Topic: [WARNING] Wolf.bet security is bad (Read 233 times)

newbie
Activity: 15
Merit: 0
December 29, 2019, 03:31:00 PM
#9
There is a similar problem on almost every site.
I have only come across encryption on bc.game/nanogames.io.

This is what the primedice authorization looks like:

[{"operationName":"RequestLoginUserMutation","variables":{"name":"user","password":"password","captcha":"RECAPTCHA_RESPONCE"},"query":"mutation RequestLoginUserMutation($name: String, $email: String, $password: String!, $captcha: String) {\n  requestLoginUser(name: $name, email: $email, password: $password, captcha: $captcha) {\n    loginToken\n    hasTfaEnabled\n    user {\n      id\n      name\n      __typename\n    }\n    __typename\n  }\n}\n"}]
legendary
Activity: 2016
Merit: 1107
December 29, 2019, 03:22:36 PM
#8
You should message their admin, you will probably get rewarded if it is a security issue they overlooked.
I wonder how on earth you were the first one to discover it.
Did you manage to hack one of the accounts too? Maybe it is not as bad as you are describing it.
Wolf.bet is already a few months old, they should be taking security risks seriously.
If your account is not safe there, use 2FA or even consider playing elsewhere until it is fixed.
Let's see if the admin says something about it.
legendary
Activity: 1624
Merit: 1007
December 29, 2019, 03:03:54 PM
#7
Since you're not jr. member rank yet, I'll quote your post to show the images you provided, to warn those who use this site. You did a good job sharing this vital information that this site doesn't have tight security and may get hacked if action is not taken. Many people who have already been using this site might lose their money.
And I just found a way to withdraw BTC, their security is very bad

I would like to say I'm shocked, but security in the crypto gambling space really has been whack since the beginning. This, however, is bad beyond that lmao
sr. member
Activity: 567
Merit: 270
December 29, 2019, 02:56:35 PM
#6
I have posted this on the wolf.bet ANN thread, and just in case you haven't reported it to their support yet, they would see it from their ANN thread and tackle the issue before it actually becomes an issue. You can see my report here: https://bitcointalksearch.org/topic/m.53473402
hero member
Activity: 2268
Merit: 669
Bitcoin Casino Est. 2013
December 29, 2019, 02:54:16 PM
#5
It's unclear from your post but I'm hoping you went directly to their support before posting here. I say this as it doesn't appear to be a malicious step on their part, so warning them to protect their user base first is paramount, followed by posting here to warn users directly.

I have to admit I only get what you did at a surface level, but if you didn't notify Wolf.bet first then you could also be exposing their user base to risk should one of the many shady characters here decide to use your post as a roadmap.
I agree that letting wolf.bet know first should be the priority before sharing this problem with everyone. As Steamtyme said, it is possible that hacking wolf.bet might happen (who knows) to them, and many more users will be at risk because of this post you have if shady people use this opportunity.

And I just found a way to withdraw BTC, their security is very bad
Did you contact their support team before posting this info?
legendary
Activity: 1554
Merit: 2037
December 29, 2019, 02:42:16 PM
#4
It's unclear from your post but I'm hoping you went directly to their support before posting here. I say this as it doesn't appear to be a malicious step on their part, so warning them to protect their user base first is paramount, followed by posting here to warn users directly.

I have to admit I only get what you did at a surface level, but if you didn't notify Wolf.bet first then you could also be exposing their user base to risk should one of the many shady characters here decide to use your post as a roadmap.
newbie
Activity: 22
Merit: 0
December 29, 2019, 02:01:30 PM
#3
Since you're not jr. member rank yet, I'll quote your post to show the images you provided, to warn those who use this site. You did a good job sharing this vital information that this site doesn't have tight security and may get hacked if action is not taken. Many people who have already been using this site might lose their money.
And I just found a way to withdraw BTC, their security is very bad
hero member
Activity: 2268
Merit: 669
Bitcoin Casino Est. 2013
December 29, 2019, 10:32:34 AM
#2
I'm here to warn everyone that WOLF.Bet's security is NOT GOOD.

When logging in the site connects to this url
https://wolf.bet/api/v1/login
it sends this json payload {"login":"User","password":"Pass"}


As you can see, they have no tokens, no password encryption.
You can crack accounts very easy using Openbullet or programs alike.
I made a working account cracker < 3 minutes.

However, their API is private which is somewhat good I suppose and when I tried making my program withdraw I got unauthorized but I am sure if I spent more than 5 minutes I could automatically make it withdraw to my BTC address.

To wolf.bet:
- Add Recaptcha to your site
- Encrypt passwords before they get sent to your server
- use CSRF tokens, etc. (these are quite useless but they help somewhat)
Since you're not jr. member rank yet, I'll quote your post to show the images you provided, to warn those who use this site. You did a good job sharing this vital information that this site doesn't have tight security and may get hacked if action is not taken. Many people who have already been using this site might lose their money.
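Editor's added example (not part of any post in this thread, and not wolf.bet's code): the report quoted above describes automated login attempts against /api/v1/login with no captcha in the way. One server-side way to spot that pattern is to count, per source IP, the distinct logins and the failures seen inside a short sliding window. The event tuple format, the thresholds and the sample events are assumptions constructed for illustration.

```python
from collections import defaultdict, deque

# Assumed thresholds; tune against real traffic.
WINDOW_SECONDS = 60       # sliding window per source IP
MAX_DISTINCT_LOGINS = 3   # distinct account names tried inside the window
MAX_FAILURES = 5          # failed attempts inside the window

# Constructed sample events for POST /api/v1/login:
# (unix_time, source_ip, login, success)
SAMPLE_EVENTS = [
    (1000, "203.0.113.7", "alice", False),
    (1002, "203.0.113.7", "bob", False),
    (1004, "203.0.113.7", "carol", False),
    (1006, "203.0.113.7", "dave", False),
    (1001, "192.0.2.10", "frank", False),   # one typo, then success
    (1009, "192.0.2.10", "frank", True),
    (1000, "192.0.2.20", "u1", False),      # slow: never two in one window
    (1100, "192.0.2.20", "u2", False),
    (1200, "192.0.2.20", "u3", False),
    (1300, "192.0.2.20", "u4", False),
] + [(1010 + 5 * i, "198.51.100.2", "erin", False) for i in range(6)]


def find_suspicious_sources(events, window=WINDOW_SECONDS,
                            max_logins=MAX_DISTINCT_LOGINS,
                            max_failures=MAX_FAILURES):
    """Return {ip: reason} for sources whose login pattern looks automated."""
    recent = defaultdict(deque)  # ip -> events still inside the window
    flagged = {}
    for ts, ip, login, ok in sorted(events):
        q = recent[ip]
        q.append((ts, login, ok))
        while q[0][0] <= ts - window:   # drop events older than the window
            q.popleft()
        distinct = {name for _, name, _ in q}
        failures = sum(1 for _, _, success in q if not success)
        if len(distinct) > max_logins:
            flagged.setdefault(ip, "many distinct logins")
        elif failures > max_failures:
            flagged.setdefault(ip, "repeated failures")
    return flagged


if __name__ == "__main__":
    for ip, reason in find_suspicious_sources(SAMPLE_EVENTS).items():
        print(ip, reason)
```

Per-IP counting misses attempts spread across many addresses, so the same counters keyed by login name are a useful companion.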
newbie
Activity: 22
Merit: 0
December 29, 2019, 10:17:11 AM
#1
FIXED