What community says on this?

[Boris007]

There is an established gambling platform on bitcointalk. Which has the feature of hiding username of players, I mean if you place bets and don't wanna other people know about it then you can hide your username, stats, loss, profit..etc

There is also a feature of 2fa on that gambling platform.

An initial dig let me know an endpoint via which I can know all the details of all players including the hidden players.
I can know even if you have enabled 2fa or not!



As an example of one of hidden person detail:

In UI it shows like hidden: 

In code smuggled endpoint:

Code:

[
  "new_bet",
  {
    "betAmount": 40,
    "betId": "SWS-31365369647",
    "gameIdentifier": "pragmatic:FruitParty",
    "gameName": "slots",
    "gameNameDisplay": "Fruit Party",
    "id": "4c2b8307-6c16-43ca-9714-7cb6f2796e07",
    "incognito": true,
    "mult": 0.7735000000000001,
    "payoutValue": 30.94,
    "profit": -9.059999999999999,
    "selectedBalanceField": "balance",
    "thirdParty": "softswiss",
    "timestamp": "2020-07-23T01:28:30.002Z",
    "twoFactor": true,
    "user": {
      "id": "2ed78df4-7a20-4130-8b91-6a3c0803d628",
      "name": "Nerva001"
    },
    "userId": "2ed78df4-7a20-4130-8b91-6a3c0803d628",
    "won": true,
    "addedAt": "2020-07-23T01:28:27.802Z"
  }
]

The above player is in incognito mode, but still his data leaks.. It is ok?? I tried to contact the owner and he says that is not a big issue, And as I have hit the misconfigured endpoint few times, these activities might be looged in his splunk logs from where he can find about the misconfigured endpoint without honouring me anything.

What you people in community says, you have been here since a long time and knows about how much privacy matters. Is it ok If I know how much you gamble and lose?

What should be the ideal bounty that I should quote??

Regards,
Boris007

[Coyster]

What you people in community says, you have been here since a long time and knows about how much privacy matters. Is it ok If I know how much you gamble and lose?

If the user on the website is on incognito mode, the site should make it impossible for anyone to get those information, but that being said, it doesn't matter too much, the online casino i use shows all these info, user bets, loss, stakes, high wins/loss etc, you cannot do anything with those information and you also cannot know who the gambler is with them. What's most private and more important is the users password and email used for verification; so just as the owner told you, it's not a big issue.

[cryptomaniac_xxx]

Regardless if the player is on incognito mode or not, what you discovered is a serious flaw of that gambling websites You didn't mentioned the name, but we fully understand that you wanted to protect that gambling website.

It shouldn't be dismiss right away and say to you that this is not serious. You are an expert finding bugs before they've exploited, so I guess the owner should take this seriously and work on you on how to fix this flaw and of course you should get a reward.

[Boris007]

Regardless if the player is on incognito mode or not, what you discovered is a serious flaw of that gambling websites You didn't mentioned the name, but we fully understand that you wanted to protect that gambling website.

It shouldn't be dismiss right away and say to you that this is not serious. You are an expert finding bugs before they've exploited, so I guess the owner should take this seriously and work on you on how to fix this flaw and of course you should get a reward.

Yeah, but they dont believe that this is serious thread. They ask me how can this result in loss or any exploitation??
I did not have answer to that as not much I have played by rolling dice, but I gave them a response than in past there was a gay porn site (Ashley) where users used to remain ananymous and they used to interact or do more gay stuffs. One day the server of Ashley was hacked and all details of users got leaked, the hacker sent each one user with a email that i have all your infos please send xyz amount of bitcoin to ABC address or else I will post your info in public saying you are a gay.
Many user did that payment. the cool thing was that the hacker even told them how to buy bitcoins from localbitcoins.com 

I gave them all explanation and now it has heated up. I know I am greedy at this point but I want to have my part with solid weight.

[TravelMug]

[.. snip .. ]

Maybe you can ask some reputable member and show him the exploit that you discover and maybe it will put a lot of weight and pressure the "established gambling" to perform a check on their end to see that it is a valid exploit on their platform.

[yahoo62278]

The website in question that he is showing is roobet. I recognize the betting bar that he posted a pic of.

This user also tried contacting betnomi and getting a reward on a minor issue. If the issues were huge then of course he should receive some sort of compensation. Sites may even give him a small reward for small bugs, but posting this here to get the community behind you on a small issue is childish.

I kinda feel like this user is trying to find small details on websites and looking to extort them if he isnt paid money. Just my opinion, but this is the feeling that I'm getting.

[TryNinja]

That seems like a small privacy issue (looking at the type of data you posted above).

If that was my website, I would probably fix that. It should be pretty easy since the "incognito" information is also returned.

Code:

if (data.incognito) {
  delete data.user;
  delete data.userId;
  return user;
} else {
  return user;
}

Do you deserve a bounty for this? Well, I personally don't think so. Maybe a small tip, but this doesn't seem like a major vulnerability worth a few hundreds. And I don't think Roobet has a bug bounty, right? They are not obligated to give you anything at all.

off: I remember you also looking for vulnerabilities on OG's website. Did you also try to do that with my website? I saw some logs about a stranger trying to access my admin endpoints.

[Boris007]

That seems like a small privacy issue (looking at the type of data you posted above).

If that was my website, I would probably fix that. It should be pretty easy since the "incognito" information is also returned.

Code:

if (data.incognito) {
  delete data.user;
  delete data.userId;
  return user;
} else {
  return user;
}

Do you deserve a bounty for this? Well, I personally don't think so. Maybe a small tip, but this doesn't seem like a major vulnerability worth a few hundreds. And I don't think Roobet has a bug bounty, right? They are not obligated to give you anything at all.

off: I remember you also looking for vulnerabilities on OG's website. Did you also try to do that with my website? I saw some logs about a stranger trying to access my admin endpoints.

Udpate: the casinon owner paid me long back after knowing the leaking endpoint.
I cannot name the casino.

I really dont know your website so cannot access or try to access it.