Topic: MooCoin beta. 500 invites available. Looking for feedback on this new project. - page 2. (Read 4886 times)

full member
Activity: 141
Merit: 100
After playing around with the faucet for a bit, I suggest doing one of the following things:

1) Adding a time limit between claims of the faucet money (at BitVegas we set it to 15 minutes)
2) Raising the amount of money that one gets from the faucet, but only allowing a claim if the user's balance is 0 (satoshiaces.com did this and it worked great to encourage actual gambling rather than abuse)

At the moment, being able to infinitely claim from the faucet can lead to some pretty extreme abuse.

As for the new Captcha: it works better and fits in perfectly with the design of the site. Much less irritating than stuff like ReCaptcha when most of the time it's impossible for you to read what you're meant to type.
member
Activity: 112
Merit: 10
Do you moo?
Hi Everyone,

We just added a public account id for everyone.  It doesn't do anything except help us identify your account if you give it to us.  It's perfectly ok to share it with us in a public forum like this.  No one can access your account with your public Id.

You can get your public Id by clicking the help button, then looking in the lower left of that dialog box.  It will always start with PUB.

Make sure you never share your private account Id.  That one is found in the URL of your browser and does NOT start with PUB.

Snail2:  If you get a chance, can you send us your public Id so we can take a look at the duplication in your account?

Thanks!
The MooCoin Team
sr. member
Activity: 434
Merit: 250
you could use wallet addresses as account id's and make it so the user can only withdraw to that address.
No wait, bad idea. Someone could log in with another person's wallet and lose on purpose.
member
Activity: 112
Merit: 10
Do you moo?
Looks great, I see only two issues.

1.
Transaction and game history look a bit messy. I've used the faucet twice and played one game, but I see four faucet usages and two games.

21 December 2013 22:22:56   0.00000100   Faucet
21 December 2013 22:23:25   0.00000100   Faucet
21 December 2013 22:24:28   0.00000100   Win
21 December 2013 22:22:56   0.00000100   Faucet
21 December 2013 22:23:25   0.00000100   Faucet
21 December 2013 22:24:28   0.00000100   Win

Same thing in game history

Paper, Rock, Scissors   21 December 2013 22:09:20   0.00000100   Won
Paper, Rock, Scissors   21 December 2013 22:09:20   0.00000100   Won

2.
In both game and transaction history I see "Showing 0 to 0 of 0 entries". There should be more than 0 entries.


I wish you great success. Keep up the good work.

That's strange that everything is duplicated on your account.  Can you let us know which browser you're using?  I'm guessing it's a client-side problem.  If possible, please email us your account id (your personalized url) to [email protected].
This also makes me realize that we need some way to identify accounts securely without asking folks for their account ID...

Thanks,
The MooCoin Team
legendary
Activity: 1512
Merit: 1000
Looks great, I see only two issues.

1.
Transaction and game history look a bit messy. I've used the faucet twice and played one game, but I see four faucet usages and two games.

21 December 2013 22:22:56   0.00000100   Faucet
21 December 2013 22:23:25   0.00000100   Faucet
21 December 2013 22:24:28   0.00000100   Win
21 December 2013 22:22:56   0.00000100   Faucet
21 December 2013 22:23:25   0.00000100   Faucet
21 December 2013 22:24:28   0.00000100   Win

Same thing in game history

Paper, Rock, Scissors   21 December 2013 22:09:20   0.00000100   Won
Paper, Rock, Scissors   21 December 2013 22:09:20   0.00000100   Won

2.
In both game and transaction history I see "Showing 0 to 0 of 0 entries". There should be more than 0 entries.


I wish you great success. Keep up the good work.
sr. member
Activity: 434
Merit: 250
keep up the good work :3
No problem, ethical hacking and security diagnostics are among my hobbies. I work on web development with a small team, and doing these kinds of things is also useful for me. I always learn new methods of security breaching and how to patch them, which is knowledge I can put into practice for my own work.
member
Activity: 112
Merit: 10
Do you moo?
I just tried cracking it and I can confirm that it is possible, yet very very complicated.
You can easily get the session secret by using AYAH.sessionSecret().value
(You should look into making variables use strict by placing the whole JavaScript inside a function. That will make variables not accessible from the console.)
Anyways, the correct validation is encrypted (which could be decrypted and a script elaborated to generate it); also, with a simple scanner I managed to know the AJAX calls needed in those games.
For the most part you are very secure. This captcha has many many levels of security and even DDoS protection on their websockets server (validated by session).
Still I recommend you to place a server-side cap after which you can no longer ask for BTC from the faucet.
As I already mentioned, the verification is actually on the client side and then the program sends a hashed string to the websockets server in order to verify the transaction (if the game is correct).
This can be automated and a skilled hacker could break this system in a couple of days.
The system is already pretty secure; a cap would make it infallible.

Aside, Are You A Human is not as aesthetic as the previous one, but it is way more secure, so good job on the change.

Wow.  Thank you for looking at it in such depth.
We actually have three levels of security on the server side.  We're happy to talk about them, unlike some websites, because we don't believe that keeping your security methods a "secret" is a legitimate way to secure your site.
1)  When the client solves the game, it generates a "solution" key.  We collect the solution key and send it to our server.  Our server then makes a call to the CAPTCHA server to make sure that the solution key is correct for the puzzle that we generated.  If so, we know at least that the person or bot correctly solved the captcha.  Hopefully it's hard to solve with a bot...
2)  We store the solution/session combo and only let it be used once.  This prevents replay attacks.
3)  We have a hard limit on the amount the faucet will produce in a given amount of time.  We also have code in place to limit velocity on a user-basis, but we haven't activated that yet. 

We're also going to do more rate limiting, but really really want to stay away from limiting the faucet based on your balance or legitimate solving speed.

Moo.
sr. member
Activity: 434
Merit: 250
I just tried cracking it and I can confirm that it is possible, yet very very complicated.
You can easily get the session secret by using AYAH.sessionSecret().value
(You should look into making variables use strict by placing the whole JavaScript inside a function. That will make variables not accessible from the console.)
Anyways, the correct validation is encrypted (which could be decrypted and a script elaborated to generate it); also, with a simple scanner I managed to know the AJAX calls needed in those games.
For the most part you are very secure. This captcha has many many levels of security and even DDoS protection on their websockets server (validated by session).
Still I recommend you to place a server-side cap after which you can no longer ask for BTC from the faucet.
As I already mentioned, the verification is actually on the client side and then the program sends a hashed string to the websockets server in order to verify the transaction (if the game is correct).
This can be automated and a skilled hacker could break this system in a couple of days.
The system is already pretty secure; a cap would make it infallible.

Aside, Are You A Human is not as aesthetic as the previous one, but it is way more secure, so good job on the change.
legendary
Activity: 1470
Merit: 1000
Want privacy? Use Monero!
- Fixed the captcha exploit.  Man it's hard to find a good captcha these days!  The effective ones are all really ugly and we don't want you guys dealing with ugly!  We implemented Are You A Human.  Please try to exploit it.  If you do, you can keep the BTC you get from the faucet!
I tried slickbot again and indeed, I cannot find a way to exploit the previous bug, congrats!!

Quote
- We left everyone's btc alone...even those people that exploited the faucet bug.  Because you earned it and helped us fix it.
2.5 mBTC were deducted from my account, but it doesn't matter, I wanted to help you guys.

Quote
- We went through some additional testing on Firefox and Chrome.  If you still see artifacts, let us know.
I still have a "mirrored" screen... Bug is still there... (Chrome)
Edit: I don't have the problem on IE.
full member
Activity: 123
Merit: 100
Looks good, I'm liking this more than satoshidice already.
member
Activity: 112
Merit: 10
Do you moo?
Will tetris battle be one of the games on offer?  I've been wanting to play that for BTC for soo long...

We're already working on our next game, and while we're doing that, we're solidifying the plugin architecture.  That will let other developers write their own game modules for MooCoin!  I'm not sure what the next game will be.  Maybe when we're ready, we'll make a poll and ask you guys and gals...

Thanks!
member
Activity: 112
Merit: 10
Do you moo?
Ok!  We're back online.

We've made a couple of changes to the site:
- Fixed the captcha exploit.  Man it's hard to find a good captcha these days!  The effective ones are all really ugly and we don't want you guys dealing with ugly!  We implemented Are You A Human.  Please try to exploit it.  If you do, you can keep the BTC you get from the faucet!
- We left everyone's btc alone...even those people that exploited the faucet bug.  Because you earned it and helped us fix it.
- We went through some additional testing on Firefox and Chrome.  If you still see artifacts, let us know.
- We added a little bit of mood lighting to the site.  Make sure you come back at different times of the day to check it out!

Thanks again, everyone.
The MooCoin Team
[email protected]
hero member
Activity: 882
Merit: 1000
Will tetris battle be one of the games on offer?  I've been wanting to play that for BTC for soo long...
full member
Activity: 141
Merit: 100
Hey everyone,
We're going to take the site down for about 24 hours to do some upgrades to the servers.

Thank you all for the help over the past few days.  We'll be back soon.

When we return, all of your accounts will be exactly as they are right now.

Thanks!
The MooCoin Team

Alright. Now that the Firefox glitch is fixed I'll be able to properly test it when it comes back online.
full member
Activity: 123
Merit: 100
Yeah, just noticed the site down. I was also using a macro guessing one answer every 5 sec. With 4 options, 25% odds, 20 sec avg. You can do the rest of the math. As the captcha was aesthetically pleasing, I don't think it will work long term. Just don't go too overboard. I struggle with some crazy ones occasionally. Love the interface now that Firefox is up. The cloud always wins, it beat Bill Gates into retirement.
member
Activity: 112
Merit: 10
Do you moo?
Hey everyone,
We're going to take the site down for about 24 hours to do some upgrades to the servers.

Thank you all for the help over the past few days.  We'll be back soon.

When we return, all of your accounts will be exactly as they are right now.

Thanks!
The MooCoin Team
member
Activity: 112
Merit: 10
Do you moo?
Hi All,
The captcha exploit is fixed.  I'd love if a couple of you could attack the server again and see if you can find a clever way to drain it of bitcoins!

Thanks for all of the help everyone,
The MooCoin Team
sr. member
Activity: 434
Merit: 250
Glad to hear that, some websites have captchas so difficult that I have to try a couple of times before getting them correct. And I'm not a robot D: !
member
Activity: 112
Merit: 10
Do you moo?
But SweetCaptcha is very aesthetic and user friendly. I really recommend you to keep it instead of using one of the well known ugly captchas. Implementing fixes for the problems reported in this thread shouldn't be hard at all.

I just tested it and made a bot capable of spamming the faucet with requests.
Kudos on the unconfirmed/confirmed system which slows down bots, yet I still think a server-side cap is necessary because I made BTC 0.001942 in like 10 minutes, which is more than 0.288 BTC/day out of a single machine.
This could hurt you a lot.
(I'm not going to withdraw this BTC; feel free to PM me and I'll give you the account's key so that you can delete the account.)


We've been looking at Are You A Human as the captcha.  We definitely aren't going to use something ugly.
AYAH has some problems loading via AJAX, so we may end up on a different solution.  In any case, we prioritize the user experience.  We aren't going to have you guys typing twisted words into little text boxes.
sr. member
Activity: 434
Merit: 250
Actually...

I discovered accidentally that when you click multiple times on "submit answer" you receive multiple payouts at once.
My brother said that he has a program called slickbot that can auto click a button.

So the system goes like this:
1) Find the correct answer manually
2) start the program (his default setting was 10000 clicks)
3) refresh the page when it "flips" (black page)
4) receive payout

He tested it and it resulted in payouts of 75 up to 350 uBTC.
I tested it also a few times.
And he probably told his friends...

The solution is just to impose a maximum of maybe 1 payout in a minute. Problem solved.
(because you still need to finish the captcha manually, and the "time window" for the 1000 clicks to occur is just a few seconds)

I do not want to be a jerk and want to help your project, so I tell you this.

Thanks for letting us know.  We're moving away from SweetCaptcha.  They just have too many problems for something like a faucet.  We'll have a new captcha up later today.

I appreciate you giving the details on what was happening.  It helped us understand what was happening.
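As an added example (not MooCoin's own code) of the three server-side checks the MooCoin reply describes (solution key verified against the CAPTCHA backend, each solution redeemed once, hard payout limit per time window) together with the per-account payout cooldown proposed in this thread as the fix for the multi-click payout, here is a faucet claim handler. The class, field names, thresholds and the `verify_solution` stand-in for the CAPTCHA server call are assumptions for illustration.

```python
from dataclasses import dataclass, field
from typing import Callable

@dataclass
class FaucetGuard:
    payout: int                 # satoshis paid per successful claim
    cooldown_s: float           # minimum seconds between payouts for one account
    window_s: float             # length of the global payout budget window
    window_cap: int             # most satoshis the faucet pays in one window
    verify_solution: Callable[[str], bool]  # stand-in for the call to the CAPTCHA server
    used: set = field(default_factory=set)         # solution keys already redeemed
    last_paid: dict = field(default_factory=dict)  # account -> time of last payout
    window_start: float = 0.0
    window_paid: int = 0

    def claim(self, account: str, solution: str, now: float) -> str:
        # 1) Ask the CAPTCHA backend whether this solution key really solves the puzzle.
        if not self.verify_solution(solution):
            return "bad_captcha"
        # 2) A solution key is redeemable once. A second submit of the same key
        #    (double-click, auto-clicker, replayed request) is refused, and the key
        #    is consumed even if a later check rejects it, so it cannot be retried.
        if solution in self.used:
            return "replay"
        self.used.add(solution)
        # 3) Per-account cooldown: at most one payout per cooldown_s seconds.
        last = self.last_paid.get(account)
        if last is not None and now - last < self.cooldown_s:
            return "cooldown"
        # 4) Hard limit on what the faucet pays out in one time window.
        if now - self.window_start >= self.window_s:
            self.window_start, self.window_paid = now, 0
        if self.window_paid + self.payout > self.window_cap:
            return "faucet_dry"
        self.window_paid += self.payout
        self.last_paid[account] = now
        return "paid"

def demo() -> list:
    # Constructed scenario (timestamps in seconds): an auto-clicker submits one
    # solved key five times within a second, the same account tries a fresh key
    # 30 s later, three accounts then claim 5 s apart, and a bogus key is sent last.
    guard = FaucetGuard(payout=100, cooldown_s=60, window_s=3600, window_cap=300,
                        verify_solution=lambda key: key.startswith("sol-"))
    out = [guard.claim("alice", "sol-1", now=1000.0 + i * 0.2) for i in range(5)]
    out.append(guard.claim("alice", "sol-2", now=1030.0))
    out += [guard.claim(f"bot{i}", f"sol-b{i}", now=2000.0 + 5 * i) for i in range(3)]
    out.append(guard.claim("carol", "bogus", now=2100.0))
    return out
```

Only the first of the five repeated submits pays out; the rest are refused as replays without any client-side help, and the window cap stops a multi-account bot once the faucet's budget for the period is spent.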
But SweetCaptcha is very aesthetic and user friendly. I really recommend you to keep it instead of using one of the well known ugly captchas. Implementing fixes for the problems reported in this thread shouldn't be hard at all.

I just tested it and made a bot capable of spamming the faucet with requests.
Kudos on the unconfirmed/confirmed system which slows down bots, yet I still think a server-side cap is necessary because I made BTC 0.001942 in like 10 minutes, which is more than 0.288 BTC/day out of a single machine.
This could hurt you a lot.
(I'm not going to withdraw this BTC; feel free to PM me and I'll give you the account's key so that you can delete the account.)