Re: MagicalDice - Need beta testing [Bounty for bugs]
by lyco on 30/08/2015, 15:49:13 UTC

troubleshooting target: fountain (for abuse potential)
exploit found: captcha bypass assuming 0 balance

with any of the three adblock extensions enabled, the captcha is checked after simply clicking (no selecting images) so long as the balance is 0 - this enables me to use autokey (autohotkey on windows) to continually, through automated click events, claim 500 satoshi and bet it at an absurd multiplier until i essentially steal 55k satoshi by recording a few mouse click events and retiring to the opium den until autokey alerts me that i've succeeded in ripping off your fountain.

http://i.imgur.com/NtI5OnC.png

(difficult to take a screenshot of something NOT happening, but all i have to do is click the human verification and it accepts as if i had completed a captcha, then allows me to claim)

note that once the balance is over 0 the captcha modal window does appear and does not award additional coin upon completion. it simply allows for an automation scheme if the user bets all 500 satoshi at 1% odds / 99x multiplier.

software tech specs: debian-ish linux running chromium/webkit-based browser using stock adblock plus extension out of chrome app store

ok!

- Lyco / user "harlequence" on magicaldice
- Joshua Ryan Nydel - nydel at ma dot sdf dot org for mail

That is with reCaptcha. That is completely not related to the site. Cool

Oh wow, this is necessary? Ok:

While aware that a third-party captcha service is being used, the site's design to award 500 satoshi to anyone with a balance of 0 presents a unique risk.

Since the third-party service is in fact very much related to the site, and the exploit cannot happen without the site's design in relation to the captcha service's problem, we are left with two options:

1) Do something to make sure nobody's using this exploit.
2) Tell Lyco that this is an issue "completely not related to this site" and make him write this, then do #1 anyway.

ok!

- Lyco / user "harlequence" on magicaldice
- Joshua Ryan Nydel - nydel at ma dot sdf dot org for mail
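The server-side checks that close the loop described in the report above (captcha result verified on the server rather than trusted from the widget, a per-account claim cooldown, and a detector for the claim / all-in-bet cycle), as an added Python example that is not MagicalDice's own code; the cooldown value, the event tuple format and the sample log are assumptions.

```python
from collections import defaultdict, deque

FAUCET_AMOUNT = 500        # satoshi per claim, as stated in the report
CLAIM_COOLDOWN_S = 3600    # assumed per-account cooldown, not the site's real value

class Faucet:
    """Server-side claim handler. verify_captcha stands in for a call to the captcha
    provider's verification endpoint; a widget that merely reports 'passed' in the
    browser is never trusted on its own."""
    def __init__(self, verify_captcha):
        self.verify_captcha = verify_captcha
        self.balances = defaultdict(int)
        self.last_claim = {}

    def claim(self, user, captcha_token, now):
        if self.balances[user] != 0:
            return "denied: balance not zero"
        if not self.verify_captcha(captcha_token):
            return "denied: captcha failed"
        prev = self.last_claim.get(user)
        if prev is not None and now - prev < CLAIM_COOLDOWN_S:
            return "denied: cooldown"
        self.last_claim[user] = now
        self.balances[user] += FAUCET_AMOUNT
        return "ok"

    def bet(self, user, amount):
        if amount > self.balances[user]:
            return "denied: insufficient balance"
        self.balances[user] -= amount   # a losing bet returns the account to 0
        return "ok"

def flag_faucet_cyclers(events, window_s=600, max_claims=2):
    """events: (ts, user, kind, amount) tuples, kind in {'claim', 'bet'}. Flags users
    with more than max_claims claims inside window_s, each followed by an all-in bet."""
    recent, pending, flagged = defaultdict(deque), {}, set()
    for ts, user, kind, amount in sorted(events):
        if kind == "claim":
            pending[user] = ts
        elif kind == "bet" and amount == FAUCET_AMOUNT and user in pending:
            q = recent[user]
            q.append(pending.pop(user))
            while q and ts - q[0] > window_s:
                q.popleft()
            if len(q) > max_claims:
                flagged.add(user)
    return flagged

# Constructed sample log: "bot" loops claim / all-in bet every 40 s, "alice" does not.
SAMPLE_EVENTS = ([(t, "bot", "claim", 500) for t in range(0, 200, 40)]
                 + [(t + 5, "bot", "bet", 500) for t in range(0, 200, 40)]
                 + [(0, "alice", "claim", 500), (30, "alice", "bet", 100)])
```

Running `flag_faucet_cyclers(SAMPLE_EVENTS)` over the constructed log flags only `bot`; the `Faucet` handler refuses a claim whose token fails server-side verification and one made inside the cooldown even when the balance is back at 0.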