Topic: Don't use Bitcoin.Town extension (Read 615 times)

The utility is to make bitcoin.town's admin "rich".

And that serves the extension? I installed it and I see no utility ¿?

Many thanks for the ajax code.

This is seriously bad.

They can modify all the legit user requests from the forms they fill in @ the faucet server.
They can also store anything ofcourse. Thank all gods that they don't ask for passwords on faucet sites.

Imagine the possibilities of this add-on implemented for other sites, which i shall not name.

 

LS.

EDIT:
Correction:

it said on other sites, it should be for other sites.

It's not encrypted or obfuscated, you can just read the source if you install the extension.

Here's where the magic happens:

When you go to any website, it sends the URL to /ipa/?u= and waits for a response.



One of our members offers a high payout (and seems like a friendly lil guy) so we'll use his faucet to test, here I've encoded my referral link for his site. You see my wallet address highlighted at the end.



Here's the response - you'll notice it passed back "?r=[wallet address from OP]"



So back to that function to see what it does with it

if(ret["css"]==1) evaluates to true and manipulates the page. Substituting in the values from the JSON response, it does this:

document.querySelector("form")["action"] = "?r=1RZJZgoblahblahblah" (line in the middle of the pic, not the highlighted one)



It's quite clever doing the legwork on their own server I guess, you can customise it as you go, plus it hides it a little from anybody who's skimming the code looking for bad stuff. It's shady as all hell though, I don't think google would like it at all.

I really just skimmed the rest of the code, the fact they're passing every URL you access to their server and then doing whatever they feel like to the webpage you're viewing is a serious enough security and privacy concern. If you have it installed, get rid of it.

I see.

You can't indeed publish anything and everything on chrome-store.

It still sounds kind of shady to me.
It doesn't need to be malware, to perform nasty / shady tricks.

The source code will tell us in detail, the developer probably won't 

LS.

I don't think that you can publish what you want on chrome store...so if it's available there then it's not malicious(with malicious i mean that have viruses, malaware and things like that) but it's still bad for a lot of owners of rotators and lists on the web that try to show people good faucets in exchange of referral earnings, since all those earnings go directly to bitcoin.town faucet's admin without any effort.

If it was explained how it works, if you were able to active it or not and if you were able to really get 3k satoshi every 120 minutes with it from their faucet it would be ok imo.

Maybe this is off topic, or completely irrelevent. If so, i am sorry.
Maybe i am missing something here?

But: i hate malicous apps / people / etc.

Why not submit the addon to virustotal.com just to get an impression of what lots anti-virus programs find?
It will pass through 50+ anti-virus programs. It just might give some indication of how legit this is.

If it passed as legit, we should demand the source code for review.
Any legit coder / programmer will have no problems with that?

If we can't get the code for review, than that raises red flags, like zillions.

LS.

You mean leave him feedback here? https://bitcointalk.org/index.php?action=trust;u=545658

You can also rate his chrome app https://chrome.google.com/webstore/detail/bitcointown/clklpdbjkikeoaedajapmnfnndgelgeh

good observation lelouch90, in the thread of this faucet i have write "i don't install the chrome extention because i can't verify if is a virus ".
Is better already add a negative trust for user

Yes, ofc it's fine when you go on lists/rotator and you find new good faucets and you claim from their ref links and help them with some referral earnings.

In this case you were giving free satoshi to a 3rd person that made an extension without any utility(they are not giving 3000 satoshi every 120 minutes if you have it installed because i tried it and it works only once a day).

thanks for inforamtion

Nice job...hopefully people will see one of our advices and remove it.

Well, thanks for informing about it. It is certainly bad not to tell the extension is inserting you as a referal, but personally I would not mind making some other person earn a little money while I earn mine.

You're doing the lord's work lelouch.

I've put a scam alert up on LGC notifying people to uninstall it and change their receiving address if they've been using it.

This is their thread about their faucet https://bitcointalksearch.org/topic/bitcointown-1500sathr-faucet-chrome-plugin-to-earn-while-surfing-1218181 and i'm opening another thread because it has more visibility than a post in their topic.
(if you never used their faucet/extension then just ignore both topics  )

BE CAREFUL AND DON'T INSTALL THE EXTENSION

When you claim from faucets the extension put their ref link in any faucet(or probably just in every faucet that use the common ref link "faucet/?r=.......") and you give them free satoshi also if you used another ref link from another rotator/list/etc

https://faucetbox.com/check/1RJZgoXqTxXs69kQ5xxmgwWsCDmgu3wNH

https://faucetbox.com/check/1QDRZ8SGeuyHbGpBou6LA1mKy9bAuHR4HH

These are 2 addresses(i saw these 2 but probably they have more of them) that will popup when you claim whit the extension installed.

If you already installed it just remove it from chrome and everything will be fine