troubleshooting target: fountain (for abuse potential)
exploit found: captcha bypass assuming 0 balance
with any of the three adblock extensions enabled, captcha is checked after simply clicking (no selecting images) so long as balance is 0 - this enables me to use autokey (autohotkey on windows) to continually, through automated click-events, claim 500 satoshi and bet it at an absurd multiplier until i essentially steal 55k satoshi by recording a few mouse click events and retiring to the opium den until autokey alerts me that i've succeeded in ripping off your fountain.
https://i.imgur.com/NtI5OnC.png
(difficult to take a screen of something NOT happening, but all i have to do is click the human verification and it accepts as if i had completed a captcha, then allows me to claim)
note that once the balance is over 0 the captcha modal window does appear and does not award additional coin upon completion. it simply allows for an automation scheme if the user bets all 500 satoshi at 1% odds / 99x multiplier.
software tech specs: debian-ish linux running chromium/webkit-based browser using stock adblock plus extension out of chrome app store
ok!
- Lyco / user "harlequence" on magicaldice
- Joshua Ryan Nydel - nydel at ma dot sdf dot org for mail
That is with reCaptcha. That is completely not related to the site.
Oh wow, this is necessary? Ok:
While aware that a third-party captcha service is being used, the site's design to award 500 satoshi to anyone with a balance of 0 presents a unique risk.
Since the third-party service is in fact very much related to the site, and the exploit cannot happen without the site's design in relation to the captcha service's problem, we are left with two options:
1) Do something to make sure nobody's using this exploit.
2) Tell Lyco that this is an issue "completely not related to this site" and make him write this, then do #1 anyway.
ok!
- Lyco / user "harlequence" on magicdice
- Joshua Ryan Nydel - nydel at ma dot sdf dot org for mail
This is because of Google linking you to your google account. Honestly you can't do much with that anyway. You can't withdraw those 500 satoshis, and if you can't get more until your balance hits 0, then it's not exactly helping you any more than an annoying full validation captcha would.
my preliminary model of a malicious person's autokey script is set to claim the fountain's 500 satoshi then bet it at 1% until it wins twice in a row.
this would total 0.04900500 BTC.
it can complete the first bet around 6 times per minute - though i estimate that rate could be near doubled on a dedicated machine - and a malicious person's otherwise-idle laptop(s) -- not a malicious person, but simply their otherwise-idle laptop -- could run it all day, every day, for as long as you guys are online.
with no offense meant whatsoever, i honestly cannot tell if you simply don't understand the severity of this exploit, or if rather you think that the exploit's ingenuity renders it too unlikely to pose a threat, or if you simply don't want to acknowledge my work in order to avoid paying bounty. regardless, i signed on to answer a distress call & take an opportunity to ethically utilize my expertise in the field, and i simply don't do half-ass jobs. you have a very serious exploit that involves an opportunity for a determined person to take money directly from your organization with no consequences, and i'm the one who noticed it, so it's my obligation to do this:
proposed methods of prevention
intended to stop the exploit before it has time to yield results:
method 01: put a time restriction on fountain queries.
detail: the most efficient implementation of this theory starts with a 15 second clock and doubles the countdown timer length every time a claim is made in less than double the current countdown time.
advantages: completely disable the exploit
disadvantages: threaded timer processes could stress resources or even allow for a special type of organized attack - the odds of this are close to negligible, and the consequences would simply be a slowdown in the site's performance or at theoretical worst a bandwidth overload.
method 02: periodically scan for 500 satoshi bets at odds percentages under 05.
detail: every 15 minutes, scan the bet database's appended entries for bets that meet these criteria: a) amount is less than 501 satoshi b) odds are equal to or below 5% - next the results matching criteria a & b count the userid column for repeats. any user appearing in the result list over 50 times (arrived at this figure assuming ~3 to 4 bets per minute) is flagged as using the exploit then dealt with accordingly (account disabled, either permanently or perhaps for 60 minutes in the case that the criteria leave any room for mistake).
advantages: organization is likely to successfully hide from the exploit indefinitely, and save on computer power usage as compared with that of method one
disadvantages: allows users to run the exploit at a slower speed with no consequences.
i would recommend the first method or a combination of the two over the second method by itself. ignoring the exploit is indeed a third option, but i think my obligation ends just before a blitzkrieg attempt at making sure it's understood how dangerous that is.
let me know if there's anything else/anything i can do to help further/help!
ok!
- Lyco / user "harlequence" on magicaldice
- Joshua Ryan Nydel - nydel at ma dot sdf dot org for mail
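The two countermeasures proposed above (the doubling claim cooldown of method 01 and the periodic bet-record scan of method 02), as an added Python sketch that is not part of the thread or of the site's own code; the bet-record shape `(user_id, amount_satoshi, win_chance_percent)`, the per-user cooldown state and the sample data are all constructed assumptions.

```python
from collections import Counter

# Method 01: adaptive cooldown on fountain claims (assumed structure).
# Starts at 15 s and doubles whenever a claim arrives in less than twice
# the current cooldown; claims inside the cooldown are rejected outright.
class FaucetCooldown:
    def __init__(self, base_seconds=15):
        self.base = base_seconds
        self.state = {}  # user_id -> (last_accepted_claim_time, current_cooldown)

    def try_claim(self, user, now):
        last, cooldown = self.state.get(user, (None, self.base))
        if last is not None:
            since = now - last
            if since < cooldown:
                return False           # still inside the cooldown: deny, keep state
            if since < 2 * cooldown:
                cooldown *= 2          # rapid repeat claim: back off harder
        self.state[user] = (now, cooldown)
        return True

# Method 02: scan one 15-minute window of bet records for fountain-sized,
# long-shot bets and flag users who place more than `threshold` of them.
# Criteria from the post: amount < 501 satoshi and odds <= 5%, > 50 repeats.
def flag_faucet_abusers(bets, max_amount=500, max_odds=5.0, threshold=50):
    suspicious = Counter(
        user for user, amount, odds in bets
        if amount <= max_amount and odds <= max_odds
    )
    return sorted(user for user, hits in suspicious.items() if hits > threshold)

# Constructed sample window: one account firing 60 faucet-sized 1% bets,
# one ordinary player with a handful of normal bets and three long shots.
SAMPLE_BETS = (
    [("abuser", 500, 1.0)] * 60
    + [("player", 20000, 49.5)] * 5
    + [("player", 500, 1.0)] * 3
)

if __name__ == "__main__":
    print("flagged:", flag_faucet_abusers(SAMPLE_BETS))   # flagged: ['abuser']
    cd = FaucetCooldown()
    for t in (0, 10, 20, 45, 100):
        print(f"t={t:>3}s claim accepted: {cd.try_claim('u', t)}")
```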