monsterer (OP)
Legendary
 Offline
Activity: 1008
Merit: 1000
|
 |
February 07, 2014, 10:51:36 PM |
|
At approximately 11:30am - 12:00pm GMT today, a hacker was able to exploit a security hole in my game and withdraw 0.4 BTC, which was the entire hot-wallet contents.
He withdrew to this address: 16pknxjJF8yhL2iBPmXRw4rcoGhFYmGcoy
Transactions:
288734e41ebde40bfb07227006f27ea256e3a51e90b7388b4335d9c84f3f90e6
441c5f163afe515def15e2eed21c9aac8eed9d8ff3d6142c475342cf154d17ee
52d4cec1e6b5c95be2bc10a4afd665c722498eecd6804cf03e12558cd41846a2
5b1f08f26ec1cdbbdfb00ea7191bd27a2356edf18c376ba7270210b2932a6ef5
652c88def365b22ec3c1be34df410557a1e4f9bd68a1df6617c5f30875ad32c6
90f8d413664fa88791e71e385034d97598e409d04927715f802578bbd7ecf3de
be8ec0d0ca2c8891c004d9f5d691bc4c2b69401490623e3b27aab7a15bf1953f
cdd8f318899c96edaa7fb74a23fd84eb565e26b3f2997d6f8e0db53cc4019cb5
d7a4289a513f55c9b1dfb194134b5d49f1b8b001bf86eb821d604166ff99be8a
f1cf5d32866994843097db6f697c9bc5dc72ce4cdebf6d4cdfdcc0230b87eedb
f44a1d769f2aa0bfb990722f0b6856d242c2a46a50cb26690ad208f546327a46
He used the aliases: 1gld,16p,x,y
His attack was to use negative numbers for the BTC fields when creating a new game in blockchain-reaction, although these were checked for client-side, the server failed to do the correct validation.
I feel pretty stupid since that's an obvious attack and I'm usually really careful with this stuff, but it just slipped under the radar. Obviously this is now fixed.
I have covered this loss from my own personal bitcoin wallet, so no users will be affected.
If you are the attacker and you are reading this, please consider returning these stolen coins, I have a suspicion you are a fellow developer / programmer, so please have a heart.
Cheers, Paul.
|
|
|
|
|
|
|
|
|
|
|
|
|
Advertised sites are not endorsed by the Bitcoin Forum. They may be unsafe, untrustworthy, or illegal in your jurisdiction.
|
|
|
|
|
DeathAndTaxes
Donator
Legendary
Offline
Activity: 1218
Merit: 1079
Gerald Davis
|
|
February 07, 2014, 10:59:53 PM |
|
The hacker won't return the coins. Consider it a $300 education. Had the site been popular it might have been a $300,000 loss. Saying you are really careful and yet failed to do server side validation is an oxymoron. I would recommend learning some unit testing. My guess is you are developing the "core" program and consdering error checking as an add on. For larger and more complex projects this always fails. Grab a couple books on Test driven Development ( http://en.wikipedia.org/wiki/Test-driven_development ). The $300 loss could be worth thousands if it makes you a better developer. |
|
|
|
|
|
Nathonas
|
|
February 08, 2014, 12:26:39 AM |
|
This post made me lol.
First of all, what makes you think this "hacker" reads bitcointalk? And secondly, what makes you think that asking him to return the BTC will do anything?
|
All we have to decide is what to do with the time that is given us.
|
|
|
|
Sonny
|
|
February 08, 2014, 12:43:32 AM |
|
OP, sorry to hear your loss. Well, at least you now find the bug and fix it.  |
|
|
|
|
whtchocla7e
Full Member
Offline
Activity: 392
Merit: 116
Worlds Simplest Cryptocurrency Wallet
|
|
February 08, 2014, 01:13:28 AM
Last edit: February 08, 2014, 03:48:44 AM by whtchocla7e |
|
The hacker did you a favor. You could have lost much more. Consider it a payment for services.
|
▂▂▂▂▂▂▂▂▂▂▂▂▂▃▅▆█ L E A D █▆▅▃▂▂▂▂▂▂▂▂▂▂▂▂
World's Simplest and Safest Decentralized Cryptocurrency Wallet!
▬▬▬▬▬▬▬ • STORE • SEND • SPEND • SWAP • STAKE • ▬▬▬▬▬▬
|
|
|
|
byt411
|
|
February 08, 2014, 01:21:15 AM |
|
So now you learnt a lesson! Check for loopholes and fix them.
|
|
|
|
|
|
dissident
|
|
February 08, 2014, 01:47:40 AM |
|
yep at just .4 BTC I'd consider it payment for services.
|
|
|
|
|
go4nature
Member
Offline
Activity: 70
Merit: 10
|
|
February 08, 2014, 06:05:30 AM |
|
Once it is hacked you cannot recover it. Next be safe use all precautions.
|
|
|
|
|
PBmining
|
|
February 08, 2014, 06:19:38 AM |
|
The hacker did you a favor. You could have lost much more. Consider it a payment for services.
This is exactly my opinion as well. My "lesson" was a lot more expensive and we lost a lot more, but in the end it was a much needed wake-up call. Its best that a breach happens sooner rather than later. Fix the broken pieces and become stronger -- that's all you can do. |
Did you know?: Most of our hash power comes from other sources. We are now specialized in the resale of cloudmining contracts through our associates!
|
|
|
|
RGBKey
|
|
February 08, 2014, 06:41:28 AM |
|
Really sorry to hear that monsterer, your game is great. Hope you recover from this.
|
|
|
|
|
hilariousandco
Global Moderator
Legendary
Offline
Activity: 3794
Merit: 2606
Join the world-leading crypto sportsbook NOW!
|
|
February 08, 2014, 11:36:13 AM |
|
This post made me lol.
First of all, what makes you think this "hacker" reads bitcointalk? And secondly, what makes you think that asking him to return the BTC will do anything?
Well sometimes hackers or thieves have given money back. I guess trying to guilt someone into returning funds is a last desperate attempt as it's probably one of the only things you can actually do, although like you said it's almost futile. 0.4 isn't much, so I'd just chalk it up as a loss and a lesson learned. |
|
|
|
|
thecoinjournal
|
|
February 08, 2014, 11:39:00 AM |
|
I want to play but it says We are currently in maintenance mode. Thank you for your patience. |
|
|
|
|
drippx
|
|
February 08, 2014, 11:54:31 AM |
|
0% chance you get the coins back, thats why bitcoin is good for these type of anonymous things
|
|
|
|
|
|
techguy
|
|
February 08, 2014, 12:32:11 PM |
|
Sorry to hear that your BTC is stolen. Your blockchain reaction game has great potential. I wish you will soon recover the losses from game  |
|
|
|
|
monsterer (OP)
Legendary
Offline
Activity: 1008
Merit: 1000
|
|
February 08, 2014, 01:13:34 PM |
|
We're back up and running now Thanks for the support - the general sentiment is right, it could have been a lot worse and the fault is entirely mine for missing that piece of server-side validation. It's particularly galling because I'm a proponent of letting the server do the validation and having none on the client, especially in the early stages of development because it forces you to fix these type of problems before they happen. Cheers, Paul. |
|
|
|
|
Aswan
Legendary
Offline
Activity: 1734
Merit: 1015
|
|
February 08, 2014, 01:38:12 PM |
|
Nice Marketing. Didn't know the game but I love it  |
|
|
|
|
surfer43
Sr. Member
Offline
Activity: 560
Merit: 250
"Trading Platform of The Future!"
|
|
February 08, 2014, 01:49:56 PM |
|
If I were said "hacker" I would be embarrassed.
.4 btc lulz
~BCX~
I don't understand  |
|
|
|
|
|
Trance
|
|
February 08, 2014, 02:28:57 PM |
|
Lemmeee att emm' Leeemee attt em' !!
lol sorry to hear about your loss, but the odds of you getting the coins back are 0 to none.
|
Some people are so poor ALL they have is money
|
|
|
|
Trance
|
|
February 08, 2014, 02:30:03 PM |
|
At approximately 11:30am - 12:00pm GMT today, a hacker was able to exploit a security hole in my game and withdraw 0.4 BTC, which was the entire hot-wallet contents.
He withdrew to this address: 16pknxjJF8yhL2iBPmXRw4rcoGhFYmGcoy
Transactions:
288734e41ebde40bfb07227006f27ea256e3a51e90b7388b4335d9c84f3f90e6
441c5f163afe515def15e2eed21c9aac8eed9d8ff3d6142c475342cf154d17ee
52d4cec1e6b5c95be2bc10a4afd665c722498eecd6804cf03e12558cd41846a2
5b1f08f26ec1cdbbdfb00ea7191bd27a2356edf18c376ba7270210b2932a6ef5
652c88def365b22ec3c1be34df410557a1e4f9bd68a1df6617c5f30875ad32c6
90f8d413664fa88791e71e385034d97598e409d04927715f802578bbd7ecf3de
be8ec0d0ca2c8891c004d9f5d691bc4c2b69401490623e3b27aab7a15bf1953f
cdd8f318899c96edaa7fb74a23fd84eb565e26b3f2997d6f8e0db53cc4019cb5
d7a4289a513f55c9b1dfb194134b5d49f1b8b001bf86eb821d604166ff99be8a
f1cf5d32866994843097db6f697c9bc5dc72ce4cdebf6d4cdfdcc0230b87eedb
f44a1d769f2aa0bfb990722f0b6856d242c2a46a50cb26690ad208f546327a46
He used the aliases: 1gld,16p,x,y
His attack was to use negative numbers for the BTC fields when creating a new game in blockchain-reaction, although these were checked for client-side, the server failed to do the correct validation.
I feel pretty stupid since that's an obvious attack and I'm usually really careful with this stuff, but it just slipped under the radar. Obviously this is now fixed.
I have covered this loss from my own personal bitcoin wallet, so no users will be affected.
If you are the attacker and you are reading this, please consider returning these stolen coins, I have a suspicion you are a fellow developer / programmer, so please have a heart.
Cheers, Paul.
How do you know its a "HE"  |
Some people are so poor ALL they have is money
|
|
|
surfer43
Sr. Member
Offline
Activity: 560
Merit: 250
"Trading Platform of The Future!"
|
|
February 08, 2014, 02:36:22 PM |
|
At approximately 11:30am - 12:00pm GMT today, a hacker was able to exploit a security hole in my game and withdraw 0.4 BTC, which was the entire hot-wallet contents.
He withdrew to this address: 16pknxjJF8yhL2iBPmXRw4rcoGhFYmGcoy
Transactions:
288734e41ebde40bfb07227006f27ea256e3a51e90b7388b4335d9c84f3f90e6
441c5f163afe515def15e2eed21c9aac8eed9d8ff3d6142c475342cf154d17ee
52d4cec1e6b5c95be2bc10a4afd665c722498eecd6804cf03e12558cd41846a2
5b1f08f26ec1cdbbdfb00ea7191bd27a2356edf18c376ba7270210b2932a6ef5
652c88def365b22ec3c1be34df410557a1e4f9bd68a1df6617c5f30875ad32c6
90f8d413664fa88791e71e385034d97598e409d04927715f802578bbd7ecf3de
be8ec0d0ca2c8891c004d9f5d691bc4c2b69401490623e3b27aab7a15bf1953f
cdd8f318899c96edaa7fb74a23fd84eb565e26b3f2997d6f8e0db53cc4019cb5
d7a4289a513f55c9b1dfb194134b5d49f1b8b001bf86eb821d604166ff99be8a
f1cf5d32866994843097db6f697c9bc5dc72ce4cdebf6d4cdfdcc0230b87eedb
f44a1d769f2aa0bfb990722f0b6856d242c2a46a50cb26690ad208f546327a46
He used the aliases: 1gld,16p,x,y
His attack was to use negative numbers for the BTC fields when creating a new game in blockchain-reaction, although these were checked for client-side, the server failed to do the correct validation.
I feel pretty stupid since that's an obvious attack and I'm usually really careful with this stuff, but it just slipped under the radar. Obviously this is now fixed.
I have covered this loss from my own personal bitcoin wallet, so no users will be affected.
If you are the attacker and you are reading this, please consider returning these stolen coins, I have a suspicion you are a fellow developer / programmer, so please have a heart.
Cheers, Paul.
How do you know its a "HE" How do you know he's an "it" |
|
|
|
|
|
