|
pthnmj (OP)
|
 |
July 06, 2013, 08:11:11 AM |
|
Okay so apparently if people don't reap benefits, or are able to do what you did a couple days before you say anything, it must not exist and be complete bullshit.
My Story:
I recently reported a bug via a bitcoin dice website, which I will not disclose without consent of the owner, and was able to log in, and bet on their account essentially without being actually knowing of their address, or password which is done by the cookie that is unencrypted, and the server never checks to verify the cookie. It only assumed the cookie was a success
Exmaple: UserID 235523 was sucessfully loggedin from address: F123DAFDAv09c8vasf, and UserID is changed to 4324, and the server when refreshed with that cookie stored passes it by and lets you set up on the account 4324... Recently reporting it earned me a little amount of bitcoin, which could have been more but no matter :-)
The exploit allowed me to:
-Bet Under the User
-Cash Out (To the User's address which was smart by the owner not to have the address be part of a cookie, or address changeable by the user)
-Change the Password of the user
Now how do I know that betting worked?
A- The Live Stream (Bets are shown) clearly showed "User:XXXXX" Bet : xXXXXXXXX, and I saw the balance after I bet which cleared to be in check
B- The balance was, as stated in the statement above cleared to be check
So I ask, what happened to the trust anymore?
If something doesn't go your way, and sounds too "Good" to be true, or you never did it before yourself, it's complete bullshit?
Part of me wants to quit Bitcoin because of the immaturity, but part of me stats for the anonymity
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Unlike traditional banking where clients have only a few account numbers, with Bitcoin people can create an unlimited number of accounts (addresses). This can be used to easily track payments, and it improves anonymity.
|
|
|
Advertised sites are not endorsed by the Bitcoin Forum. They may be unsafe, untrustworthy, or illegal in your jurisdiction.
|
|
|
|
|
Stephen Gornick
Legendary
 Offline
Activity: 2506
Merit: 1010
|
|
July 06, 2013, 09:33:39 AM |
|
Part of me wants to quit Bitcoin because of the immaturity,
1995: I'm buying a new television so I searched on Inktomi for "TV Set ratings" and it sent me to Nielsen (show ratings). Stupid internet, ... my search term included "TV Set". Part of me wants to quit Internet because of the immaturity. |
|
|
|
Stephen Gornick
Legendary
Offline
Activity: 2506
Merit: 1010
|
|
July 06, 2013, 09:39:54 AM |
|
So I ask, what happened to the trust anymore?
If something doesn't go your way, and sounds too "Good" to be true, or you never did it before yourself, it's complete bullshit?
So, you assert that you found a security issue with some site and they refuse to acknowledge it? So, ... give them a reasonable time to fix it, then publish an alert here (with some info of where the vulnerability lies, or how the exploit works), if it doesn't get fixed. |
|
|
|
Phinnaeus Gage
Legendary
Offline
Activity: 1918
Merit: 1570
Bitcoin: An Idea Worth Spending
|
|
July 06, 2013, 03:50:41 PM |
|
So I ask, what happened to the trust anymore?
If something doesn't go your way, and sounds too "Good" to be true, or you never did it before yourself, it's complete bullshit?
So, you assert that you found a security issue with some site and they refuse to acknowledge it? So, ... give them a reasonable time to fix it, then publish an alert here (with some info of where the vulnerability lies, or how the exploit works), if it doesn't get fixed. It worked so well last time with InstaWallet, let's do it again. If I recall with IW, there was an exploit issue of which a Bitcoiner was kind enough to reveal. Red flags were raised. The owners dismissed the findings. Then calm. Then poof! I like Eric, so I hope this is not his site that is being inferred to. Then again, I admired IW, albeit to a lesser degree, and look at how at least one of their owners treated me. Let's hope that whatever needs fixin' gets fixed. |
|
|
|
|
Stephen Gornick
Legendary
Offline
Activity: 2506
Merit: 1010
|
|
July 08, 2013, 07:33:54 PM |
|
I like Eric, so I hope this is not his site that is being inferred to.
Well, SD doesn't use web access for wagering. The report was for a competing site, apparently: I found a recent exploit (Not to scare anybody, because it is fix with my help of reporting it  And got compensated <3 tHanks PrimeDice) |
|
|
|
CryptoLover
Newbie
Offline
Activity: 24
Merit: 0
|
|
July 09, 2013, 01:37:58 AM |
|
Part of me wants to quit Bitcoin because of the immaturity,
1995: I'm buying a new television so I searched on Inktomi for "TV Set ratings" and it sent me to Nielsen (show ratings). Stupid internet, ... my search term included "TV Set". Part of me wants to quit Internet because of the immaturity. LOL! |
|
|
|
|
Dabs
Legendary
Offline
Activity: 3416
Merit: 1912
The Concierge of Crypto
|
|
July 09, 2013, 02:08:16 AM |
|
There are only three competing dice sites: Coinroll, PrimeDice and Just-Dice. They are all off-the-blockchain, so they required "accounts" of some sort, whether that is by payout address, or a cookie, or a traditional user / password. Some even have 2 factor auth using Google Auth.
Well, there are other block-chain based competitors, like Dice on Crack, and Suzuki Dice, but they don't need "accounts".
|
|
|
|
|
PrintMule
|
|
July 09, 2013, 02:32:33 AM |
|
This is so old news
It was the first thing I tried after playing my freebie at that dice, to log in other people's accounts. And while you can make some bets to fuck with someone, no one will keep btc on their accounts longer than needed for betting.
|
|
|
|
|
