
Topic: TESTERS NEEDED (BTC-escrow Bank) - FREE BTC FOR TESTERS - page 2. (Read 6103 times)

vip
Activity: 1316
Merit: 1043
👻
umm actually there is a MySQL database attached. but the result from you accessing the admin page doesn't do anything
type this into google: "unauthorized access"

Love this line of text btw: Modified without permission

https://bitcointalksearch.org/topic/scammer-btc-escrow-bank-owes-me-20-btc-of-promised-pentesting-funds-206835
newbie
Activity: 42
Merit: 0
umm actually there is a MySQL database attached. but the result from you accessing the admin page doesn't do anything
vip
Activity: 1316
Merit: 1043
👻
mmm no that's not hacking, believe me, you cannot acutally create an account that way. give it a try
LOL, http://en.wiktionary.org/wiki/hacking

yes but the damage to the bank is???
Hacking doesn't have to result in damage, I don't hack to damage sites for example.

When you had hooked a mysql DB to it, then I could issue money, see user's details, etc etc etc.
sr. member
Activity: 471
Merit: 256
Interested in testing.
newbie
Activity: 42
Merit: 0
mmm no that's not hacking, believe me, you cannot acutally create an account that way. give it a try
LOL, http://en.wiktionary.org/wiki/hacking

yes but the damage to the bank is???
vip
Activity: 1316
Merit: 1043
👻
mmm no that's not hacking, believe me, you cannot acutally create an account that way. give it a try
LOL, http://en.wiktionary.org/wiki/hacking

You can't "acutally" (is that a mash of an acute angle and actually?) create an account because you haven't hooked a MySQL database to it.

You should probably pay me the 20 BTC you promised before I post in scammer accusations.
newbie
Activity: 42
Merit: 0
mmm no that's not hacking, believe me, you cannot acutally create an account that way. give it a try
vip
Activity: 1316
Merit: 1043
👻




20 BTC like you promised to 1GLadosEkeAsLReqS3yQ51E1R3wVtbJCDF please - everyone can see if you sent the coins or not.
vip
Activity: 1316
Merit: 1043
👻
ACTUALLY, I just hacked your bank.

20 BTC please, see next post for proof.
vip
Activity: 1316
Merit: 1043
👻
There's nothing to hack for btc-escrow.co/login because there are practically no attack vectors. When you've actually finished building something, come back (and get pwnt).

Correction: BTC-escrow Bank was using an off the shelf FOSS banking system or something Roll Eyes
vip
Activity: 1316
Merit: 1043
👻
I HACKED A BANK!!!1111



Learn what XSS is before you go launch your "BTC-escrow Bank"

no you hacked a MySQL databse. get it right.

Go try actually hack the bank by playing with the demo account my friend.

http://btc-escrow.co/login

User - demo
pass - demo

if you can do some damage, then I'll pay you 20 bitcoins straight off.


What is a databse  Huh Huh Huh
newbie
Activity: 42
Merit: 0
I HACKED A BANK!!!1111

https://i.imgur.com/Gn2nMjv.png

Learn what XSS is before you go launch your "BTC-escrow Bank"

no you hacked a MySQL databse. get it right.

Go try actually hack the bank by playing with the demo account my friend.

http://btc-escrow.co/login

User - demo
pass - demo

if you can do some damage, then I'll pay you 20 bitcoins straight off.

vip
Activity: 1316
Merit: 1043
👻
TF's checklist for what to do before launching a bank:

1) Don't call yourself a bank
2) Learn to program
3) Learn web security
4) Draft your bitcoin storage plan
5) Discuss the plan with bitcoin experts
6) Code your site
7) Launch with logging of every single activity
8) Hire multiple (at least 3) different pentesters or a respected firm
9) ???
10) You probably didn't even read this far.

7 is important, because that's how I caught a pentester keeping an XSS vuln for themselves.
vip
Activity: 1316
Merit: 1043
👻
I HACKED A BANK!!!1111



Learn what XSS is before you go launch your "BTC-escrow Bank"

Re: free btc for testers: I just pointed out a bunch of horrible security practices as well as an XSS vulnerability.  Addr: 1GLadosEkeAsLReqS3yQ51E1R3wVtbJCDF

Also, delete my account.
newbie
Activity: 42
Merit: 0
[email protected] via sg2nlhg076.shr.prod.sin2.secureserver.net

Godaddy lol

Quote
Hello Freddie. Your account is now pending approval by the website administrator. You will be notified when your account is approved.

You submitted the following:
Name: Freddie May
Email: [email protected]
Username: gladoscc
Password: [PLAINTEXT]

Thanks,
Admin

I thought you honestly couldn't be doing any more things wrong, but this:

Quote
Hello Freddie. Someone has requested that we send you your account username and password.

Username: gladoscc
Password: [PLAINTEXT]

Best Regards,
Administrator

Go read every single fucking word on this page and come back after two years of having built real world applications: https://www.owasp.org/index.php/Category:OWASP_Guide_Project

this is only the beta registration portal. and is no way linked to the core banking system.
The registration page is actually a third party app not designed by us. we just use it for the time being to keep the beta testers separate from the standard database.
You are storing passwords in plaintext. I don't care if it is not developed by you, it still interlaces with your database and you are storing passwords in plaintext (shown by the fact that you can retrieve it).

The fact that you are also using shoddy third party apps and a website builder for your homepage means.. you're not competent enough for anything.

Please delete my account by the way.

for my home page? a website builder? in fact you're quite a bit off there my friend.

In fact the home page is a modular website. There is no direct access to any database.
vip
Activity: 1316
Merit: 1043
👻
[email protected] via sg2nlhg076.shr.prod.sin2.secureserver.net

Godaddy lol

Quote
Hello Freddie. Your account is now pending approval by the website administrator. You will be notified when your account is approved.

You submitted the following:
Name: Freddie May
Email: [email protected]
Username: gladoscc
Password: [PLAINTEXT]

Thanks,
Admin

I thought you honestly couldn't be doing any more things wrong, but this:

Quote
Hello Freddie. Someone has requested that we send you your account username and password.

Username: gladoscc
Password: [PLAINTEXT]

Best Regards,
Administrator

Go read every single fucking word on this page and come back after two years of having built real world applications: https://www.owasp.org/index.php/Category:OWASP_Guide_Project

this is only the beta registration portal. and is no way linked to the core banking system.
The registration page is actually a third party app not designed by us. we just use it for the time being to keep the beta testers separate from the standard database.
You are storing passwords in plaintext. I don't care if it is not developed by you, it still interlaces with your database and you are storing passwords in plaintext (shown by the fact that you can retrieve it).

The fact that you are also using shoddy third party apps and what looks like a website builder for your homepage means.. you're not competent enough for anything.

Please delete my account by the way.
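
Added example (not part of any post in this thread, and not the site's code): the post above infers plaintext storage from the fact that the site can mail the password back. This Python sketch shows the alternative, with salted scrypt digests at registration and a one-time, expiring reset token in place of password retrieval. The in-memory `users` and `resets` tables, the cost parameters and the 15-minute lifetime are assumptions made for the illustration.

```python
import hashlib
import hmac
import secrets
import time

# scrypt cost parameters: assumed values for this example, tune per deployment
SCRYPT = dict(n=2**14, r=8, p=1, dklen=32)
RESET_TTL = 15 * 60  # seconds a reset token stays valid (assumed policy)
users = {}   # username -> (salt, scrypt digest); stands in for the users table
resets = {}  # sha256(token) -> (username, expiry); the raw token is never stored


def set_password(username, password):
    """Store a fresh per-user salt and the scrypt digest, never the password."""
    salt = secrets.token_bytes(16)
    users[username] = (salt, hashlib.scrypt(password.encode(), salt=salt, **SCRYPT))


def register(username, password):
    set_password(username, password)
    # The confirmation mail carries no credential.
    return f"Hello {username}. Your account is now pending approval."


def verify(username, password):
    if username not in users:
        return False
    salt, stored = users[username]
    candidate = hashlib.scrypt(password.encode(), salt=salt, **SCRYPT)
    return hmac.compare_digest(candidate, stored)  # constant-time comparison


def request_reset(username, now=None):
    """Return a one-time token to mail out; the old password cannot be recovered."""
    if username not in users:
        return None  # caller should show the same response either way
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    resets[hashlib.sha256(token.encode()).digest()] = (username, now + RESET_TTL)
    return token


def complete_reset(token, new_password, now=None):
    now = time.time() if now is None else now
    entry = resets.pop(hashlib.sha256(token.encode()).digest(), None)  # single use
    if entry is None or now > entry[1]:
        return False
    set_password(entry[0], new_password)
    return True
```

A database dump from this design yields salts, digests and token hashes, none of which can be mailed back to a user as a working password.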
newbie
Activity: 42
Merit: 0
[email protected] via sg2nlhg076.shr.prod.sin2.secureserver.net

Godaddy lol

Quote
Hello Freddie. Your account is now pending approval by the website administrator. You will be notified when your account is approved.

You submitted the following:
Name: Freddie May
Email: [email protected]
Username: gladoscc
Password: [PLAINTEXT]

Thanks,
Admin

I thought you honestly couldn't be doing any more things wrong, but this:

Quote
Hello Freddie. Someone has requested that we send you your account username and password.

Username: gladoscc
Password: [PLAINTEXT]

Best Regards,
Administrator

Go read every single fucking word on this page and come back after two years of having built real world applications: https://www.owasp.org/index.php/Category:OWASP_Guide_Project

this is only the beta registration portal. and is no way linked to the core banking system.
The registration page is actually a third party app not designed by us. we just use it for the time being to keep the beta testers separate from the standard database.
vip
Activity: 1316
Merit: 1043
👻
Not only that but you used what looks to be a website builder to create your main site which crashes when a page does not exist:

Quote
This page does not exist
Please go back to your accounts page

... missing closing body/html tags, meaning your PHP has crashed. Is this seriously GoDaddy's website builder?
vip
Activity: 1316
Merit: 1043
👻
Quote
Internal Server Error

The server encountered an internal error or misconfiguration and was unable to complete your request.

Please contact the server administrator and inform them of the time the error occurred, and anything you might have done that may have caused the error.

More information about this error may be available in the server error log.
Apache Server at btc-escrow.co Port 80


© BTC Escrow Bank, 2008

Your source code also uses tables.. This isn't the Geocities era.
vip
Activity: 1316
Merit: 1043
👻
[email protected] via sg2nlhg076.shr.prod.sin2.secureserver.net

Godaddy lol

Quote
Hello Freddie. Your account is now pending approval by the website administrator. You will be notified when your account is approved.

You submitted the following:
Name: Freddie May
Email: [email protected]
Username: gladoscc
Password: [PLAINTEXT]

Thanks,
Admin

I thought you honestly couldn't be doing any more things wrong, but this:

Quote
Hello Freddie. Someone has requested that we send you your account username and password.

Username: gladoscc
Password: [PLAINTEXT]

Best Regards,
Administrator

Go read every single fucking word on this page and come back after two years of having built real world applications: https://www.owasp.org/index.php/Category:OWASP_Guide_Project