[WARNING] Wolf.bet security is bad

[victorsspy]

FIXED

[1714934885]

1714934885

[1714934885]

1714934885

[1714934885]

1714934885

[1714934885]

1714934885

[nakamura12]

I'm here to warn everyone that WOLF.Bet's security is NOT GOOD.

When logging in the site connects to this url
https://wolf.bet/api/v1/login
it sends this json payload {"login":"User","password":"Pass"}


As you can see, they have no tokens, no password encryption.
You can crack accounts very easy using Openbullet or programs alike.
I made a working account cracker < 3 minutes.

However, their API is private which is somewhat good I suppose and when I tried making my program withdraw I got unauthorized but I am sure if I spent more than 5 minutes I could automatically make it withdraw to my BTC address.

To wolf.bet:
- Add Recaptcha to your site
- Encrypt passwords before they get sent to your server
- use CSRF tokens, etc. (these are quite useless but they help somewhat)

Since you're not jr. member rank yet so i'll quote your post to show the images you provide to warn those who use this site. You did a good job sharing this vital information that this doesn't have tight security and this site may git hacked if not taken action. Many people who already been using this site might lose their money.

[victorsspy]

Since you're not jr. member rank yet so i'll quote your post to show the images you provide to warn those who use this site. You did a good job sharing this vital information that this doesn't have tight security and this site may git hacked if not taken action. Many people who already been using this site might lose their money.

And I just found a way to withdraw BTC, their security is very bad

[Steamtyme]

It's unclear from your post but I'm hoping you went directly to their support before posting here. I say this as it doesn't appear to be a malicious step on their part, so warning them to protect their user base first is paramount, followed by posting here to warn users directly.

I have to admit I only get what you did at a surface level, but if you didn't notify Wolf.bet first then you could also be exposing their user base to risk should one of the many shady characters here decide to use your post as a roadmap.

[nakamura12]

It's unclear from your post but I'm hoping you went directly to their support before posting here. I say this as it doesn't appear to be a malicious step on their part, so warning them to protect their user base first is paramount, followed by posting here to warn users directly.

I have to admit I only get what you did at a surface level, but if you didn't notify Wolf.bet first then you could also be exposing their user base to risk should one of the many shady characters here decide to use your post as a roadmap.

I agree that wolf.bet should be the priority to let them know first before sharing this problem to everyone. As Steamtyme it is posdible that hacking wolf.bet might happen (who knows) to them and many more users will be at risk because of this post you have and shady people use this opportunity.

And I just found a way to withdraw BTC, their security is very bad

Did you contact their support team before posting this info?

[Drai]

I have posted this on the wolf.bet ANN thread and just incase you haven't reported it to their support yet, they would see it from their ANN thread and tackle the issue before it actually becomes an issue. You can see my report here- https://bitcointalk.org/index.php?topic=5167730.msg53473402#msg53473402

[edmundduke]

Since you're not jr. member rank yet so i'll quote your post to show the images you provide to warn those who use this site. You did a good job sharing this vital information that this doesn't have tight security and this site may git hacked if not taken action. Many people who already been using this site might lose their money.

And I just found a way to withdraw BTC, their security is very bad

I would like to say im shocked but security in the crypto gambling space really has been whack since the beginning. This however is bad beyond that lmao

[veleten]

you should message their admin , probably will get rewarded if it is a security issue they overlooked
I wonder how on earth you were the first one to discover it
did you manage to hack one of the accounts too? maybe it is not as bad as you are describing it
wolf bet is already a few months old  , should be taking security risks seriously
if your account is not safe there , use 2fa or even consider playing elsewhere until it is fixed
lets see if admin says something about it

[mk02]

there is a similar problem on almost every site
encryption met only on bc.game/nanogames.io

this is what the primedice authorization looks like:

[{"operationName":"RequestLoginUserMutation","variables":{"name":"user","password":"password","captcha":"RECAPTCHA_RESPONCE"},"query":"mutation RequestLoginUserMutation($name: String, $email: String, $password: String!, $captcha: String) {\n  requestLoginUser(name: $name, email: $email, password: $password, captcha: $captcha) {\n    loginToken\n    hasTfaEnabled\n    user {\n      id\n      name\n      __typename\n    }\n    __typename\n  }\n}\n"}]