Board: Gambling
Topic: Re: DaDice.com - Next Generation Social Gambling Dice Experience
Post by dadice_dev on 05/06/2015, 07:32:49 UTC
When somebody says they were able to "Hack DaDice" and/or penetrate through Da Dice system/servers = Wrong!

I am not trying to intimidate our dear "exploiters" here but I must admit chats and broadcasts running through socket service (which is totally independent in its operation, and anyone who has been to Da Dice once is the witness to this that whole system keeps working even without those services) is perhaps the only vulnerable area of Da Dice gameplay interface, and why would we mind "almost free" security checks in first place?

I mean every decent website has a "whitehat bug bounty program", so does Da Dice! Only if they reported it to support without exploiting it, they deserved a reasonable reward for it; nevertheless, that is not their agenda! They want to spread fear and disturbance to back up all the FUDs right here.

Unlike all other dice sites, Da Dice is unique and has far more number of features and interfaces within our main gameplay interface and we claim that we are still evolving into something even better.

Anyway, all this happened this time because our socket script didn't sanitize some data (background variables, exploited from console) which was sent along with chat messages or other online/offline commands. Of course it took exploiter a considerable amount of time to write infectious code (2 days is it?) and successfully broadcast it to users. Of course bodgybrothers is our exploiter here who curiously had been asking about "hi!" alert dialog, but this time we had a serious misjudgment and thus we let this happen. Between, we have been busy with a major update to Da Dice as well which will be announced later today.

If we only notice the time difference between last attack on chat and this one (which I agree is more serious), and all the logs/events we monitor everyday, it's very clear that someone has been financing our exploiters lately. There are few other people too who found bugs and were paid from our bounty program, I recommend they do the same since there is a possibility we might pay you better than what they can afford :)

Interestingly the site does not use even basic protections like setting the session cookies to HttpOnly, which would have made it trivial to have harvested and saved all users session ids (as simple as: document.cookies) to save to for withdrawing funds

Anyone still using this site has been warned that most 12 year olds code better sites.

I am afraid but you were also right. This is a server side configuration and we had this in place until our last crash and then server rebuild during 100m event. Since Da Dice operated on dedicated servers, all these configurations are set globally from top instead of setting them on run-time. We overlooked this setting but it has now been corrected! Thank you for pointing it out, Attack Dog Jerry :)
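
The two fixes discussed in this post, as an added example that is not part of the original post and is not Da Dice's code: a socket chat frame is reduced to an allowlist of validated, HTML-escaped fields before broadcast, and the session cookie is issued with HttpOnly. The field names, length limits, cookie name `sid` and the sample frame are assumptions made for illustration.

```javascript
// Added illustration; schema, limits and cookie name are hypothetical.
const ALLOWED_FIELDS = { user: 32, text: 500 }; // field name -> max length

const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;', '`': '&#96;',
};

function escapeHtml(value) {
  return value.replace(/[&<>"'`]/g, (ch) => HTML_ESCAPES[ch]);
}

// Returns a clean object that is safe to broadcast, or null if the frame must be dropped.
function sanitizeChatFrame(raw) {
  let msg;
  try {
    msg = JSON.parse(raw);
  } catch {
    return null; // not JSON at all
  }
  if (msg === null || typeof msg !== 'object' || Array.isArray(msg)) return null;
  const clean = {};
  for (const [field, maxLen] of Object.entries(ALLOWED_FIELDS)) {
    const value = msg[field];
    // Reject wrong types and oversized values instead of trying to repair them.
    if (typeof value !== 'string' || value.length === 0 || value.length > maxLen) return null;
    clean[field] = escapeHtml(value);
  }
  return clean; // any extra "background" variables in the frame are never copied
}

// Builds the Set-Cookie value; HttpOnly keeps the id out of reach of page scripts.
function sessionCookieHeader(sessionId) {
  if (!/^[A-Za-z0-9_-]{16,128}$/.test(sessionId)) throw new Error('bad session id');
  return `sid=${sessionId}; Path=/; HttpOnly; Secure; SameSite=Strict`;
}

// Constructed sample frame: markup in the text plus an unexpected extra field.
const SAMPLE_FRAME = JSON.stringify({
  user: 'alice',
  text: '<script>alert("hi!")</script>',
  bg: 'unexpected background variable',
});

console.log(sanitizeChatFrame(SAMPLE_FRAME));
console.log(sessionCookieHeader('abcdefghijklmnop1234'));
```
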