No security issues found so far, however several people have tried to reset our Google Apps password.
This type of hacking is tough.
First, a brand new linux install. No one is going to share an openssh bug for remote access for this type of money.
Let alone any webserver bug for remote access (apache/nginx). So getting in remotely the "old fashioned" way is
nigh impossible. Based on a quick scan I recall only seeing 3 ports being opened and reachable. The rest are firewalled.
Now lets talk about your website's code. It is a very simple design. The amount of pages is very small and that makes
for fewer opportunities compared to a large website with many things going on. I wanted to "buy" some bitcoins but
due to a typo in my first try it seems like it locked me out for some unknown amount of time. That alone makes me
think anyone who wants to try sql injection better have some serious time on their hands because the code will
probably reject the attempts based on some value (IP address, cookie, whatever). So your attempts will just go in
the trash and miss the main parts of the code (guessing here).
I see that you used google for your incoming email. I guess your domain is setup with them or it is forwarded to a
server which blocks port 25 for everyone except google. Well hacking google is probably not a good idea to try ;-)
and one less port to talk to (postfix I imagine). For sending only. I see you mentioned resetting of the password
for google apps. Last I checked social eng of a google support person is needed to make that happen.
See here for the trouble it takes to do such a hack:
http://blog.cloudflare.com/post-mortem-todays-attack-apparent-google-appSo honestly.. the only real vector of attack that you are expecting is sql injection in my mind. And if the programmer
spent just a few hours validating user inputted data via code it will be impossible.
Unless of course you desire for the attacker to, well, attack you personally. Perhaps break into your apt/home and steal your
fricking PC. Maybe your company you work at is not as secure and you access your website from work. Perhaps you
have other projects going on that do not deal with bitcoins and are sitting on a server 5 years old. Maybe you keep something
juicy in your car. Etc... But I do not think anyone here wants to commit a felony crime for a few bucks let alone hunt you
down in this manner.
So I guess I am out of the hunt because the last major bug I found was years ago and that was for a local root.
I also think sql injection may be very time consuming to attempt based on my brief poking around last night.
Unless that's part of the service somehow.
for each of the remaining "flags" that you find. 