Hey guys, long story short, I do bug hunting and my main concern is users' safety. I found 4 bugs on this "casino", 2 of them allow seeing users' emails and balances; I got paid 130 USD for it after the guy offered me $50. Now I found an SQL injection point and an account takeover: since they don't have a login system they put the user id in localStorage, and whatever id is there is the account you "log in" to. Since they don't want to handle the reports as we agreed, I feel obligated to disclose this, since users' money is not safe at all, before more people put money in it. Here goes:
Here is the proof of concept of the account takeover
https://streamable.com/lpop5e
Here is the SQL injection point:
/api/easy-account/get-account-names.php
And to finish, the "users" on the bet list are fake, the jackpot is fake and all these 700 reviews made today are fake:
https://imgur.com/kucmYoW
Poorly coded (like it was coded by some novice dude trying to rip off money) with fake stuff everywhere. What does this sound like to you?
I'm tired of these bastards opening scam sites over and over and over, and nothing ever happens to them.
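The two server-side mistakes the post describes, a server that resolves the account from an id the client holds in localStorage, and a name-lookup endpoint that has to be safe against SQL injection, shown side by side with the hardened pattern. This is an added Python example, not code from the post or from the site; the in-memory table, its rows and the function names are constructed assumptions for the demo.

```python
import secrets
import sqlite3


# Constructed sample data for the demo; not the site's real schema or users.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE accounts (id INTEGER PRIMARY KEY, name TEXT, email TEXT, balance REAL)"
    )
    conn.executemany(
        "INSERT INTO accounts VALUES (?, ?, ?, ?)",
        [
            (1, "alice", "alice@example.test", 120.0),
            (2, "bob", "bob@example.test", 45.5),
            (3, "o'brien", "obrien@example.test", 9.0),
        ],
    )
    return conn


# Pattern the post describes: the server resolves the account from an id the
# client sent (there it came from localStorage). Whoever edits that id becomes
# that user, because the server has nothing else to check against.
def get_account_client_trusted(conn, client_supplied_id):
    return conn.execute(
        "SELECT name, email, balance FROM accounts WHERE id = ?",
        (client_supplied_id,),
    ).fetchone()


# Hardened pattern: the client only ever holds an opaque random token; the
# token -> account id mapping lives on the server and is never client-editable.
_SESSIONS = {}  # in-memory for the demo; a real service adds expiry and persistence


def create_session(account_id):
    """Called only after the server has verified who the user is (assumed to
    happen elsewhere, e.g. a password or payment-provider login)."""
    token = secrets.token_urlsafe(32)
    _SESSIONS[token] = account_id
    return token


def get_account_by_session(conn, token):
    account_id = _SESSIONS.get(token)
    if account_id is None:
        return None  # unknown or forged token: no account, not "whatever id was sent"
    return conn.execute(
        "SELECT name, email, balance FROM accounts WHERE id = ?",
        (account_id,),
    ).fetchone()


def _escape_like(text):
    # Escape LIKE metacharacters so user input is matched literally.
    return text.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")


def search_account_names(conn, prefix):
    """Prefix search over account names using a bound parameter: the input is
    passed as data, so quotes or SQL keywords in it cannot alter the query."""
    pattern = _escape_like(prefix) + "%"
    rows = conn.execute(
        "SELECT name FROM accounts WHERE name LIKE ? ESCAPE '\\' ORDER BY name",
        (pattern,),
    ).fetchall()
    return [r[0] for r in rows]


if __name__ == "__main__":
    db = make_db()
    # Client-trusted lookup: a changed id silently yields another user's data.
    print(get_account_client_trusted(db, 2))
    # Session-based lookup: only a server-issued token resolves to an account.
    tok = create_session(1)
    print(get_account_by_session(db, tok), get_account_by_session(db, "2"))
    # Parameterized search: an apostrophe in the input is just data.
    print(search_account_names(db, "o'b"))
```

The design point is that `get_account_by_session` never takes an account id from the request at all; the only client-controlled value is a random token that the server issued, so there is no id to tamper with. The search function shows the matching fix for the injection endpoint: bind the value, and escape `%` and `_` so a LIKE pattern cannot be widened by the caller either.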