So Dadice was hacked yesterday. Albeit a chat hack, but it turns out (according to what the dev guy said in chat) the hack was not just a Unicode one or otherwise; it was a direct change to server-side variables that store usernames. This means it is like no other chat hack on other dice sites. On other sites it is basically a client-side rendering issue - the server was not infiltrated. On DaDice the username was actually changed on the server via a very simple WebSocket parameter change.
Q. So Dadice was hacked yesterday?
A. No it wasn't, but we can be on board on a point that there was a peculiar and "witty" type of incident.
Q. How come someone was able to change the name in chat/post as other users? Doesn't that mean the entire site was compromised?
A. Please allow me to explain how the Da Dice system currently works. The main system where users' passwords, bitcoins, profiles and stats are stored is completely secure and runs parallel with the other Da Dice systems (i.e. chat, social features), which means that both run 100% apart from each other.
Which is in fact better and more secure! There is a separate database that acts as a bridge between these two systems, so when a user is authenticated on the main Da Dice system, a special token is generated for him/her to be able to use the social features of the site. After this, when a user utilises one of these social features, i.e. sockets for chat, right there our NodeJS/Socket.io cross-checks the token.
it was a direct change to server side variables that store usernames.
This is a false statement. The variable that "buffoon" played with was on the client end (i.e. his browser end).
Q. Da Fix?
A. Yes, this issue has been fixed, although it remained 2nd in our priority; the first priority was, as other users have discussed before, the latency issue which was causing the whole of Da Dice to slow down.
However, it is not enough to just apply a single patch and consider it fixed. We believe the issue must be thoroughly investigated, and the root causes and the exploiters identified. We were able to identify our "buffoons" as @mnbnm, @bluewaffle and @haxer. Their IP addresses were also blacklisted (I know, I know, there is no shortage of IPs, VPNs or even Da Dice accounts, but it's the standard protocol to be followed and therefore we suspended their accounts).
We will also be monitoring any further exploiters who attempt to do this. A quick reenactment:
https://i.imgur.com/B0v78cF.png
(I was online last night with our buffoon, who desperately kept trying after the fix was implemented.)
Why is this significant? The moderators will tell you it was just a hack to the chat system and was not in any way an issue to the security of the site. To me it is more than that. It is the site's controls over web sessions that are now in question. Why is it possible to change any details of a web session on the server? The server and only the server should be monitoring this and ensuring the username used to log in and the session cannot be changed. In this case, it demonstrates that this site could have some more serious vulnerabilities.
There is no doubt that these issues must be addressed seriously, and they were. As I have explained before, the two systems run parallel to each other, so just for the sake of security, even the session variables are not shared, while both of the systems are fully secure on the server end.
The issue was simple:
- Mr. buffoon edits the variable in his browser which carries his username.
- On the server side, nodejs authenticated him "as a user of Da Dice" with his token by cross-checking it with his user ID.
- Trusting that the user had been authenticated in both places, Mr. buffoon's messages were then relayed to other users.
So just to clarify in between all this, "sessions" were NOWHERE involved and the server was NOWHERE compromised.
Change the username in the variable above and then log back in:
You now have someone else's username. No server-side checks or anything!
...
The site made it easy with the client telling the server who it was, and the server didn't have any checks of who it actually was.
As explained before, the token was cross-checked with the ID of the user, which is carried alongside the token, but not the username. And this was the behaviour which has been corrected.
So to summarise it: there was NO serious threat; however, an additional query to cross-check "usernames" alongside "user ID" has been added for our "crooked" fellows.
Having said that, suppose we still had NOT fixed this issue. Even then, all that these buffoons and crooks could do was broadcast chat messages as other users, nothing else, period!
No longer does the statement "It's just a simple chat hack" make a difference. They have yet to fix it! If it was so simple, why did it take so long!
DenseCrab also complained he lost access to his account and logged in as CenseDrab due to this access issue. And he was also the first to be targeted in chat.
Naturally the poor chap initially thought his account was compromised and in a hurry he changed the password, which later he couldn't produce himself; he contacted support and his issue was resolved.
The statement remains the same: "It's just a simple chat hack", in fact "It was just a simple chat hack", and #2 in our priority list that day. The major issue was the speed and latency which our users were experiencing due to CloudFlare, and we were working with them to optimise networking.
As for the lag on the site. It has so many DOM updates it is ridiculous. What this means is the browser is constantly updating elements on the page - even some that do not need to be updated. This in turn causes your browser to use a lot of CPU and memory because it is quite slow at updating the DOM. The other issue is, socket.io is preferring to use AJAX over WebSockets. AJAX long polling causes the browser to do a lot of work and is not really the way forward when running a site like a gambling site. DaDice should force WebSocket and only WebSocket. If you have a 2 year old browser then stiff, upgrade or don't use the site.
This is a totally different issue, but I will still address it to make it clear for you and the rest. Yes, we are using socket.io and yes, the DOM is constantly updated, but this is not exclusive to Da Dice. Similar complaints have regularly been made on PrimeDice threads and probably other similar sites too. To prevent the DOM from overloading we are already trimming the chat and tables; however, rendering of rolls and counter balloons, chat messages, etc., all these items are rendered on the client end / user's browser, which means it will indeed use CPU and memory. I believe that at the very least, Da Dice should be complimented for its regular efforts; at least we had the courtesy to release the Lite version of our existing interface, which dramatically reduces CPU usage. (However, traffic / bandwidth consumption remains the same, but it's on our to-do list.) In fact our efforts have always been complimented by our users.
Now regarding the long polling, I don't think you understand how socket.io really works. Consider checking the following links:
http://stackoverflow.com/questions/26608279/does-socket-io-upgrade-transport-to-websocket-from-polling
http://www.javaworld.com/article/2358967/html-css-js/socket-io-javascript-framework-ready-for-real-time-apps.html
"This new engine we developed is a groundbreaking change in terms of reliability," said Rauch, who works at blogging services provider Automattic. "Instead of attempting a connection with WebSocket, then falling back to something else -- which can result in slow connection times -- we try first what we know will always work, connect immediately, then try to upgrade to WebSocket [after] we test it and know it works."
Still unsure?
https://i.imgur.com/bF2MfID.png
Ending Note: Obviously the agenda is to spread panic and slander Da Dice. If you realise you should "steer clear" of this one, you're welcome to do so, and the same from our official threads and etc... The main thing is that when we told our users in chat that there is nothing to worry about, our loyal users understood the fact that there was indeed nothing serious to be concerned about, although a whole new level of trolling was unleashed in our chat box. In fact no one has given a real thought to post here at Bitcointalk as well... Da Dice is aiming for the #1 position and I personally believe that the arena is big enough for all fish to swim, so there is no real need to get super competitive and the fact must be accepted with an open heart.
Is Da Dice hack-proof? Fool-proof?
No! But no other site is either. We have seen the current #1 dice site facing challenges itself from time to time; every day technology is evolving and new means of manipulation are being developed. We have had our fair share of serious threats right upon our start and we are constantly working on these challenges... but then there are these kind of people too:
http://rs2img.memecdn.com/hacker_c_161851.jpg
Keep Rollin'
(P.S. Apologies for my grammar/spelling; thus this post is in my personal capacity.)
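The bug the post describes (the relay checks token against user ID but trusts the username the browser sends) and the stated fix (cross-checking the username against the user ID record) side by side, as an added example that is not part of the original post and not Da Dice's code. The user table, token bridge and message payloads are constructed sample data; the real transport (Socket.io) is left out so the logic runs stand-alone.

```javascript
// Added example, not DaDice's code: simulating the chat-relay check.
// Constructed server-side records (sample data, not real accounts).
const usersById = new Map([
  [101, 'user_a'],
  [202, 'user_b'],
]);
// Bridge table the post describes: social-feature token -> user ID.
const tokenToUserId = new Map([
  ['tok-a', 101],
  ['tok-b', 202],
]);

// Shared step: the token is only valid if it maps to the user ID the client claims.
function authenticate(payload) {
  const userId = tokenToUserId.get(payload.token);
  return userId !== undefined && userId === payload.userId ? userId : null;
}

// Vulnerable relay: after authentication, the display name is taken straight
// from the browser-supplied payload, so an edited username is broadcast as-is.
function relayVulnerable(payload) {
  if (authenticate(payload) === null) return { ok: false, reason: 'bad token' };
  // BUG: payload.username is client-controlled and never compared to the record.
  return { ok: true, from: payload.username, text: payload.text };
}

// Fixed relay: the name is read from the server-side record keyed by the
// authenticated user ID, and a client-supplied name that disagrees is rejected.
function relayFixed(payload) {
  const userId = authenticate(payload);
  if (userId === null) return { ok: false, reason: 'bad token' };
  const realName = usersById.get(userId);
  if (payload.username !== undefined && payload.username !== realName) {
    return { ok: false, reason: 'username mismatch' };
  }
  return { ok: true, from: realName, text: payload.text };
}

// Constructed spoof attempt: valid token for account 202, but the username
// field in the browser rewritten to another user's name.
const spoofed = { token: 'tok-b', userId: 202, username: 'user_a', text: 'hi' };
console.log(relayVulnerable(spoofed)); // relayed under user_a's name
console.log(relayFixed(spoofed));      // { ok: false, reason: 'username mismatch' }
```

The same pattern applies to any field the client echoes back after login: authenticate once, then derive identity from the server-side record rather than from the payload.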