Topic: Faucet hacked - need brains to help (Read 241 times)

full member
Activity: 953
Merit: 102
★★ freecoyn.com ★★
August 07, 2018, 11:01:28 AM
#9
> You need proper pentesting around JSON, code execution, API security, XSS... mainly sanitising user input. Someone highly likely slipped malicious code in somewhere; you need to prevent them from executing such code and you must validate user input - if your issue is related, of course.

Thanks for all this. It's beyond me though! I'm looking into a new script, will test it publicly soon.
newbie
Activity: 14
Merit: 0
August 05, 2018, 04:11:52 PM
#8
You need proper pentesting around JSON, code execution, API security, XSS... mainly sanitising user input. Someone highly likely slipped malicious code in somewhere; you need to prevent them from executing such code and you must validate user input - if your issue is related, of course.
full member
Activity: 630
Merit: 100
August 05, 2018, 02:29:12 PM
#7
Just assume that all user input, GET and POST data, is insecure.
full member
Activity: 953
Merit: 102
★★ freecoyn.com ★★
August 05, 2018, 02:08:40 PM
#6
Thanks everyone for your really helpful comments and suggestions - that's what makes this community great!

I think I used the cookie cutter option because, while I'm fascinated with bitcoin and faucets, I'm not a coder, so I was hoping for something I could use out of the box.

But it's back to the drawing board now. However, I'm going to persevere and hopefully launch a new and improved version soon. :)
hero member
Activity: 1540
Merit: 508
August 05, 2018, 01:31:35 PM
#5
I remember that someone notified you about the problems of this script. Most free scripts aren't safe enough and you have to customise them, and I think running a faucet on a WP site is a bad idea because WP is a favorite target of hackers.
jr. member
Activity: 319
Merit: 2
August 05, 2018, 12:01:30 PM
#4
Make sure that your connection with the FaucetHub API is secure and cannot be altered with any parameters in the faucet's URL or values you're using on your website (if you are using usernames/passwords). Don't rely on GET PHP parameters, because they can be changed super easily and may break your faucet. POST parameters can also be changed by users, but it is way harder for hackers, and you can set up additional security for POST parameters.

If users drained your faucet really fast, that means:
- they could potentially get your FaucetHub API key (make sure it is not public)
- your faucet doesn't have any timeouts between claiming or they can be easily bypassed
- it doesn't have the necessary IP security against proxies (there are 3rd party scripts for that)

Always make sure that your site is 100% safe before you release it.
Check every single thing and play with parameters, try to crack it, or send your friends so they can verify if everything is good.

Rate limits can also be a good thing when you start your fresh faucet; I used them and tracked down a major issue with my faucet. Basically it's all in the FaucetHub settings: you can limit how much Satoshi can be withdrawn from your faucet in a certain range of time.

Good luck with your faucet in the future.
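The controls this post lists (no client-controlled reward, a cooldown between claims, an IP block list for known proxies, and a capped payout per time window), written up as an added Python example; it is not code from the thread, from any faucet script or from FaucetHub, and the thresholds, the address pattern and the IP values are assumptions.

```python
# Added example: a server-side claim gate. Every value that matters (reward
# size, cooldown, payout budget) is fixed on the server; the request only
# supplies a payout address and arrives from an IP, and neither can raise the
# reward or shorten the cooldown. Thresholds and the address pattern are assumed.
import re
import time
from collections import deque
from dataclasses import dataclass, field

CLAIM_COOLDOWN_S = 600        # assumed: one claim per address per 10 minutes
WINDOW_S = 3600               # assumed: payout budget window of one hour
WINDOW_BUDGET_SATS = 2000     # assumed: max paid out per window, all users combined
REWARD_SATS = 25              # decided by the server, never read from the request
# Loose format check only (constructed); a real deployment would validate the checksum.
ADDRESS_RE = re.compile(r"^(bc1[0-9a-z]{25,62}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})$")


@dataclass
class FaucetGate:
    last_claim: dict = field(default_factory=dict)  # address -> last claim timestamp
    payouts: deque = field(default_factory=deque)   # (timestamp, sats) within the window
    blocked_ips: set = field(default_factory=set)   # e.g. known anonymous proxy exits

    def _window_total(self, now):
        # Drop payouts that have aged out of the window, then sum what remains.
        while self.payouts and self.payouts[0][0] <= now - WINDOW_S:
            self.payouts.popleft()
        return sum(sats for _, sats in self.payouts)

    def claim(self, address, ip, now=None):
        """Return (granted, reason, sats). Checks run in cheapest-first order."""
        now = time.time() if now is None else now
        if not ADDRESS_RE.match(address or ""):
            return False, "bad address", 0
        if ip in self.blocked_ips:
            return False, "blocked ip", 0
        last = self.last_claim.get(address)
        if last is not None and now - last < CLAIM_COOLDOWN_S:
            return False, "cooldown", 0
        if self._window_total(now) + REWARD_SATS > WINDOW_BUDGET_SATS:
            return False, "budget exhausted", 0
        # All checks passed: record the claim before any payout call is made.
        self.last_claim[address] = now
        self.payouts.append((now, REWARD_SATS))
        return True, "ok", REWARD_SATS
```

The `now` parameter exists so the cooldown and window logic can be exercised deterministically; a live handler leaves it unset.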
jr. member
Activity: 113
Merit: 1
Unknown
August 05, 2018, 11:50:35 AM
#3
Just to mention it, the IP you wrote is an anonymous proxy.
full member
Activity: 630
Merit: 100
August 05, 2018, 10:57:24 AM
#2
My condolences, it really sucks when stuff like that happens.
Being an amateur coder and all, I’ve been working on security continuously for my faucets. So, since I’m an amateur myself, I can’t offer any “truths”.
But the following should help... stay away from cookie cutter solutions. If you run a custom script, any malicious individuals will have to write a custom hack for your specific faucet.
Sanitize any and all user input, lock down access to script execution and reduce the number of attack surfaces as much as possible.
I have yet to find the magic bullet when it comes to bots, and they can empty a faucet real fast if given an opening.
full member
Activity: 953
Merit: 102
★★ freecoyn.com ★★
August 05, 2018, 05:31:22 AM
#1
Haha, well I quickly found out the hard way about faucet security.

Having been assured by the creator of the first faucet script I used on my WP site that it was completely secure - it clearly wasn't!

The faucet was emptied last night (about 5,000 sats) to this IP: 91.208.99.2

That'll teach me! No re-fill until I figure out what went wrong. Any help would be appreciated.

- http://freecoyn.com/free-bitcoin-faucet/

Thanks :)