Pages:
Author

Topic: Hack Into BitDice And Get 1BTC! - page 3. (Read 6829 times)

legendary
Activity: 1540
Merit: 1016
December 25, 2016, 07:34:11 AM
Well, even without all the machinisms Ive been able myself to request the forgotten password stuff, I simply clicked on forgotten password.
What I'm saying is: if someone is able to access the actual email and get in, if you can then you are all set.

Thats the point of it and for now he might be the closest one that actually could get this "far" however if he doesnt then atleast he sheds sme light that the page shouldnt be accesable like that. Well we shall see how far he get through in 24 hours as he has stated however Im pretty convinced that it might take more than that
legendary
Activity: 3374
Merit: 2198
I stand with Ukraine.
December 25, 2016, 05:40:50 AM
~

I think you are inviting problems.. Give me 24 hr's I think I can get to that 1btc..

~


That sounds intriguing. I'm definitely going to visit this thread 24 hrs later. Although I'm far from being good at coding I hope I'm not wrong about general principles: no matter how good your security is, there's always a way to hack you, it just takes time and skills.
full member
Activity: 172
Merit: 100
December 25, 2016, 04:50:57 AM
Well, even without all the machinisms Ive been able myself to request the forgotten password stuff, I simply clicked on forgotten password.
What I'm saying is: if someone is able to access the actual email and get in, if you can then you are all set.
hero member
Activity: 2996
Merit: 609
December 25, 2016, 03:24:43 AM


Found this big lock page while I was having a poke.

Thats one hell of a padlock!

Might want to remove the following from the source of that svg files

Generator: Adobe Illustrator 19.2.1, SVG Export Plug-In . SVG Version: 6.00 Build 0)

Gives potential attackers clues Versions numbers ect.

Also visiting this link  https://www.bitdice.me/password/  shows a text box saying

So I attempted this

https://www.bitdice.me/password/email/

I was then presented with the Change password box.. Yet I was not logged in as user.....

"If we have this email in our database, you will receive information on how to reset your password within a minute."

Fuzzing the data between the browser and server I'm sure there could be some way of "editing" the  [email protected] email

Either way. I don't think that message should be showing for a non registered user by visiting that link.

I think you are inviting problems.. Give me 24 hr's I think I can get to that 1btc..

Either way.. U need to check the links.. that is not "good" admin having boxes popping up could lead to XSS.

Further to this you should obfuscate the code linking to Sentury.. Smiley   PS check your email [email protected] for the sentruy reset link I managed to send you....

Code:
Recover Account

We have sent an email to the address registered with this account containing further instructions to reset your password.



amazing. You truly got a skills of a hacker. What if there is no 1btc? what if they make this event to generate more traffic. For example they can collect people to play there game for its security, that's why they make this event. Yes, people will first find the security of the site. So that there profits will not be hacked or stolen. Anyways Good Luck on pentesting that site Smiley Wish you luck. Just reply in this thread for your progress. So that we can manage to follow how you hacked there site. Smiley
Finally there some member who made some move regarding on this event which is really great showing some excellent skills on hacking bitdice website. I would love to hear about the opinion of the owner regarding on this matter.Im sure that there is a 1btc bounty on the account and admin wont say a thing if he dont mean it.
hero member
Activity: 2632
Merit: 787
Jack of all trades 💯
December 25, 2016, 01:32:55 AM


Found this big lock page while I was having a poke.

Thats one hell of a padlock!

Might want to remove the following from the source of that svg files

Generator: Adobe Illustrator 19.2.1, SVG Export Plug-In . SVG Version: 6.00 Build 0)

Gives potential attackers clues Versions numbers ect.

Also visiting this link  https://www.bitdice.me/password/  shows a text box saying

So I attempted this

https://www.bitdice.me/password/email/

I was then presented with the Change password box.. Yet I was not logged in as user.....

"If we have this email in our database, you will receive information on how to reset your password within a minute."

Fuzzing the data between the browser and server I'm sure there could be some way of "editing" the  [email protected] email

Either way. I don't think that message should be showing for a non registered user by visiting that link.

I think you are inviting problems.. Give me 24 hr's I think I can get to that 1btc..

Either way.. U need to check the links.. that is not "good" admin having boxes popping up could lead to XSS.

Further to this you should obfuscate the code linking to Sentury.. Smiley   PS check your email [email protected] for the sentruy reset link I managed to send you....

Code:
Recover Account

We have sent an email to the address registered with this account containing further instructions to reset your password.



amazing. You truly got a skills of a hacker. What if there is no 1btc? what if they make this event to generate more traffic. For example they can collect people to play there game for its security, that's why they make this event. Yes, people will first find the security of the site. So that there profits will not be hacked or stolen. Anyways Good Luck on pentesting that site Smiley Wish you luck. Just reply in this thread for your progress. So that we can manage to follow how you hacked there site. Smiley
legendary
Activity: 1540
Merit: 1016
December 24, 2016, 10:21:27 PM

Either way. I don't think that message should be showing for a non registered user by visiting that link.

I think you are inviting problems.. Give me 24 hr's I think I can get to that 1btc..

Either way.. U need to check the links.. that is not "good" admin having boxes popping up could lead to XSS.

Further to this you should obfuscate the code linking to Sentury.. Smiley   PS check your email [email protected] for the sentruy reset link I managed to send you....

Code:
Recover Account

We have sent an email to the address registered with this account containing further instructions to reset your password.



Well the reason that they made this is for the user to find the exploit. The higher the bounty the more people will actually try to get it and finally someone made a solid achievement , atleast for now it sheds some light here and if you actually ended up getting the 1btc then they could be able to fix the hole that you made through
newbie
Activity: 14
Merit: 0
December 24, 2016, 07:52:25 PM
https://s27.postimg.org/6l13999f7/Lock.png

Found this big lock page while I was having a poke.

Thats one hell of a padlock!

Might want to remove the following from the source of that svg files

Generator: Adobe Illustrator 19.2.1, SVG Export Plug-In . SVG Version: 6.00 Build 0)

Gives potential attackers clues Versions numbers ect.

Also visiting this link  https://www.bitdice.me/password/  shows a text box saying

So I attempted this

https://www.bitdice.me/password/email/

I was then presented with the Change password box.. Yet I was not logged in as user.....

"If we have this email in our database, you will receive information on how to reset your password within a minute."

Fuzzing the data between the browser and server I'm sure there could be some way of "editing" the  [email protected] email

Either way. I don't think that message should be showing for a non registered user by visiting that link.

I think you are inviting problems.. Give me 24 hr's I think I can get to that 1btc..

Either way.. U need to check the links.. that is not "good" admin having boxes popping up could lead to XSS.

Further to this you should obfuscate the code linking to Sentury.. Smiley   PS check your email [email protected] for the sentruy reset link I managed to send you....

Code:
Recover Account

We have sent an email to the address registered with this account containing further instructions to reset your password.

hero member
Activity: 994
Merit: 502
December 24, 2016, 07:37:58 PM
Hey guys,

Whole thing was to prove default settings. As I've mentioned it in the first post, I did not set any additional security settings. This is security by default, which each user gets after registration. You can lower it, if you feel comfortable, or increase. It's up to you. But by default you should be as safe as your email provider.

Regarding security problems with email, your account still can be safe even if your email has been compromised. Just set 2FA. You can also set IP address lock, or withdrawal address lock. We provide as many options as you can possibly use.

Regards,
Alex

But if a hacker had hacked the email and he has the password to the account can't he just reset the withdrawal address and the IP address? Or by 2FA you mean other thing than email? I'm sorry if my question was a stupid one, I'm new to this thing.

They also have a 2FA option to use your phone as 2FA with Google Authenticator or similar. This is probably an even more secure method than email as they would have to have access to your phone in order to get the 2FA code.

2FA is more secure way that's why you need to be carefull.
When and if you enable it, you MUST store somewhere your 16-digit code/key.
If you don't and you loose your devise, you are in a black hole... Roll Eyes

Yeah, especially if it's for your e-mail, which as the 2-FA keys for the rest of your account, who would do something like that?

*looks around*

But seriously, always print out/write down your backup keys. ALWAYS!
newbie
Activity: 14
Merit: 0
December 24, 2016, 06:15:12 PM
1.4 million passwords attempted to gain access to your site...

Looks secure to me!

Few issues I did find will be submitted via email for security reasons.

Ps when posting something online saying come hack us.. that in my eyes sends the wrong signals.

You should of done this via bug crowd don't be surprised if you find hackers poking about your server.. seems you don't even use cloudflare to hide the IP.. and with multiple servers and ports open.. expect some people to try other tactics as you boast about "how secure" you are..


I was having the same thought about this, put a target on your site and you can't be to sure whats coming.

One wrong move, One xss vuln, some mis-configured backend DB or service including ssh and you could be regretting posting this and challenging people,

Further to this I would of specified the scope for people to attempt. From what I see you have not said anywhere about people attempting other ways to gain access to the site or specifically that account. I'm sure by now you must be seeing lots of traffic towards all points in the site, You should no doubt be able to see from the panel.

I would reword this to exclude types of hacking against your servers and processes.

I did find one or two issues but as I said these will be disclosed to the site only (nothing serious)
hero member
Activity: 896
Merit: 1000
December 24, 2016, 05:50:07 PM
1.4 million passwords attempted to gain access to your site...

Looks secure to me!

Few issues I did find will be submitted via email for security reasons.

Ps when posting something online saying come hack us.. that in my eyes sends the wrong signals.

You should of done this via bug crowd don't be surprised if you find hackers poking about your server.. seems you don't even use cloudflare to hide the IP.. and with multiple servers and ports open.. expect some people to try other tactics as you boast about "how secure" you are..


I was having the same thought about this, put a target on your site and you can't be to sure whats coming.
newbie
Activity: 14
Merit: 0
December 24, 2016, 05:29:38 PM
1.4 million passwords attempted to gain access to your site...

Looks secure to me!

Few issues I did find will be submitted via email for security reasons.

Ps when posting something online saying come hack us.. that in my eyes sends the wrong signals.

You should of done this via bug crowd don't be surprised if you find hackers poking about your server.. seems you don't even use cloudflare to hide the IP.. and with multiple servers and ports open.. expect some people to try other tactics as you boast about "how secure" you are..
newbie
Activity: 3
Merit: 0
December 24, 2016, 04:33:02 PM
honestly any good person who is involved in security wouldn't waste their time with this for indian tier money lol..
I know a bypass, but there is literally no point, tip it 10+ btc if you want results.

sorry, i don't get out of bed for less then 5 thousand dollars.
legendary
Activity: 1736
Merit: 1029
December 22, 2016, 08:51:38 PM
Hey guys,

Whole thing was to prove default settings. As I've mentioned it in the first post, I did not set any additional security settings. This is security by default, which each user gets after registration. You can lower it, if you feel comfortable, or increase. It's up to you. But by default you should be as safe as your email provider.

Regarding security problems with email, your account still can be safe even if your email has been compromised. Just set 2FA. You can also set IP address lock, or withdrawal address lock. We provide as many options as you can possibly use.

Regards,
Alex

But if a hacker had hacked the email and he has the password to the account can't he just reset the withdrawal address and the IP address? Or by 2FA you mean other thing than email? I'm sorry if my question was a stupid one, I'm new to this thing.

They also have a 2FA option to use your phone as 2FA with Google Authenticator or similar. This is probably an even more secure method than email as they would have to have access to your phone in order to get the 2FA code.

2FA is more secure way that's why you need to be carefull.
When and if you enable it, you MUST store somewhere your 16-digit code/key.
If you don't and you loose your devise, you are in a black hole... Roll Eyes

It's a sad truth far too few people back their 2FA code up. Then what we see is them crying here on BCT that they've lost their 2FA and need help...

Yeah, I had an issue one time with an upgrade on Google Authenticator that wiped all 2FA codes from my device. What a nightmare that was. I since switched to Authy which allows you to backup your 2FA codes. I do recommend that you backup your codes or save your recovery key in case something happens as it can be a pain to regain access to sites.

Yes I had this issue also, especially if you are on an iPhone.  You can backup almost everything, including the app however it will not backup the 2fa recovery codes for you. It was a big pain however there is an even bigger security risk because as long as someone has access to your email, they can easily reset the 2fa. Hence why its never a good idea to store large amounts of money in any online sites or exchanges.

It's really not to good to store large amounts of BTC in exchangers but it's not so easy to wothdraw every time and leave there a specific amount.
For me 2 are the best options : 2FA and safe keeping of the key and/or frequently changing passwords.
Imho these are the best options atm...
Usually I don't remember to store the backup key for the 2FA autheticator, phone got destroyed/lost multiple times and was NOT a plesant experience.  The biggest problem was trying to remember every single site I was actively using 2FA on... Definetly recommend actually keeping the backup codes.
newbie
Activity: 14
Merit: 0
December 22, 2016, 06:59:20 PM
i have seen a similar system in other sites too...
copper member
Activity: 2562
Merit: 2510
Spear the bees
December 22, 2016, 06:29:32 PM
I will answer you directly, as you continue to say that I've removed 1BTC from the account. Just a rhetoric question, do you always think people are lying to you?
I would continue to state that since there is no need to keep the 1 BTC in the account, that you may have removed it.

The reason it is there because I said so and actually credited him 1BTC. I do not care anymore about that 1 BTC as it has been spent on marketing. So unless you want to say I'm lying, I'm asking you to stop spreading misleading comments.

You may assume they are misleading and you can consider me as someone who is senselessly spreading FUD -- though by stating that no one would know the difference if you removed it or not simply attests to the fact that your security would likely be sufficient to hold off anybody outside of staff.

Regarding general security on BitDice. As Steven already replied, it's more a marketing event, we show users that they are safe EVEN when they do not care about it. And no, email isn't a single point of failure as users can set actual 2FA, IP Lock, and Address Lock. You can not remove nor sign in without turning off 2FA or IP lock even if you have access to the email.

I understand this, acknowledge the fact that this is for marketing, and have previously stated this:

And people would find out the email how exactly? Keep in mind that both email authentication and 2FA are possibilities for security reinforcement on the site - email is just on by default. And hey, if the email password is the same... then that's the user's fault.

and it's fine! I'm glad that you have email authentication (for foreign IP's, I assume) enabled by default. That shows good service in the case where your consumers care about convenience but you are still willing to implement some security to protect them. (** and also allows you to defend more easily against "hacked account" claims)



All I was proposing was the fact that you would have been able to do this marketing for free. I'm not saying your site isn't reputable -- just that this is simply a PR thing and could have just as easily been on an account with a balance of 0. Do you agree?

no hard feelings, not trying to make enemies here
full member
Activity: 157
Merit: 100
Need a Website or A Web App? Let me know!
December 22, 2016, 06:08:43 PM
It was just to show off a simple feature and getting more Unique visitors and page views.
Nice.
hero member
Activity: 2744
Merit: 541
Campaign Management?"Hhampuz" is the Man
December 22, 2016, 12:26:48 PM
while reading the title of the thread I though it was really all about the hack or trick to get 1btc by playng in bitdice but when I opened this thread it was like an epic fail for me Grin but still it's really great that you proved to your players that your platform is highly secured, safe and invulnerable for the hackers . keep up the good work and more power to your site .
hero member
Activity: 776
Merit: 522
December 22, 2016, 11:05:08 AM
Yes it only seems they have email authentication system like few sites and specially blockchain and yobit have right now. However that simple process can add great security feature to any platform.

The security should be a given. At the very least there should be email authentication.

But there is also no point to remove it from that account, by keeping that 1 btc in that account and giving username password combo they are trying to attract more users to play in their platform which i have never seen done by any other gambling platform before.

Are you stupid? Who would even know the difference? This is just to advertise their security. Keeping a bitcoin in the account is completely pointless. Though, even if they did keep the bitcoin in there they could just simply block all withdrawal/tip requests from the account.



Yeah, I suppose its not really a "promo" per se and is designed to show off the security features of the site. However, the 1 BTC reward acts as a bounty if someone did manage to get in the account. Nobody would know if they removed it unless someone managed to get into the account. While unlikely, it is possible someone manages to find a bug or something. There is really no reason for them to prematurely remove the 1 BTC either. I'm sure after a certain length of time has passed, they will publicly state they are removing it if no one was successful in accessing it.

And you're rewarding someone that exploits security flaws? Roll Eyes
The only real reason you might want to keep funds in there is in case there /are/ flaws - someone who exploited them would probably withdraw the bitcoins and then you can close and investigate the site.

... but why go through the trouble of "purchasing" insurance when in reality you can just remove the 'reward' and monitor the account activity (with IP connections)? And it's also more likely that if someone found a security vulnerability, they would go after whales instead of a measly 1 BTC.



Even if they did remove it, all you need to do is to show the screenshot of yourself manage to get into the account and they will still credit your account with 1 btc given that they havent end this event yet however pretty sure that they wont end it , just showcassing this actually give the site some credibility

Why would they bother crediting someone?

... and in the case of screenshots as proof, I'll leave it at this: Photoshop has existed for a very long time.



Wtf. So you have 2FA? That's your big gimmick as to why I should gamble with you? This is poor at best. A lot of people use the same passwords everywhere even h they know they shouldn't, so this isn't saying you have good security, it's just that you have 2FA. It's good, but if the email password is the same it's useless.

And people would find out the email how exactly? Keep in mind that both email authentication and 2FA are possibilities for security reinforcement on the site - email is just on by default. And hey, if the email password is the same... then that's the user's fault.

I will answer you directly, as you continue to say that I've removed 1BTC from the account. Just a rhetoric question, do you always think people are lying to you?

User hack_me has 1 BTC on a balance, I did not remove it, nor I will remove it. There are no locks on withdrawal or tips, or rain. Only DEFAULT settings for each and every other users on our website. If by anyway, you will be able to get in, you will be able to withdraw it instantly. The reason it is there because I said so and actually credited him 1BTC. I do not care anymore about that 1 BTC as it has been spent on marketing. So unless you want to say I'm lying, I'm asking you to stop spreading misleading comments.

Regarding general security on BitDice. As Steven already replied, it's more a marketing event, we show users that they are safe EVEN when they do not care about it. And no, email isn't a single point of failure as users can set actual 2FA, IP Lock, and Address Lock. You can not remove nor sign in without turning off 2FA or IP lock even if you have access to the email.

Regards,
Alex
legendary
Activity: 3094
Merit: 1127
December 22, 2016, 05:24:07 AM
Wtf. So you have 2FA? That's your big gimmick as to why I should gamble with you? This is poor at best. A lot of people use the same passwords everywhere even h they know they shouldn't, so this isn't saying you have good security, it's just that you have 2FA. It's good, but if the email password is the same it's useless.

The account was made by default security settings and it was set up to show the basic security. To show that even if you do not want to set up max security you can still feel secure.

If someone wants to increase their security they can do so by: Adding mobile 2FA and Whitelist their IP(Meaning the user can log into the account ONLY with the whitelisted IP.
These additional features make it much harder for anyone to try hack into an account.
Having 2fa will surely break the head and the hopes of a hacker when he tend to bruteforce a certain account and we all know that setting 2fa would increase the security of the account but in the account of admin have been exposed it dont have 2fa as he mentioned but i think it would be still hard.

Until now,im sure that no one still could able to get the 1 btc bounty inside of the account given.
member
Activity: 70
Merit: 10
December 22, 2016, 01:42:37 AM
Wtf. So you have 2FA? That's your big gimmick as to why I should gamble with you? This is poor at best. A lot of people use the same passwords everywhere even h they know they shouldn't, so this isn't saying you have good security, it's just that you have 2FA. It's good, but if the email password is the same it's useless.

The account was made by default security settings and it was set up to show the basic security. To show that even if you do not want to set up max security you can still feel secure.

If someone wants to increase their security they can do so by: Adding mobile 2FA and Whitelist their IP(Meaning the user can log into the account ONLY with the whitelisted IP.
These additional features make it much harder for anyone to try hack into an account.
Pages:
Jump to: