Primedice the world’s largest bitcoin gambling website and casino recently revealed that they system had been hacked costing them well over a million dollars’ worth of bit coin. In a show of transparency and warning to other organizations, Primedice revealed the timeline, along with the method that was used to exploit their system.

The timeline reads like so many other hacks over the last few years. Not wanting to delay the product any further, Primedice released the third version of the software after a short week of beta testing. Shortly after this, Primedice begun to notice that one account had become the highest bettor in their history and almost astoundingly managed to beat the House Edge consistently without appearing to do any wrong doing.

Despite delaying the hacker’s transactions periodically to investigate, Primedice continued to be unable to detect any malicious activity. That is until they brainstormed the possibility of a timing attack. To ensure that the bets were not tampered with, “a user is shown an encrypted random value (the server seed) before they bet and they must also submit their own random value (the client seed).” The values are then combined to determine who wins, but the site reveals the “decrypted server seeds (to assure users no bet manipulation has occurred) and puts a new random seed in place, essentially trashing the old revealed seed.”

This hacker manipulated the server handling the seeds by sending large amounts of requests in short a time causing active seeds to be decrypted. Worse yet, the hacker managed to work around the patch the developer implemented to steal an additional 2000+ bitcoins and left none a too subtle message and dox of a Primedice employee after being asked to return the stolen bitcoin on a bitcoin talk forum about his winnings.

Your offer is declined. Your demands are laughable. I’m happy to walk away and leave you be, but if you’re going to take this further, then so will I. I don’t think you want this to go further. I actually enjoy this shit [sic]. Your move.

Oh, and by the way, there are some pending withdrawals that you need to process.

If there is any lesson to take away from Primedice, it’s that software development is not an easy task and in corporate environments, it is easy to overlook a security feature when a team of programmers have rigid deadlines (I am looking at you Adobe Flash). A mindset that has to change amongst developers is that your product doesn’t function if it’s not secure. I know this will cause a push-back from managers and high level members of an organization, but it is a mindset that needs to change, nonetheless.