Wild

CSGOWild · @Wild

30th Dec 2017 from TwitLonger

Abuse


With the relaunch of Wild during a busy time, we've experienced some issues over the past week, some of which have affected users and have been subject to scrutiny from other CS:GO skin sites.

Recently we were transitioning our database over from an EU region to a US region to accommodate more North / South American players with better latencies. In the process, and due to an oversight on our end, our security on the databases was lowered significantly. This allowed a user to break into the server, get into the local root account of the server and database, and read and write user data.

Over the last 36 hours, a rogue account gained access to the database and was able to credit themselves emeralds and view provably fair data of matches. The provably fair on CSGOWild, like on other sites, is predetermined when a match is created (more explained below), and so someone with access to the provably fair backend data would be able to join profitable coin flips which they would know they would win. Presumably the goal of the user was to build up account emeralds, cycle them to a main account which is able to trade, and then withdraw winnings in a short amount of time without site administrators noticing. Cycling is a method often used on sites like ours where you distribute your winnings over many accounts and coin flips to prevent detection from ring detection algorithms and human oversight to successfully withdraw skins from the site inventory.

We've caught the user, banned the related accounts and have refunded all affected users who lost coin flips to the dummy accounts with backend access. This affected approximately 5,000.00 Emeralds. After a coin flip is created the outcome of the coin flip is known. Anyone who can access the database will be able to determine who the winner will be (the creator, or the joiner). The full, current provably fair system is explained on our provably fair page, along with an example of how it works. In this case, the user was able to join games that they knew they would win and therefore profit an unusually high amount.

On other sites which are against the house (e.g. upgrades, crash, roulette, etc.), the provably fair works in a similar way where the outcome is predetermined. However, because you are depositing skins against the house, any unfair advantage you have will only affect the site's inventory, and not other players. We'll implement an improved PvP provably fair system which will incorporate client and server seeds (client and server sided data) to allow greater control for players over the provably fair system.

We'll also update the provably fair system to work in real time and draw a winner once a flip is joined, not when it is created, to prevent a hack in the future from being able to affect users with open coin flips on the site.

We'll update our security measures on database servers and databases, as well as implement additional monitoring to ensure we can determine breaches more quickly. Finally, our provably fair data in the database will be encrypted in real time, which will prevent someone with only database access (e.g. from a hack) from being able to access any provably fair information on coin flips. This rework will take some time and will not affect coin flips which have already been made, but we will put all of our efforts into resolving this as soon as possible.
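
A sketch of the kind of scheme the post describes, where the server commits to a seed when the flip is created and the winner is drawn only once a joiner supplies a client seed. This is an added example, not CSGOWild's code; the function names, the HMAC-SHA256 construction and the flip id format are assumptions.

```python
import hashlib
import hmac
import secrets

# Assumption: server_seed is kept out of reach of anyone who can read the
# database until the draw (the post plans to encrypt this data). A joiner
# who could read it before joining could pick a favourable client seed.


def new_flip():
    """At creation: pick a secret server seed, publish only its hash."""
    server_seed = secrets.token_bytes(32)
    commitment = hashlib.sha256(server_seed).hexdigest()
    return server_seed, commitment


def draw_winner(server_seed: bytes, client_seed: bytes, flip_id: str) -> str:
    """At join: the outcome also depends on the joiner's client seed,
    so nothing stored at creation time determines the winner by itself."""
    msg = flip_id.encode() + b":" + client_seed
    digest = hmac.new(server_seed, msg, hashlib.sha256).digest()
    return "creator" if digest[0] % 2 == 0 else "joiner"


def verify_flip(commitment: str, server_seed: bytes, client_seed: bytes,
                flip_id: str, claimed_winner: str) -> bool:
    """After the seed is revealed: check the commitment, recompute the draw."""
    seed_hash = hashlib.sha256(server_seed).hexdigest()
    if not hmac.compare_digest(seed_hash, commitment):
        return False  # revealed seed is not the one committed at creation
    return draw_winner(server_seed, client_seed, flip_id) == claimed_winner


def demo():
    """Constructed walk-through of one flip with a made-up flip id."""
    server_seed, commitment = new_flip()        # flip created, hash published
    client_seed = secrets.token_bytes(16)       # supplied by the joiner
    winner = draw_winner(server_seed, client_seed, "flip-0001")
    ok = verify_flip(commitment, server_seed, client_seed, "flip-0001", winner)
    return winner, ok


if __name__ == "__main__":
    print(demo())
```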
