Topic: FreeBitco.in Appears Hacked - Monthly Prize Money Stolen From Multiple Users - page 3.

sr. member
Activity: 1842
Merit: 389
The writing was on the wall and we posted about it 3 months ago, and yet, there are still bad-sses who attack us for being responsive to users and running 20 legitimate faucets for over 7 years (we started in 2017 and freebitco.in in 2013).

So let's say it again - the writing WAS ON THE WALL!

https://bitcointalksearch.org/topic/the-downfall-of-freebitcoin-youtube-5487189

Hopefully someone will finally listen. It's not just about fixing code, it's about getting control of your faucet.

They can't do it in the current structure, it's impossible.
jr. member
Activity: 59
Merit: 6
I was investigating another user https://bitcointalksearch.org/topic/m.64180553 who had something similar happen to them. But he noticed that the address was indeed one of his freebitco.in deposit addresses. The money wasn't credited, but the on-chain transaction is indeed to his own deposit address.

If the OP of this thread didn't happen to check whether the address is one of their deposit addresses (and honestly, why would he?) it might be worth checking it out. If the deposit was indeed made to his own freebitco.in wallet, this indicates a fuck up of the automatic system they employ, and not fraud/scam/hack.


I was wrong. The deposit address was the attacker address and was not actually an official deposit address linked to the users. The funds are not actually in freebitco.in's hands. It was not a simple/weird bug. The website was hacked either by a third party or an inside job.
hero member
Activity: 1288
Merit: 564
Bitcoin makes the world go 🔃
I haven't searched deep in this thread, but are the addresses where the BTC were sent somehow one of your deposit addresses? The OP doesn't mention this detail, I think something fucky is going on, but not actually a scam.

It's pretty obvious that the new address used is from an unknown wallet address, or else this would not be an issue at all since they would still receive their Bitcoin on their other wallet address.

The address used is from a hacker, since I remember some of the victims tracked it and it goes to an unknown address that is not related to their withdrawal history. I believe the hacker managed to inject malware on players' computers or on the freebitco.in side, which was never cleared up since the admin of the casino never answered this issue.
jr. member
Activity: 59
Merit: 6
I haven't searched deep in this thread, but are the addresses where the BTC were sent somehow one of your deposit addresses? The OP doesn't mention this detail, I think something fucky is going on, but not actually a scam.

I was wrong. The deposit address was the attacker address and was not actually an official deposit address linked to the users. The website was hacked either by a third party or an inside job.
copper member
Activity: 67
Merit: 2
I don't understand why FBC doesn't respond, there is no reaction from them. It's a shame that they don't want to help deceived users.
copper member
Activity: 98
Merit: 34
I have knowledge about XSS. If you are using Android then kindly make sure your browser is official and safe. And also check if you have some malware on your device.

An XSS attack requires users to click on a link to get the script from the attacker. Through an XSS attack the attacker cannot upload scripts to servers. It is like maybe you clicked on a malicious link from any source/forum/thread etc. Or your device is compromised, which is very unlikely, as this many users cannot get their devices compromised at the same time. Also, if devices were compromised then the results would be worse.

Also check links you received through email, because I am sure most of the victims logged in from links in emails. Maybe the attacker can exploit a way to trigger automatic emails somehow.

These are all the attack methods that I have learned and experienced so far, and most probably all the possibilities for an XSS vulnerability to be exploited, because without social engineering this attack vector is not so useful.

I am talking about the XSS vulnerabilities reported on the bug bounty platform shared before. If the attacker has some server-type access then it is worse.
jr. member
Activity: 126
Merit: 3
Cross Site Scripting (XSS)

Overview
Quote
Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user. Flaws that allow these attacks to succeed are quite widespread and occur anywhere a web application uses input from a user within the output it generates without validating or encoding it.

Quote
An attacker can use XSS to send a malicious script to an unsuspecting user. The end user’s browser has no way to know that the script should not be trusted, and will execute the script. Because it thinks the script came from a trusted source, the malicious script can access any cookies, session tokens, or other sensitive information retained by the browser and used with that site. These scripts can even rewrite the content of the HTML page.

Reflected XSS Attacks
Quote
Reflected attacks are those where the injected script is reflected off the web server, such as in an error message, search result, or any other response that includes some or all of the input sent to the server as part of the request. Reflected attacks are delivered to victims via another route, such as in an e-mail message, or on some other website. When a user is tricked into clicking on a malicious link, submitting a specially crafted form, or even just browsing to a malicious site...

Stored XSS Attacks
Quote
Stored attacks are those where the injected script is permanently stored on the target servers, such as in a database, in a message forum, visitor log, comment field, etc. The victim then retrieves the malicious script from the server when it requests the stored information. Stored XSS is also sometimes referred to as Persistent or Type-II XSS.

Blind Cross-site Scripting
Quote
Blind Cross-site Scripting is a form of persistent XSS. It generally occurs when the attacker's payload is saved on the server and reflected back to the victim from the backend application. For example, in feedback forms an attacker can submit the malicious payload using the form, and once the backend user/admin of the application opens the attacker's submitted form via the backend application, the attacker's payload will get executed.

Source: https://owasp.org/www-community/attacks/xss/


Further reading: https://owasp.org/www-community/Types_of_Cross-Site_Scripting
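As an added example (not code from this thread, from OWASP, or from freebitco.in), here is the stored XSS pattern the quoted text describes, applied to a leaderboard that displays user-controlled names like the ones the victims mention: the renderer that interpolates raw data beside the one that HTML-encodes it, plus a defender-side check on the produced markup. The user IDs, names, function names and the `<script>` placeholder are all constructed for illustration.

```javascript
// Output encoding for the HTML text/attribute context: neutralises the five
// characters that can break out of text or attribute content.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[ch]);
}

// Vulnerable renderer: the stored display name goes straight into the markup,
// so whatever a user saved as their name is delivered to every viewer's browser.
function renderLeaderboardUnsafe(rows) {
  return '<ol>' + rows.map((r) => `<li>${r.userId}: ${r.name}</li>`).join('') + '</ol>';
}

// Hardened renderer: every user-supplied field is encoded for the HTML context,
// so the same stored name is shown as text and never parsed as a tag.
function renderLeaderboardSafe(rows) {
  return '<ol>' + rows.map((r) => `<li>${escapeHtml(r.userId)}: ${escapeHtml(r.name)}</li>`).join('') + '</ol>';
}

// Review-time check on generated HTML: report any tag the template itself did
// not emit, and any tag carrying an inline event-handler attribute.
function findUnexpectedMarkup(html, allowedTags = ['ol', 'li']) {
  const found = [];
  for (const m of html.matchAll(/<\/?([a-zA-Z][a-zA-Z0-9-]*)[^>]*>/g)) {
    const tag = m[1].toLowerCase();
    if (!allowedTags.includes(tag) || /\son[a-z]+\s*=/i.test(m[0])) found.push(m[0]);
  }
  return found;
}

// Constructed sample rows: one honest name and one stored name carrying a
// placeholder script tag (the tag body is deliberately an empty comment).
const SAMPLE_ROWS = [
  { userId: 12345, name: 'alice' },
  { userId: 67890, name: '<script>/* attacker-controlled */</script>bob' },
];

console.log('unsafe:', findUnexpectedMarkup(renderLeaderboardUnsafe(SAMPLE_ROWS)));
console.log('safe:  ', findUnexpectedMarkup(renderLeaderboardSafe(SAMPLE_ROWS)));
```

The unsafe renderer reports the stray `<script>` and `</script>` tags, the safe one reports nothing because the stored name reaches the page as `&lt;script&gt;` text.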
jr. member
Activity: 126
Merit: 3
I have no extensions on my fbtc device.

You cannot install Chrome extensions on the Chrome browser on Android.

I really do appreciate your input.

Discussion is always healthy and can sometimes provide insight to a difficult problem.
copper member
Activity: 98
Merit: 34
As far as these vulnerabilities are concerned, they are patched already; I have checked one of the unpatched ones. I think FBC does not update their bug fix status there.
copper member
Activity: 98
Merit: 34
The only thing we seem to have in common is that our USER IDs were visible on the fbtc site.

For example the daily jackpot leaderboard and the wagering and referral contest leaderboards.

I have no browser extensions, system is updated daily and avast reports no issues.

The attacker claimed he used a known xss vulnerability to steal our funds.

Deposit and withdrawal addresses were manipulated among other things.

Fbtc knew or should have known about unpatched xss security vulnerabilities.

Bugbounty lists some of these unpatched security vulnerabilities:

https://www.openbugbounty.org/reports/domain/freebitco.in/

Here is an example of the injected malicious code used during the second wave of attacks:

https://pastebin.ai/eo0q78pbuj

With an XSS vulnerability the attacker cannot insert a script in your browser. So my concern again is that you should look for common extensions. Your IDs were targeted because the attacker was sure there were funds and did not want to ping normal users with uncertain balances.
sr. member
Activity: 1498
Merit: 416
I'm still getting near daily email (spams) from them which make no mention of any trouble.

Have none of you clicked "reply" and seen what happens?
Hopefully no one will risk clicking those emails; we may never know what's in there that might lead to the hackers extending their attack to more and more people. It sucks that Freebitcoin is having this kind of problem; it's a good thing that it's not them causing the problems but the hackers. They still have some responsibility for it though, and improving their security online and offline is probably their only solution to this one.
jr. member
Activity: 126
Merit: 3
The only thing we seem to have in common is that our USER IDs were visible on the fbtc site.

For example the daily jackpot leaderboard and the wagering and referral contest leaderboards.

I have no browser extensions, system is updated daily and avast reports no issues.

The attacker claimed he used a known xss vulnerability to steal our funds.

Deposit and withdrawal addresses were manipulated among other things.

Fbtc knew or should have known about unpatched xss security vulnerabilities.

Bugbounty lists some of these unpatched security vulnerabilities:

https://www.openbugbounty.org/reports/domain/freebitco.in/

Here is an example of the injected malicious code used during the second wave of attacks:

https://pastebin.ai/eo0q78pbuj
copper member
Activity: 98
Merit: 34
As a programmer I suggest all scammed users check which browser extensions they have in common.
It is easy for an extension to put any code inside any website, so always use only extensions that are necessary and trusted.

I also want to ask how you guys are making so much money on fbc
copper member
Activity: 67
Merit: 2
I'm still getting near daily email (spams) from them which make no mention of any trouble.

Have none of you clicked "reply" and seen what happens?

I sent them messages to 2 email addresses ([email protected], [email protected]) and wrote a personal message on this site, and a message was also sent through the fbc website in the FAQ section. There is no feedback from them.
legendary
Activity: 3696
Merit: 2219
💲🏎️💨🚓
I'm still getting near daily email (spams) from them which make no mention of any trouble.

Have none of you clicked "reply" and seen what happens?
copper member
Activity: 67
Merit: 2
Has anyone been contacted about the theft? I wrote several emails and personal messages to support, sent them a video of how the address changed during the withdrawal, but never received a response.
jr. member
Activity: 126
Merit: 3
No response from support.

No response from TheQuin.


List of reported security vulnerabilities:

https://www.openbugbounty.org/reports/domain/freebitco.in/
copper member
Activity: 67
Merit: 2
Did someone get paid back already?

I still haven't got an answer about a missing 21300€ from our accounts.

I didn't get it back. No answer was given. Does anyone have contact information for the admin of the fbc site?
newbie
Activity: 11
Merit: 0
Did someone get paid back already?

I still haven't got an answer about a missing 21300€ from our accounts.
jr. member
Activity: 0
Merit: 0
Freebitco.in never responded to me and my money was stolen because of Freebitco.in.

People have to be clear that if there is any problem there is no one in technical support, so everything accumulated can be lost and no one will help us.