- NOTE: The following contains instructions that may violate the mintshot TOS; anything you do is your own fault.
- This is being posted so that the public can see how badly written mintshot is, which will hopefully kick the developers into fixing it so that those people who enjoy watching ads can get paid for it (I’m not one of them).
- Mintshot is a poorly coded, insecure and easy to cheat website.
- The level of security shown on the site makes me worry for the future of web development.
- The security problems detailed in this post allow users to gain more m$ (the currency on the website) than they should be able to, thereby giving them an unfair advantage over the people who use the site legitimately.
- Layman’s version: People can cheat on mintshot and get more money than you. This will let them win every auction and get all the prizes!
- Background
- You can skip this section if you know what mintshot is.
- Recently Mark Ellis launched the site mintshot.co.nz.
- The site allows users to watch ads in exchange for “mintshot$” (m$); these m$ can then be used to bid on auctions for prizes.
- The ads are worth varying amounts of m$:
- * Platinum: 200
- * Gold: 100
- * Silver: 50
- There are a limited number of ads on the site for viewing at a time; these are refreshed every ~9 days to allow people to get more m$.
- There are other ways to increase your m$:
- * Invite friends to Mintshot (Processed daily)
- * Link to Mintshot (Processed manually?)
- * Recommend brands / “Play the People” questions (Processed manually?)
- * Play the people (Game) (Processed daily?)
- * Cheat the ads (More on this later :P )
- “Play the People” (PTP) is a public opinion poll game where you choose a percentage of agree/disagree between 2 opinions, for example: “Is breastfeeding babies in public OK? Yes / No”, and “bet” how much you think you are right. Then if you get it right (based on the average of the given opinions?) you are rewarded with some multiple of how much you bet. (Some people who have won at PTP.)
- (I haven’t messed with PTP so I don’t have a further breakdown. I would not be surprised if there is no bounds checking on the value you can bet, but as it is not active at the moment I cannot test).
- There is a bit of a description of how scoring in PTP works over here on nzrealitytv.com.
- The story so far / Notes
- There was previously a “Mint tick Auction game” where instead of bidding money you would play a game that seemed to be completely controlled by random chance. If you got a higher score than the current leader you would become the new leader and so on. It didn’t take long for people to start abusing this: NZ Herald Link.
- I’m not sure how this was done as I didn’t play with it. If you know then drop me an email and I’ll add it here.
- I’m not the only one out there who has poked at the security of mintshot.
- mintshot is built on Joomla. [Originally the “Unable to connect to DB” page was unskinned]
- This means that it is PHP based with a MySQL backend.
- It would appear mintshot was created by a team in India. (Source). How’s that outsourcing working for you, Mark? Looks like you get what you pay for.
- There is bad grammar throughout the site and the HTML comments. (Not that I’m saying mine is perfect, but theirs should be a lot better than it is!)
- There is a bunch of unused JavaScript and code comments across the site that the public shouldn’t be able to see.
- Example:
- /* function onPlay(clip){ alert("hellllo"); } */
- Seriously, guys… get rid of the debug code before pushing something live!
- It would appear that at one stage users were going to be given discount vouchers for watching ads. (JavaScript code still exists to do this.)
- Shouts out to gopi and Teju, whose names appear in the code. :-)
- Flaws (The juicy stuff)
- You are going to need HTML/forms knowledge to fully understand this section. JavaScript knowledge would be good too!
- The mintshot site is very public with its form values; what does this mean for you?
- Well first, this is the process of watching an ad (General case, there are variations of this):
- 1. User opens the page to view the ad
- 2. User clicks play on the video
- 3. When the video finishes playing, the Flash applet makes the answer box visible and positions it in place of the video
- 4. The user chooses an answer (Usually from a <select> list) and submits the form
- 5. If the user gets it right they are awarded m$; if not, they can just choose a new answer and try again without watching the video again
- Infinite Money
- Now, let’s see if we can save some time. Personally I don’t feel like actually watching the ads, so let’s see if we can skip that. This is easily done, as the HTML for the form is always in the page; it is just hidden.
- Bookmarklet to achieve this (create a bookmark with this as the URL and click it):
- javascript:void(document.getElementById('questdiv').style.display='');
- Security hole: There is no enforcement of watching the ad. Would the advertisers like this? I don’t think they would!
- Potential fix: Don’t send the question HTML to the browser until after the video has been watched, or make the question part of the Flash applet. Reverse engineering Flash is slightly more difficult than playing with HTML, but only slightly: anything that runs in the client can be inspected and modified, so the server still has to decide for itself whether the ad was watched (for example, by recording when it served the video and refusing answers that arrive sooner than the video’s length). (I’m actually a bit clueless on this one, this is sort of a fundamental flaw in the website which is difficult to fix)
- Great, that’s a good start, saves me watching those damn ads!
- But now I don’t know the answer…. well I could just guess, but lets see if we can be smarter.
- If you jump into the code for the page and look at the <input> fields, you’ll find one called “correctanswer1”, and it contains… the correct answer!
- Well, we may as well alert ourselves the correct answer…. (you could be smarter here and fill in the answer, I’ll leave that up to the reader)
- javascript:alert(document.getElementById('correctanswer1').value);
- Security hole: The user is told the correct answer and as such does not need the knowledge that watching the ad provides.
- Why the hell does the user get told this in the first place? Seriously, this is shoddy coding at its finest.
- Fix: Don’t tell the user the correct answer, they don’t need to know it!
- Bonus points: when you submit this form, the value of correctanswer1 is compared to the answer you give, so if you change its value you can have lots of fun!
- “What ailment can not be underestimated?”
- Correct answer: “Stupidity”
- Awesome :-)
- Great, if we put these together with a bit of smarts, we can come up with a bookmarklet that skips the video, fills in the answer and submits the form, all in a single button click…. You can do the legwork on that one :P
- However, this only gives us as much money as everyone else who legitimately watches all the ads; that’s no good!
- Hhhmmm… Let’s take another look at those form values.
- Oh look at that, there is one that specifies the value of the question you are answering:
- <input id="type" type="text" value="platinum" name="type"/>
- mintshot has been overly trusting of my form values so far, will it stop here?….. of course not!
- When submitting any question, you get to specify its value, change this to your choice of “platinum”, “gold” or “silver” to get 200, 100 or 50 m$ respectively.
- Security hole: mintshot allows the user to change the value of an ad.
- This should never have been an input value… this is another example of shoddy coding.
- Fix: Get rid of this form value; the m$ value of an ad can be looked up from its id in the database. If you are scared of the tiny extra database load this will cause, then investigate memcached or something similar.
- Awesome, now I can get more money than everyone else can by watching ads. But this still isn’t infinite money, we’re going to have to go a step further for that!
- Jump back into those form values, there are a few suspicious ones…
- itemid - seems to be the id that corresponds to the provider of the ad you are watching. Changing it changes what shows up in your “My Earnings” list. Invalid ones work but leave a blank entry in the list.
- userid - seems to be the userid of the company this ad is for, haven’t played with it.
- quesid1 - A unique value that seems to correspond to the question you are answering (Question != ad). Submitting different ones allows you to answer more questions than exist, letting you get lots of m$.
- Security Hole: There is no (or very, very minimal) constraint checking in the mintshot backend: you can answer questions that don’t exist for companies that don’t exist and mintshot will gladly award you m$ for it!
- Fix: Put in some constraint checking. Foreign keys are your friends, and if you are using MySQL with MyISAM tables (instead of InnoDB) then you will have to code these checks yourself, because MyISAM accepts FOREIGN KEY clauses but does not enforce them. You should be doing those checks in the application anyway!
- Alright, so changing the quesid1 will allow us to get as much m$ as we want, so how do we automate this?
- Well, you could make a bookmarklet to change it and manually submit a bunch of forms.
- Or you could do a packet capture when you answer a question then write an application to automatically re-submit the form with a different quesid1 each time, giving you as much m$ as you want! (This is the path I took, it worked well)
- That is enough details on this, I’m not going to share my code to do it as this is a technical overview and not a “HOW TO CHEAT MINTSHOT” guide.
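To make the fixes above concrete, here is an added example (not mintshot’s code, and not the author’s) of the ad-answer handler as the post describes it, beside a hardened version that takes only quesid1 and the chosen answer from the client and looks everything else up server-side. It covers the correctanswer1 leak, the client-supplied “type”, and the missing quesid1/itemid constraint checking in one place. The table shapes, function names, the “served at” timestamp check and the 30-second video length are assumptions for illustration; the m$ values are the ones given in the post.

```javascript
// Added example, not mintshot's code: the ad-answer handler as the post describes
// it (trusting every hidden field) beside a hardened version that takes only the
// question id and the chosen answer from the client. Table shapes, names and the
// "served" timestamp check are assumptions; the m$ values are the post's.
const AD_VALUES = { platinum: 200, gold: 100, silver: 50 };

// Constructed sample data standing in for the MySQL tables: one company, one
// silver ad with a 30-second video, one question belonging to that ad.
function newDb() {
  return {
    ads: { 7: { company: 3, type: "silver", durationMs: 30_000 } },
    questions: { 41: { adId: 7, correctAnswer: "Stupidity" } },
    served: new Map(), // "userId:adId" -> time the video was served (assumption)
    earnings: [],      // rows behind the "My Earnings" list
    balance: {},
  };
}

// The server records when it handed the video to a user. The client never
// reports "finished"; it just cannot answer sooner than the video length.
function serveAd(db, userId, adId, now) {
  if (!db.ads[adId]) throw new Error("no such ad");
  db.served.set(`${userId}:${adId}`, now);
}

function credit(db, userId, quesId, company, amount) {
  db.earnings.push({ user: userId, quesid: quesId, itemid: company, amount });
  db.balance[userId] = (db.balance[userId] || 0) + amount;
  return { awarded: amount };
}

// Vulnerable handler (reconstruction of the behaviour the post describes):
// compares the client's own correctanswer1, pays out whatever "type" says,
// for whatever quesid1/itemid the client sends.
function vulnerableAnswer(db, session, form) {
  if (form.answer1 !== form.correctanswer1) return { awarded: 0, reason: "wrong answer" };
  return credit(db, session.userId, form.quesid1, form.itemid, AD_VALUES[form.type] || 0);
}

// Hardened handler: the only client inputs used are quesid1 and answer1; the
// ad, its value, the correct answer and the company all come from the server.
function hardenedAnswer(db, session, form, now) {
  const quesId = Number(form.quesid1);
  const q = db.questions[quesId];
  if (!q) return { awarded: 0, reason: "no such question" }; // what a foreign key would enforce
  const ad = db.ads[q.adId];
  if (!ad) return { awarded: 0, reason: "question has no ad" };
  const servedAt = db.served.get(`${session.userId}:${q.adId}`);
  if (servedAt === undefined || now - servedAt < ad.durationMs) {
    return { awarded: 0, reason: "ad not watched" };
  }
  if (db.earnings.some((e) => e.user === session.userId && e.quesid === quesId)) {
    return { awarded: 0, reason: "already paid for this question" }; // stops replaying one ad thousands of times
  }
  if (form.answer1 !== q.correctAnswer) return { awarded: 0, reason: "wrong answer" };
  return credit(db, session.userId, quesId, ad.company, AD_VALUES[ad.type]);
}

// The tampered request from the post: made-up question and company ids, type
// bumped to platinum, correctanswer1 overwritten so any answer "matches".
const TAMPERED = { quesid1: "9999", itemid: "555", type: "platinum",
                   correctanswer1: "x", answer1: "x" };

function demo() {
  const session = { userId: 12 };
  const vuln = vulnerableAnswer(newDb(), session, TAMPERED);

  const db = newDb();
  const t0 = 1_000_000;
  serveAd(db, session.userId, 7, t0);
  const legit = { quesid1: "41", answer1: "Stupidity" };
  return {
    vulnerableTampered: vuln.awarded,                                 // 200 m$ for a question that does not exist
    hardenedTampered: hardenedAnswer(db, session, TAMPERED, t0 + 60_000).reason,
    tooEarly: hardenedAnswer(db, session, legit, t0 + 5_000).reason,  // answered 5 s into a 30 s video
    legit: hardenedAnswer(db, session, legit, t0 + 60_000).awarded,   // 50, the ad's real value
    replay: hardenedAnswer(db, session, legit, t0 + 61_000).reason,
    balance: db.balance[session.userId],                              // 50
  };
}

console.log(demo());
```

Run it with `node` and compare the two results: the reconstructed handler pays 200 m$ for a nonexistent question, while the hardened one rejects the tampered request, rejects an answer that arrives before the video could have finished, pays the silver ad’s 50 m$ once, and refuses to pay the same question a second time. The important design choice is that nothing the browser sends (other than the question id and the answer) is used to decide the payout, so there is nothing left in the hidden fields worth editing.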
- Bidding as someone else
- This would appear to be fixed now, but I’ll detail it a bit anyway :-)
- Open up an auction and check out the hidden <input> fields again.
- There are a couple of interesting ones:
- currentbidder - userid for the current auction leader
- currentuser - (This is in there twice wtf!?) - userid for the currently logged in user
- Previously if you changed the value of the currentuser fields you could place a bid for someone else.
- This doesn’t mean this page is secure now, far from it.
- Security Hole: The user is told their own userid and the bid leader’s userid, which they do not need to know. These are only used in the JavaScript to warn the user if they try to outbid themselves.
- Fix: Take the bidder’s identity from the server-side session, never from the form, and have a single form (or JavaScript) variable specifying whether the user is currently leading the bidding.
- Proof
- I put this into practice and won 2 auctions (on the same account) for incredibly ridiculous amounts of m$ (around 20x more than you could legitimately get)
- Auction 1
- Auction 2
- But… both of them arrived in my mailbox: Vouchers Pic
- Obviously no one at mintshot bothered to check any of the prize winners; even some anonymous blog poster managed to spot these bids. My username was “degar”, but you were close ;-)
- I then pushed my m$ up to 4,000,000 by “answering” the same ad 20,000 times. Certainly that should have raised some red lights!
- (I didn’t spend this and it was removed in the December reset)
- Image proof, gmail messed the email up a bit.
- What can we learn from this
- * Always try to break into your own site.
- * Hire competent people.
- * Keep an eye on your database for strange occurrences.
- Question for the mintshot guys (Who I certainly hope read this!)
- Can I redeem those vouchers for prizes or do you want em back?
- I could do with some new clothes and as you can tell from the terrible picture I took of the vouchers, a camera would go down well too :-)
- Contact details:
- danzel@localhost.geek.nz
