This is an interesting explanation. I'm not a pro, but could you have run ANY code? Or are there restrictions? What did you actually withdraw, if not the hot wallet?
If you had been able to empty the hot wallet, then this would be a serious problem. Though to be fair, things like that have happened to many exchanges and websites too. The only difference then is whether you have a real cold wallet or built something stupid like automatically recharging hot wallets or so.
I know I said that last post was my last, but I need to respond to the question.
Any code could be run. If done in secret, you could withdraw from user accounts each day. Many things can be done when you can execute any code on a user's machine. If I was really serious about taking money slowly, I would have set up a communication channel between my computer and the client browser. The client malware would send me details of the client's account and how much is available. My communication server would then tell the malware what to do: how to render the page and whether to withdraw. I'd have complete control over that user's interface to DaDice. I could place bets on behalf of the user, making for a big PR issue with DaDice, or withdraw by sending a click command on the withdraw button. There are so many possibilities, because you can do anything the user can do. The issue with DaDice is that no user has any money and the hot wallet is so small. So it's a waste of time to set up an elaborate draining system. There simply is no money there. When I did this the hot wallet had only 0.008 BTC, which is all I got. But the purpose was to prove the dev a liar. The hack was genuinely significant; I could run JS on clients' machines from day one and gave them time to rectify it before the next attack. It matters not that the chat server is separate from the game server if both are connected via a client browser. His arrogant post, shown below, is why I didn't report it directly. This line
The variable that "buffoon" played with was on client-end (i.e. his browser end).
is not correct. If it was only my browser, then how did all other browsers and new logged in users see my changes?
And then this
Yes, this issue has been fixed although it remained 2nd in our priority, the first priority was as other users have discussed before the latency issue which was causing whole Da Dice to slow down.
A serious open door is 2nd priority over excessive browser document updates?
And then this lie:
suppose we still had NOT fixed this issue even then all that these buffoons and crookeds could do was to broadcast chat messages as other users, nothing else! period!
And then the image of the boy who got into facebook because they didn't log out = hacker. That was insulting because that's not what happened here. It also shows a lot of arrogance, which is scary when dealing with money. You must always be thinking someone is doing something you never intended when you have sites that handle money.
Naturally, after seeing that response, I waited for the water to calm and hit it with a wallet drain attack to prove that if they didn't fix it something else would have happened. Sometimes people need to be careful how they approach egos. Mine doesn't take nicely to accusations of being an idiot.
Note: all the answers below turned out to be lies.
Q. So Dadice was hacked yesterday?
A. No it wasn't, but we can be on board on one point: there was a peculiar and "witty" type of incident.
Q. How come someone was able to change the name in chat/post as other users? Doesn't that mean the entire site was compromised?
A. Please allow me to explain how the Da Dice system currently works. The main system where users' passwords, bitcoins, profiles and stats are stored is completely secure and runs parallel with the other Da Dice systems (i.e. chat, social features), which means that both run 100% apart from each other.
Which is in fact better and more secure! There is a separate database that acts as a bridge between these 2 systems, so when a user is authenticated on the main dadice system, a special token is generated for him/her to be able to use the social features of the site. After this, when a user utilises one of these social features, i.e. sockets for chat, right there our NodeJS/Socket.io cross-checks the token.
it was a direct change to server side variables that store usernames.
This is a false statement. The variable that "buffoon" played with was on client-end (i.e. his browser end).
Q. Da Fix?
A. Yes, this issue has been fixed although it remained 2nd in our priority, the first priority was as other users have discussed before the latency issue which was causing whole Da Dice to slow down.
However it is not enough to just apply a single patch and consider it fixed. We believe the issue must be thoroughly investigated, root causes and the exploiters identified. We were able to identify our "buffoons" as @mnbnm, @bluewaffle and @haxer. Their IP addresses were also blacklisted (I know, I know, there is no shortage of IPs, VPNs or even Da Dice accounts, but it's the standard protocol to be followed and therefore we suspended their accounts).
We will also be monitoring any further exploiters who attempt to do this. Time for a quick reenactment:
(I was online last night with our buffoon, who desperately kept trying after the fix was implemented.)
Why is this significant? The moderators will tell you it was just a hack to the chat system and was not in any way an issue to the security of the site. To me it is more than that. It is the site's controls over web sessions that are now in question. Why is it possible to change any details of a web session on the server? The server, and only the server, should be monitoring this and ensuring the username used to log in and the session cannot be changed. In this case, it demonstrates that this site could have some more serious vulnerabilities.
There is no doubt that these issues must be addressed seriously, and they were. As I have explained before, the two systems run parallel to each other, so just for the sake of security even the session variables are not shared, while both of the systems are fully secure on the server end.
The issue was simple:
- Mr. buffoon edits the variable in his browser which carries his username.
- On server side, nodejs authenticated him "as a user of Da Dice" with his token by cross checking it with his user ID.
- Trusting that a user has been authenticated on both places, Mr. buffoon's messages were then relayed to further users.
So just to clarify in between all this, "sessions" were NOWHERE involved and the server was NOWHERE compromised.
Change the username in the variable above and then log back in:
You now have someone else's username. No server side checks or anything!
...
The site made it easy with the client telling the server who it was, and the server didn't have any checks of who it actually was.
As explained before, the token was cross checked with ID of user which is carried alongside the token but not the username. And this was the behaviour which has been corrected.
So to summarise it: There was NO serious threat, however an additional query to cross-check "usernames" alongside "user ID" has been added for our "crooked" fellows. Having said that, suppose we still had NOT fixed this issue, even then all that these buffoons and crooks could do was to broadcast chat messages as other users, nothing else! Period!
No longer does the statement "It's just a simple chat hack" make a difference. They have yet to fix it! If it was so simple, why did it take so long!
DenseCrab also complained he lost access to his account and logged in as CenseDrab due to this access issue. And he was also the first to be targeted in chat.
Naturally the poor chap initially thought his account was compromised and in a hurry he changed the password, which later he couldn't produce himself; he contacted support and his issue was resolved.
The statement remains the same: "It's just a simple chat hack", in fact "It was just a simple chat hack", and #2 in our priority list that day. The major issue was the speed and latency which our users were experiencing due to CloudFlare, and we were working with them to optimise networking.
Ending Note: Obviously the agenda is to spread panic and slander Da Dice. If you realise you should "steer clear" of this one, you're welcome to do so, and the same from our official threads etc. The main thing is that when we told our users in chat that there was nothing to worry about, our loyal users understood the fact that there was indeed nothing serious to be concerned about, although a whole new level of trolling was unleashed in our chat box. In fact no one has given a real thought to posting here at Bitcointalk as well... Da Dice is aiming for the #1 position and I personally believe that the arena is big enough for all fish to swim, so there is no real need to get super competitive, and the fact must be accepted with an open heart.
Is dadice hack proof? fool proof?
No! But neither is any other site. We have seen the current #1 dice site facing challenges itself from time to time; every day technology is evolving and new means of manipulation are being developed. We have had our fair share of serious threats right from our start and we are constantly working on these challenges... but then there are these kind of people too:
BTW Dev guy. The agenda was to prove you wrong. So stop saying it's all the other dice sites paying for this to happen, or that there is some great dicing collusion conspiracy. It's only between you and me.