Topic: Hack This - Open Invitation (Read 546 times)

Hello. We appreciate your interest. Unfortunately, we have concluded the round of security test hosted at this forum. If we have need for further testing in the future, we will announce it. Thank you.

Hi the link isn't working.    I'm interested. PM me. OKThx Bye.

I don't think you are reading well. You want me to without the permission of the receiver give away details about the transaction? And this is coming from someone with a 'Legendary' status?
This act alone should be sufficient grounds alone for the admins to strip you off of this status!
Under no circumstance is any information going to be divulged. This is a privacy-centric exchange. So, nice try.

You were free to participate like the few people who did. Perhaps, you didn't have the required skills, except for pulling people down, so for you the grapes are sour. If you don't care, you are free to disbelieve me.  Just stop coming back to criticize our operation and get on with your life. I have way too many times politely asked you to move on. Stop acting like a whiny kid.

Which is why you should have produced the txid so we could verify.       

I'm not sure if your negative trust or your attitude will be your failure - but I don't care.

1- Once your read about blockchain, security and privacy you will learn about chain analysis .

2- Once you learn about managing a business, you will learn about respecting those who trust in you. Only then will you succeed.

3- You also need to learn about privacy coins, some of which use ZK-proof, ring signatures and other methods which render the txid to be worthless to dig out information.

Even if the txid was all zeros or a non-unique identifier, still are would never divulge it! To everyone reading this, this is a good test we are going through. This is going to be the exchange to trade at in the future.

Our exchange will always stick to our immutable tenets:

• Information regarding any transaction or trade will never be shared with anyone.
• Your account will never be frozen/blocked.
• You can withdraw at any time.
• You can close your account at any time.

Thank you.

Too bad, you could have easily proven you were not just sending a few pennies (or nothing at all!) to yourself.  

Once you learn the blockchain, you'll understand how a proper transaction cannot be related to a customer or agency.

I really feel pity for you both. On one hand you hint of the helper and me being the same entity and on the other hand you ask for a TXID.. so laughable.. if we both are the same person, then how difficult would it be for me to send some funds to my own self and give you a TXID? Are you a 5 year old still in school?

In any case, we would never divulge any information about our customers or agencies that assist us. Furthermore, it was a privacy coin which was used to send the reward to the helper.


The payment was much more than 15$ - sadly you arent even capable of making that much by trolling people.

You both create nothing relevant, p00p on people's projects and ideas (as clearly visible from your responses to other posts), encourage nobody, cast doubts, poison the well, accuse everyone of being a scammer, misuse your powers and reputation and when something positive has happened like the above, you get grumpy and attack. You either have allegiance or stakes in other exchanges which you want to promote here and demote everyone else's or are really good-for-nothing unfortunate, irrelevant dinosaurs with nothing better to do. Get a life. We starters, new-projects owners are hard working and are progressing. You can keep trolling like losers.


“Jealousy is the tribute mediocrity pays to genius.” – Bishop Fulton J. Sheen

Hackers got tired of taking millions from Fixedfloat, so they turned to a bigger challenge, hacking your blot3d-36601.portmap.host:36601 to get $15

Kids use Facebook & Co too much, so it makes them believe that they are idiots everywhere and that they believe everything that is served to them.

What was the transaction ID?   One newbie paying another is a good way to build a reputation, but not if it's with yourself.

$$ Thank you. Very generous. Received! $$
 

Let me know if you need more security testing done. Good Luck.

As you already mentioned, the findings were not critical, still I appreciate you taking time for meticulously reporting whatever you thought was essential. Let me know if you received the payment.
Good job. Thank you.

Please respond to my messages. I have shared the details.

I've tried a few things. No serious finding but I won't post here. In case someone else is also trying. Please check your DM.

They are welcome to do that. That would be real bad ass. At least we will know that a vulnerability exists. If they can do that they deserve the loot!

Fine, don't be.. move on. I have already received PMs. So your point is disproved.

LOL sure buddy, gang up on me. Ally or an alias of the previous poster?

Apply your own argument, why should I trust that escrow when you are yourself not ready to have faith at the first place. We are an exchange, we do not need escrows.

I agree with you here, but, there can be more than one way to break in. Also, we have mentioned in the OP "End of the test will be announced here in this thread." So everyone will be updated. As soon as the funds are stolen, it will be announced here. If nothing happens, after a few days, the test will still be concluded - probably will invite a separate batch of crackers/hackers elsewhere.

I appreciate you taking time to respond. If you do not agree to the terms, it is fine. I respect your PoV.  I will focus on those who have sent me messages and are already onto it. Thank you.

Have you also thought about the hacker breaking in, stealing the coins and going quiet without showing you how he did it?

Also, without any form of guarantee that they will find coins in there once they break in, there is going to be close to zero motivation that someone will even attempt to hack your site. @examplens' idea is actually good. Leave very little funds in the addresses and then send most of it to an escrow. Whoever finds the funds in some addresses, will receive a percentage of the funds from the escrow service. This will also ensure that the hacker will meet his end of the bargain by reporting to you how he cracked into the service.

People should also be able to track and know if someone has already cracked everything or not so that they may not waste time hacking into a service who accounts have already been drained thus receiving no reward,

I don't see how you can speak for everyone or what is on everyone's minds. You may move on to imagine newer things. Thank you for stopping by.

Tis true, I did imagine that number of imaginary bitcoin you have.   That is my bad.

But until you prove you have x bitcoin, where int(x)>0, no one will take you seriously. 

I clearly mentioned not to report regarding iframes, etc. yet you did. Either you are a troll or did not read my OP.


The objective is to penetrate and steal the coins and then give me a PoC so that the issue/s are fixed.. rather than me depositing coins in escrow. Think about it, if I invite attackers, they break in and find no coins, do you think they will report me how they did it? It will serve me no purpose.  If you do not have faith, it is fine, move on.

Criticism is welcome, but please don't make that your only goal.
Thank you. Happy cracking.

Ok, you don't have 50BTC, but you should provide some proof that there are any funds as a reward for this challenge you are offering. Claiming that you have private keys from some address means nothing.
No one is trolling you here, they are just pointing out the shortcomings in your offer.
It would be even better if you leave certain funds in escrow so that the potential tester ^hacker knows that in case of success, there is a guaranteed reward

You are clearly not reading my response well.. Nothing is wrong with professional testers. It seems, you are neither a professional nor a tester.  I never claimed to have 50 BTC. You are conjuring up this number. If anything, nobody is taking you seriously.  I will now stop feeding the trolls.

Criticism is welcome, but please don't make that your only goal.
Thank you. Happy cracking.

Isn't your goal to prove your code is secure?  What is wrong with professional testers?

Prove you have the 50 BTC or no one will take you seriously.

Pardon me but I do not understand? I ran a test run 2 years ago and participants tested it and were able to withdraw their coins.  Who is a scammer on the previous thread and how do you know that?



This is a new endeavour. If the website had 50 BTC, nobody would invite it to be hacked, would rather get it professionally tested from experts.
Asking for proof of 2.5 millions USD is a fool's errand - think about it. I can provide a screenshot or a BTC address but that does not mean the coins are on the website. I can only prove that the coins exist and that I have the private key, how would that make you believe that you will get access to it after hacking the website?


Haha I appreciate good humour. Indeed - MS Frontpage 2.0 for the win. But this was written using nano.

This is not a cool and good looking website with the latest UX/UI tech implemented by any means.
The website is intentionally basic and without javascript. It will be accessible via an anonymous network layer - an overlay network.. which are usually slower than websites on surface web, so the UI is needs to be light and simple.
The redirection service I am using does not issue SSL certs based for subdomains. Where it will be finally hosted might not need a certificate since it would already be on an encrypted network overlay.



To everyone who has responded:
It is very easy to tear things down and mock people's work, if you don't consider testing this worth the effort, then thank you for stopping by. I have invested lots of years in this project.
I appreciate your time. You may move on.


To anyone about to reply:

Criticism is welcome, but please don't make that your only goal.
Thank you. Happy cracking.

Yes, I also have a no-certificate alert.
If you decide to ignore the warning, there are pages behind it that look like they were designed in the '95.
index page, which contains a frame with an index1 page... It seems that some kids found a very old tutorial, on how to make the first website.

First, you need to prove that there are some coins behind everything. Why would someone spend time proving anything to you, when you have, for example, only 0.001BTC in your wallet?
Proof that at least 50 Bitcoins are there will stimulate anyone to try the hack.

Also, who even considers this serious and worth any effort?

You have support from one of the biggest scammers on the forum.
https://bitcointalksearch.org/topic/i-need-test-audience-for-a-project-5378976

Even visiting your insecure page will probably lead to BTC loss. 

I have now provided the hash and the self signed certificate in the original post for your reference.

Page is not secure. 

Inviting hackerz, crackerz, data hijackerz!!

Come hack our crypto exchange. Yes you read it correctly. After a preliminary testnet test - UI and operational test (in 2022), you all are invited to do a full blown penetration test. This is no longer a testnet exchange - it is on mainnet!! Both BTC and ETH mainnet. It holds a few coins. Finders, keepers! Since there is no official payment for this - the crackers and hackers can hack it and take what they can. If you hack this exchange, the coins it holds is your reward!! If you cannot do that, no problems, report me all major findings - but, no, please do not tell me there is an iframe in use, no CSP or SameSite cookies or that it does not obey OWASP Web Top 10, if you think that is a concern then please exploit it and give a PoC shell or something similar that is critical. This is not a vulnerability assessment request, so webscanner results won't cut it - There are no made up CTF baby flags - the flag is real - real mainnet coins! Interested people are invited to test this and report back if interested - PM me. End of the test will be announced here in this thread.

Thank you.

2022 forum post - https://bitcointalksearch.org/topic/i-need-test-audience-for-a-project-5378976

Link to the exchange - Hack this -  https://blot3d-36601.portmap.host:36601/

---

---

SHA256 of the certificate:

---

Full blot3d-36601-portmap-host.crt certificate: