Something interesting happened on Twitter earlier this week. Internet marketer and Bitcoin promoter Adam Guerbuez started to make some BIG tips to well known people using the ChangeTip service, giving Eminem $2,500 and Flavor Flav $1,500:
https://twitter.com/ChangeTip/status/668882567332888576
https://twitter.com/ChangeTip/status/668881139658915840
He tossed Mt. GOX scammer Mark Karpeles some bones too!
https://twitter.com/ChangeTip/status/668875238264823808
He also made some political donations! Dropping $500 to Justin Trudeau:
https://twitter.com/ChangeTip/status/668792817708208128
He even dropped a massive $800 tip on the possible future president of the United States Donald Trump:
https://twitter.com/ChangeTip/status/668794339317800960
You get the point. He went on a tipping spree giving what appeared to be thousands of dollars to well known individuals, and it had many people turning their heads and putting their begging hands out:
https://twitter.com/lumpbets/status/668807053713022977
https://twitter.com/CryptoChrisG/status ... 1511729155
https://twitter.com/CryptoTrap/status/6 ... 1382302721
https://twitter.com/Bitcoinloopven/stat ... 6340829184
Some people even got a little mad about the recipients of these tips!
https://twitter.com/orweinberger/status ... 7109852160
So this is pretty insane right? Guy tips famous people thousands of dollars and ChangeTip seems to be processing it and it's all legit.
However it turns out that despite fooling most people, the tips were not exactly what they appeared to be. You've probably figured out now that something's not quite right, and that a little exploit of sorts was found in ChangeTip's system.
We were interested in exactly how, so we caught up with Adam Guerbuez who granted us an exclusive interview:
Bitcoin Futures Guide: So how did you figure out this little trick on ChangeTip where you sent people what appeared to be thousands of dollars, causing even the official @Changetip bot on twitter to clearly confirm the high dollar amounts being sent?
Adam Guerbuez: Well I have always had a passion for testing and exploring the vulnerablities within different websites. With ChangeTip, I realised that they did not have a word filter list on their "custom moniker" feature, that allows any user to assign a monetary value to any word. The user then simply can tip others while using that word and the reciepient of the tip gets the amount that you assigned to it.
For example: you can send someone a tip for a "cup of coffee" and the person will get a couple of dollars if you assign $2 to that moniker. So I decided to try to assign a value to the word "Dollar", however I never expected that the people who built ChangeTip would have overlooked adding that word to the filtered word list. Not only was "Dollar" not on their list, but there was no list at all, any words are allowed and this just seemed very insecure.
So I brought it up to the company officials early in 2015 after I made some tweets using custom monikers like "Dollar" and others I created. The response? I was asked to not use such custom monikers and I just assumed that they were going to add the most obvious ones to a filtered wordlist at that point.
Fast forward many months later, November 23rd I had been trying to close a large promotional contract with a new client who asked me to show him what type of method I could deploy on Twitter to turn heads worldwide. I replied "Give me five minutes and I will show you." So I logged into my Changetip account and was going to create a controversial custom moniker and use it to send tips to many high ranking celebrities and government officials that was sure to turn heads.
By chance I tried to use "Dollar" thinking that ChangeTip had more than eight months to fix the issue, but to my ultimate surprise, I was able to send tips out with it and so I did. The rest is history.
BFG: So how did ChangeTip react this time?
AG: Well, I recieved an email from Nick Sullivan of ChangeTip after I had sent out all the tweets. He had said that the tips I was sending caused several team members to demand that my account be banned because my actions are hurting the ChangeTip brand.
Then a second email followed where they refrenced the tip that I sent to @magicaltux (Mark Karpeles) stating the following:
We’re rolling forward with the ban - as your behavior is a violation of this section of our terms of service: Is harmful, fraudulent, deceptive, threatening, harassing, defamatory, obscene, or otherwise objectionable; Jeopardizes the security of your ChangeTip account or anyone else’s (such as allowing someone else to log in to the Services as you)
Clearly they were angry that I may have offended the former owner of MtGOX when I tipped him for his prison canteen.
BFG: Do you think it was reasonable that they banned you for this?
AG: I am not going to debate their ruleset for using their platform, they run it as they see fit. They have still not fixed the custom moniker issue and I have seen several other people copying what I did now. Clearly they do not see fit to address that simple issue and banning my account from their service was more convienient.
End of interview.
So there you have it folks. ChangeTip had almost a whole year to fix an obvious insecurity in their system and they didn't. If they are willing to ban people for using a certain moniker to make tips, why don't they filter what words can be used? Why don't they add these checks in place instead of banning users?
We think that people who explore systems and find holes should be rewarded for finding problems, not punished. Adam had his fun but for now he's no longer allowed to use ChangeTip
Bitcoin Futures Blog prefers to use ProTip, an opensource decentralised tipping solution. We don't believe that people should rely on VC-funded centralised solutions. It is much more in the spirit of bitcoin to empower individuals to do as they want.
Have you found any interesting flaws in the systems of Bitcoin services? Contact us and we may feature you with an interview to explain it too!
