NOTE: The following contains instructions that may violate the mintshot TOS, anything you do is your own fault.
This is being posted so that the public can see how badly written mintshot is, which will hopefully kick the developers into fixing it so that those people who enjoy watching ads can get paid for it (I’m not one of them).
Mintshot is a poorly coded, insecure and easy to cheat website.
The level of security shown on the site makes me worry for the future of web development.
The security problems detailed in this post allow users to gain more m$ (the currency on the website) than they should be able to, thereby giving them an unfair advantage over the people who use the site legitimately.
Layman’s version: People can cheat on mintshot and get more money than you. This will let them win every auction and get all the prizes!
[Edit 3rd Dec] Removed at web hosts request.
Google Cache and pastebin have mirrors for now.
[Edit 4th Dec] Don’t send me stupid mail asking me how to hack, or I’ll post it on here like this:
From CS / Dec 3, 2007 2:25 AM
like the blog!! wanna teach me how to do this? i need new clothes too! and am not good enough to win! lol
hook a homie uP!
From CS / Dec 3, 2007 10:37 PM
hey man i know your probably going to shoot me down here!
but is there any way you could show me how to write that bookmarklet thing! i just completed my first semester at uni and i know how to write in C.. but am yet to get into javascript! any help would be nice! i know how to alter the info with a program in firefox but it takes heaps of time! so any help would be great! i don't want to rip the site off! i just wanna have a chance to win some SKINS!!!! lol please help it would be greatly appreciated! and i definitely wouldn't go crazy with it!
I should have just continued ignoring him at this point, oh well….
From Danzel / Dec 4, 2007 8:24 AM
Fuck off.
From CS / Dec 4, 2007 10:32 AM
hahahaha jesus! whats your problem? you left your e-mail on the site like you wanted to be contacted! jesus!
From CS / Dec 4, 2007 4:11 PM
c'mon man help me out! damnit! lol
From CS / Dec 4, 2007 6:51 PM
hey homo! looks like they have patched the exploit anyway! FUCK! all cause dick heads like you took it too far! if people had been civil about it it woulda been sweet!
Yes, dick heads like me who informed them of the security hole.
I’m certainly a huge dickhead!
Sheesh a geek that can’t take a screen shot, that’s scary ROFL!!!
Great explanation of the faults in lay terms. Miss Prozac understood most of it, although she doesn’t know how to get into the forums. Can view the source code and see what you’re talking about but not how to input my own values. Perhaps you would explain that – not so people can cheat but just so they know how it’s done.
We hear a lot Ironic, huh!
There is a plugin for the firefox web browser called “firebug”, it is the ultimate tool for debugging websites (I use it every day).
It can also be used to tinker with things like input values on any site you view.
Ahhhh I’ve been meaning to get that, but I haven’t downloaded it yet. I was planning to use it for a new blog I’m setting up so I can make changes to the code and view them and test them without messing up the original code etc.
Rushes off to get firebug…
Ugh what happened to my first comment LOL? Somehow a bit got missed out of the middle. Hmmmm think it went something like, we’ve heard from a lot of people that the early winners (which included some “cheats”) got their vouchers but now things are on hold.
I had also noticed the issues around the submit answer code. I submitted php code to exploit this to the mintshot guys about 9 days ago and have had no response nor has it been fixed.
The last form submit only needs the following fields:
quesid1 => any number you haven't used before
total => 1
option => com_template
task => submitanswer
type => platinum
The user id is taken from the session. If you remove the advertiser details from the form post, then the advertiser won’t have to pay their commission or whatever on it. Also without the advertiser details in there the submission doesn’t appear in the ‘My Earnings’ section of the site. So I currently have m$1000,000 with nothing listed in My Earnings for this month – I suspect a JOIN instead of LEFT JOIN in the code there 😉
@Danzel – another awesome tool is Charles, it’s a simple-to-use proxy which you can use with IE or FF. It allows you to edit the values in a form submission and re-run it. Great for testing form handlers like this.
So I just checked the fake gmail account that I use for my mintshot account and found this:
“Hi, your account has been picked up in a security audit and we have had to close your account. Please contact us if you have any concerns.
Kind regards,
The MIntshot Team”
I guess they’re starting to get things sorted but from the wrong end. Ideally I shouldn’t have been able to do anything in the first place. Oh well – it’s a start.
Oh dear – would you like a medal for proving that you can mess around with form variables? I’m afraid all you’ve done is proven that you are nothing more than a common criminal hacker by breaking the law, specifically Section 250 of the amended Crimes Act. Ethical consultants such as myself really hope that you are brought to task for trying to be a smartass.
You deliberately deprived potentially legitimate users of prizes and vouchers – not cool.
Calling it criminal Pp is a stretch, the users of the website are authorized to submit answers to questions.
It is entirely the fault of the site’s coders for leaving such a bug in the software. I would blame this entirely on the founder’s decision to outsource; one of the fundamental rules of startups is don’t outsource.
“Trusting people you never met to build the very foundation of your company does not make sense.” http://blog.adaptiveblue.com/?p=765
I’m not defending Danzel though, he should have notified & given mintshot a few weeks to fix the bugs as is standard practice before going public. But then I’m indifferent to the whole matter as I emailed them when the site launched about the flaws and they didn’t reply, so this may give them the motivation to get their act together. I don’t hold my breath though.
@nz.mike9875 – nice breakdown 🙂
@Pp – Have a cry elsewhere kthx.
You want me to be arrested for doing your job for free? lol! (Yes I understand that I wasn’t given permission to poke around, blah blah blah. I still find it funny)
I think it is best that someone find the holes and publicly acknowledge it so that they can be fixed rather than to have someone silently do it and as you say “deprive potentially legitimate users of prizes and vouchers”.
@Ac – “It is entirely the fault of the site’s coders for leaving such a bug in the software.”
I fully agree.
@Pp – “You deliberately deprived potentially legitimate users of prizes and vouchers” There were legitimate users? Not in any of the auctions I saw :\
Hi, Nick from Mintshot here.
Thanks for bringing this security issue to our attention. We certainly don’t like security flaws being made public but the best way we are going to harden the solution is by listening to members and dealing with these issues quickly.
We are currently very focused on making mintshot a fair, fun and rewarding place to hang out.
Regards
Nick
Wow finally. 🙂
No one likes public security disclosures against their product. But as Ac says above, you have been informed about this and it still isn’t fixed. The only way I can motivate you to fix it is to make it publicly known.
Enjoy.
Seriously, mintshot got all they deserved. I can’t stand it when sites have had 10 times more spent on the marketing budget than the coding budget. There have been a lot better sites that have bitten the dust because they couldn’t get celebrity endorsements or pyrotechnics on Rangitoto.
@Pp: The only crime here was going live with such goddamn shoddy code. If it wasn’t an internal hack job in creating the site, an agency would be getting seriously roasted right now!
If I could push a parking meter button and it spat money out at me, I’d push that button a few times!
‘rinkals’ been busy, at least not giving away the correct answer. I love how they pointed that out in the live version as well. Looks like the correct answer is hidden in a php file. Now, to get at that… ^^
hmm they really still have a long way to go!
Hey that’s great you heard from Nick. Funny, he hasn’t visited our site to thank us for pointing out all the communication errors LOL. Or maybe they sneak in and out of all the blogs and forums and pick up all the clues, but all they have to do is read their emails. Lots of people have written to them about the poor coding, implementation and testing!
Well they’ve fixed the bug in the submitanswer code. You can no longer fake the answer as the correct answer is now pulled from the database.
Changes to the type are now ignored (no boosting a gold to platinum for more m$)
Invalid question ids are ignored.
Well done – Amazing what happens when some Kiwi coders get involved?
– Mike
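The server-side rules Mike lists here (correct answer and reward tier taken from the database, client-supplied type ignored, unknown question ids rejected, user id from the session) set against the trust-the-form handler from his earlier comment, written up as an added Python example that is not Mintshot’s code. The table layout, the `answer` form field and the m$ payout amounts are constructed assumptions for illustration.

```python
import sqlite3

# Constructed stand-in for the site's question and submission tables (assumption).
SCHEMA = """
CREATE TABLE questions (id INTEGER PRIMARY KEY, advertiser_id INTEGER NOT NULL,
                        tier TEXT NOT NULL, answer TEXT NOT NULL);
CREATE TABLE submissions (user_id INTEGER, question_id INTEGER, tier TEXT,
                          advertiser_id INTEGER, PRIMARY KEY (user_id, question_id));
"""
REWARD = {"gold": 10, "platinum": 50}  # constructed m$ payout per tier (assumption)


def open_db():
    """In-memory database seeded with one constructed gold-tier question."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.execute("INSERT INTO questions VALUES (1, 7, 'gold', 'b')")
    return db


def submit_answer(db, session_user_id, form):
    """Hardened submitanswer handler.

    Only quesid1 and the user's answer are read from the form; type, advertiser
    and user id are authoritative server-side data, so posting type=platinum or
    dropping the advertiser fields changes nothing. Returns (m$ credited, reason).
    """
    try:
        qid = int(form.get("quesid1", ""))
    except ValueError:
        return 0, "bad question id"
    row = db.execute("SELECT advertiser_id, tier, answer FROM questions WHERE id = ?",
                     (qid,)).fetchone()
    if row is None:
        return 0, "unknown question"          # invalid question ids are ignored
    advertiser_id, tier, correct = row
    if form.get("answer") != correct:
        return 0, "wrong answer"              # compared against the database copy
    try:
        db.execute("INSERT INTO submissions VALUES (?, ?, ?, ?)",
                   (session_user_id, qid, tier, advertiser_id))
    except sqlite3.IntegrityError:
        return 0, "already answered"          # one payout per user per question
    return REWARD[tier], "ok"                 # tier from the DB row, never form['type']
```

Because the advertiser id is always written from the question row, every credited submission also carries the advertiser needed for the ‘My Earnings’ join.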
Thanks for the update Mike
So, is it still possible to cheat in other ways or does it look like all the loopholes have been closed?
can you add smilies support to afkim Danzel? i can supply you with smilies.
and is it possible to integrate the links2 browser somehow?
btw i loved the emails from CS. especially your simple response; fock off.
can you also teach me to hack:D ? just a joke, I’m already fair in it:p
I’m not going to add smilies support, it would require too many changes in the current framework.
Same with links2.
Post your comments in the thread that is relevant, I get automatic alerts so I will see them.