hacked their site.

Oilacris (Hero Member, Activity 3038, Merit 616)
December 25, 2016, 08:24:43 AM  #147



Found this big lock page while I was having a poke.

That's one hell of a padlock!

You might want to remove the following from the source of that SVG file:

Generator: Adobe Illustrator 19.2.1, SVG Export Plug-In . SVG Version: 6.00 Build 0)

It gives potential attackers clues: version numbers etc.

Also, visiting this link https://www.bitdice.me/password/ shows a text box saying

So I attempted this

https://www.bitdice.me/password/email/

I was then presented with the Change Password box.. yet I was not logged in as a user.....

"If we have this email in our database, you will receive information on how to reset your password within a minute."

Fuzzing the data between the browser and server, I'm sure there could be some way of "editing" the contact@bitdice.me email.

Either way, I don't think that message should be showing for a non-registered user by visiting that link.

I think you are inviting problems.. Give me 24 hrs, I think I can get to that 1 BTC..

Either way.. you need to check the links.. that is not "good" admin; having boxes popping up could lead to XSS.

Further to this, you should obfuscate the code linking to Sentry.. PS: check your email contact@bitdice.com for the Sentry reset link I managed to send you....

Code:
Recover Account

We have sent an email to the address registered with this account containing further instructions to reset your password.



Amazing. You truly have the skills of a hacker. What if there is no 1 BTC? What if they made this event to generate more traffic? For example, they can collect people to play their game for its security; that's why they made this event. Yes, people will first find the security of the site, so that their profits will not be hacked or stolen. Anyway, good luck on pentesting that site. Wish you luck. Just reply in this thread with your progress, so that we can manage to follow how you hacked their site.

Finally there is some member who made some move regarding this event, which is really great, showing some excellent skills in hacking the BitDice website. I would love to hear the opinion of the owner regarding this matter. I'm sure that there is a 1 BTC bounty on the account and the admin won't say a thing if he doesn't mean it.

TooMainstream (Full Member, Activity 172, Merit 100)
December 25, 2016, 09:50:57 AM  #148

Well, even without all the mechanisms I've been able myself to request the forgotten password stuff; I simply clicked on forgotten password.
What I'm saying is: if someone is able to access the actual email and get in, if you can, then you are all set.
Betwrong (Legendary, Activity 3290, Merit 2167)
December 25, 2016, 10:40:50 AM  #149

~

I think you are inviting problems.. Give me 24 hrs, I think I can get to that 1 BTC..

~


That sounds intriguing. I'm definitely going to visit this thread 24 hrs later. Although I'm far from being good at coding I hope I'm not wrong about general principles: no matter how good your security is, there's always a way to hack you, it just takes time and skills.

shulio (Legendary, Activity 1540, Merit 1016)
December 25, 2016, 12:34:11 PM  #150

Well, even without all the mechanisms I've been able myself to request the forgotten password stuff; I simply clicked on forgotten password.
What I'm saying is: if someone is able to access the actual email and get in, if you can, then you are all set.

That's the point of it, and for now he might be the closest one that actually could get this "far". However, if he doesn't, then at least he sheds some light that the page shouldn't be accessible like that. Well, we shall see how far he gets through in 24 hours as he has stated; however, I'm pretty convinced that it might take more than that.
TooMainstream (Full Member, Activity 172, Merit 100)
December 25, 2016, 01:57:22 PM  #151

That's because he needs to bypass the possible password he may find, or security he may find once he's in.
UGMZ (Newbie, Activity 14, Merit 0)
December 25, 2016, 05:53:05 PM  #152

Well, it's getting close to the 24 hrs since I posted. Being the holidays, I have been partaking in the traditional whiskey & food and building toys that Santa left for the kids!

So I will change my prediction to 7 days.

I have been running multiple scans on the site and there are a few admin errors that should be addressed, which I will report back to the site once I have a full report for them.

I also think their email is hosted elsewhere, down to the fact that there do not seem to be any "mail" protocols running on the server, which would mean that the mail is hosted elsewhere.

I shall keep you all informed and up to date as I progress through this task!

Merry Xmas!
zef316 (Sr. Member, Activity 434, Merit 250)
December 25, 2016, 08:35:01 PM  #153

Nowadays I am much afraid to try new websites like this with such an offer, as recently I joined a site like this which seemed good, but after joining all of my account data was stolen and all the money in my accounts was gone. So I want to see users' reviews regarding this to clear my mind.
BoXXoB (Legendary, Activity 2018, Merit 1108)
December 25, 2016, 09:03:46 PM  #154

Nowadays I am much afraid to try new websites like this with such an offer, as recently I joined a site like this which seemed good, but after joining all of my account data was stolen and all the money in my accounts was gone. So I want to see users' reviews regarding this to clear my mind.

Do you mean on some OTHER site your money was stolen, or on this particular site? Can't seem to understand what you mean there. Please clarify it a bit.

UGMZ (Newbie, Activity 14, Merit 0)
December 25, 2016, 09:05:58 PM  #155

Nothing is "impossible" to hack! Just look at some of the things that were hacked in 2016:

The NSA - lost malware files to hackers.
Hacking Team - massive malware company who made malware for governments (Pwnd! All source code and over 100,000 emails leaked on WikiLeaks).
TalkTalk - lost thousands of customers' bank details and full contact info (UK telecoms company!).
World Anti-Doping Agency, whose break-in exposed medical records of U.S. Olympians Simone Biles and the Williams sisters.
Yahoo - lost nearly a BILLION email addresses and passwords..


And you're telling me you think a dice game is "impossible to hack"?

The Lulz are pouring out of me right now!
BlockEye (Legendary, Activity 1148, Merit 1097)
December 25, 2016, 09:45:26 PM  #156

I think it's impossible to hack it.

Lol. It is just impossible for a normal person who doesn't have any programming/hacking skills. All security on the web is hackable because there is always a loophole in every security; that is why BitDice is doing this security check, just like Google. Maybe if they increase their rate, some professional hacker will be interested, because 1 BTC is just a penny for a hacking job for security like this. Obviously it needs time to breach the security.
leepfrog (Sr. Member, Activity 252, Merit 250)
December 25, 2016, 09:49:12 PM  #157

I think it's impossible to hack it.

Famous last words. NOTHING is impossible to hack. If you can build it, you can break it/hack it. Would I tell you for a tiny one BTC? Lol, drip drip drip drip drip and booom is what most would do.
UGMZ (Newbie, Activity 14, Merit 0)
December 25, 2016, 11:01:24 PM  #158

Seems they have some rather tight server-side security!
I won't tell many details, but let's just say it's a lot like Bitcoin - decentralized.

That's not to say a small "pivot" inside the network could be what is needed.
I would say their account security is tight. A few Java errors, things not defined, but apart from that it's very secure!

I would give this site a high 9.5/10; they have implemented a strong set of protocols to protect users and their backend servers!

Good work guys!

I doubt anyone's getting that 1 BTC anytime soon unless they use social engineering against the admin, and then it's going to be a tough one and take a lot of time and research!

https://s24.postimg.org/5bohw5c8l/Site.png
Bestwishes745 (Hero Member, Activity 644, Merit 500)
December 27, 2016, 09:19:06 PM  #159

Nowadays I am much afraid to try new websites like this with such an offer, as recently I joined a site like this which seemed good, but after joining all of my account data was stolen and all the money in my accounts was gone. So I want to see users' reviews regarding this to clear my mind.

Do you mean on some OTHER site your money was stolen, or on this particular site? Can't seem to understand what you mean there. Please clarify it a bit.

From his post I understood that he is talking about some other site where he joined but lost his account due to a hack attack. By the way, from this thread everyone knows that BitDice is more secure: even if you give access to your account to anyone, he will not be able to log in from his device.
Superways (Hero Member, Activity 826, Merit 502)
December 27, 2016, 09:31:43 PM  #160

Nowadays I am much afraid to try new websites like this with such an offer, as recently I joined a site like this which seemed good, but after joining all of my account data was stolen and all the money in my accounts was gone. So I want to see users' reviews regarding this to clear my mind.

Do you mean on some OTHER site your money was stolen, or on this particular site? Can't seem to understand what you mean there. Please clarify it a bit.

From his post I understood that he is talking about some other site where he joined but lost his account due to a hack attack. By the way, from this thread everyone knows that BitDice is more secure: even if you give access to your account to anyone, he will not be able to log in from his device.

But after a login attempt the site sends the details to get access to the site through the email, so it means that if a person gets access to the email address with which the owner is registered, then the hacker will be able to hack the account easily. Can you tell who will be responsible for that?