Adblock breaks this site

Report on Virtual

Discussion in 'Report A Scammer Archive' started by Talon, Mar 26, 2015.

Thread Status:
Not open for further replies.
  1. Talon

    Talon Grand Master
    $300 USD Donor New

    Joined:
    Oct 8, 2014
    Posts:
    4,073
    Referrals:
    17
    Sythe Gold:
    1,267
    Discord Unique ID:
    1007900041333198960
    Discord Username:
    talon
    I'm LAAAAAAAME In Memory of Jon Live Streamer Official LoL Rank Verifier Sythe's 10th Anniversary SytheSteamer Rust Player
    CoolHam Nitro Booster Verified Ironman Sythe's 15th Anniversary
    Report on Virtual

    Scammer's profile link: http://www.sythe.org/members/365137-virtual.html

    Explain the service: $400 for him to make me a website for RSGP and CS:GO items buying/selling. Paid $26 upfront, then when he delivered I paid 70%.

    Sythe PM picture:
    http://gyazo.com/deb26e305f4d7ddf6e7167c53b041069
    http://gyazo.com/95cd447981e6269dd576a0384a3711bd
    http://gyazo.com/bcda2b3d5163d82e3386fd515b6f66da - the last picture is him pming me saying exactly what i said in the
    second picture

    Skype profile ID & conversation:
    http://gyazo.com/bdc9bc7e61c9a9abcaca56e5c19072f4

    Proof that the service was not completed:
    The services were completed, however it might as well be incomplete. I was told my website was going to be secure in the
    following screenshots: http://gyazo.com/77f8dfb1be2bc0100ddd976e95a10435 http://gyazo.com/25d1210db74c96d59d11ff23ca93422c

    Other relevant trade screenshots: N/A

    Other Information:

    The thread advertises professional websites, I feel like what I purchased was far from that. For a website to be professional, it should come with things as standard, such as security, one aspect where you fell short on a few occasions, leaving my site vulnerable. I had a friend look over the code and thus determined the code sloppy and unprofessional. after some consideration, I don't feel like I got my moneys worth at all and I feel robbed.

    The point of this report is not to get the issues fixed, As I had them fixed already, but its to point out the issues and ask for any advice on what to do about it, if nothing else, to enforce him to step up his game and take it more serious. I would greatly appreciate a partial refund.


    A quote from my friend who reviewed the code:

    The code is extremely sloppy and poorly written, half of the forms are done without any sort of security, i.e no sql injection prevention etc. any data in the database is loaded without any validaty checks and any data stored in the database has no validaty checks eiter, so anyone who knows what they're doing, could easily inject content into the db, which would be loaded on select pages, could easily empty/dump all the database tables etc The code is worth nowhere near the amount paid for it and could have been written in a matter of hours. It all seems like it was thrown togethor following tutorials etc. It would be outrageous if he was to continue selling this kind of work, atleast for the prices he is doing whilst claiming it to be professional.

    EDIT: I linked him my report on Skype. He began saying he quit making websites and that he was closing his thread (which he did).
     
  2. Dial

    Dial Experienced Web Developer
    $200 USD Donor New Pirate PHP Programmers

    Joined:
    Jul 12, 2010
    Posts:
    5,739
    Referrals:
    32
    Sythe Gold:
    126
    Sythe's 10th Anniversary Two Factor Authentication User MushyMuncher Member of the Month Winner Easter 2015
    Report on Virtual

    Talon asked me to give a bit of input on it. I'll try to remain as unbiased as possible (since Virtual is technically my competition) while giving my quick input so that any mods who don't know code have a better understanding.

    I was shown by Talon and his new developer a file that had a major SQL injection problem. It was a register form, and essentially if you typed even an apostrophe in the input field it would have screwed up the script and resulted in errors, let alone if you typed something like '; DROP ALL TABLES, which would have ruined the entire database. This was the only security vulnerability that I personally saw, but they told me that they fixed several others, including a form upload where people could upload any file they wanted (think ability for any user to upload RATs and PHP scripts).

    Now, being realistic, that could have been an oversight by Virtual and maybe he would have fixed it if allowed to do so. It depends entirely on how many of these mistakes happened to know whether it was intentional to be malicious, if it was ignorance, or if it was just an oversight (as they do happen frequently in this field when you're trying to manage tons of different files and lines of code). If these mistakes were because he didn't know how to protect against it, then he shouldn't be able to service websites on Sythe as all of his clients would be at risk of mass hackings. But if it was just a mistake, then he should be allowed to continue.

    As far as I saw, there were no security problems with user security, just backend security with SQL injections (which are the easiest things to protect against, and the first you learn when you start website development). Everything was hashed properly and kept secure from what files and code I reviewed, although some of it may have been fixed by his new developer.

    I'm honestly not sure what the outcome of this report should be based on the fact that I didn't see the entire original code (Virtual if you want to send me the original code, I could review it and vouch for you if there aren't many/any problems like this other than the individual one I saw).

    My two cents, as I was asked to post.
     
  3. Dave

    Dave Legend
    Legendary Steve Retired Administrator

    Joined:
    Oct 31, 2010
    Posts:
    25,909
    Referrals:
    18
    Sythe Gold:
    18,211
    Discord Unique ID:
    178371480025825281
    Sythe Awards 2013 Winner Former OMM Detective STEVE In Memory of Jon Poker Chip Pokémon Trainer (2)
    Some like it hot
    Report on Virtual

    I dished him a PM, imo he should just fix this small problem, seems mike is saying its a really quick fix?

    If he doesn't fix it and because of this your site is unsafe and cannot be used, then you should be able to chargeback the payment. Go ahead and pm some other staff for input. I will be out of town for two days and cannot follow up till then so if someone else can jump in Id appreciate it
     
  4. Dial

    Dial Experienced Web Developer
    $200 USD Donor New Pirate PHP Programmers

    Joined:
    Jul 12, 2010
    Posts:
    5,739
    Referrals:
    32
    Sythe Gold:
    126
    Sythe's 10th Anniversary Two Factor Authentication User MushyMuncher Member of the Month Winner Easter 2015
    Report on Virtual

    Virtual sent me his code to review, so I'm going over it now. My input may not matter, but as someone who can read the code, I will give my insight as to how many problems there are.

    KEEP IN MIND THAT THIS WAS SENT TO TALON, AND THEN VIRTUAL DID SOME MINOR FIXES OVER TEAMVIEWER AFTER THIS, SO SOME MAY BE FIXED ON THE LIVE VERSION.

    Glitch found when looking for SQL injections in ************

    Code:
    if(strlen($message) < 10 || strlen($password) > 5000){
    
    SQL injection problem in register.php, although later sanitized in functions.php, still not a wise decision

    Code:
    $name = $_POST["name"];
    $email = $_POST["email"];
    $pass = $_POST["password"];
    
    SQL injection problem in login.php, NOT later sanitized in functions.php

    Code:
    $email = $_POST["email"];
    $pass = $_POST["password"];
    
    That's all I found, and they're all extremely easy things to fix. There are of course other small things that I would recommend against, but none of them are a security issue.

    With that being said, I'm truly not sure how much should be refunded (if any) because these are all easy to fix. It's a shame that they were released on a live site, but sometimes that happens.

    It's my understanding that Talon still owes Virtual $100 - maybe that can be waived by mutual agreement, or at least partially? Talon paid his new developer $50 to fix these problems, and didn't give Virtual the chance to.

    I've also reviewed the new code, and not much has been changed other than a few more sanitizations done in functions. The glitch is still there, but the injection spots are all fixed.
     
  5. Dave

    Dave Legend
    Legendary Steve Retired Administrator

    Joined:
    Oct 31, 2010
    Posts:
    25,909
    Referrals:
    18
    Sythe Gold:
    18,211
    Discord Unique ID:
    178371480025825281
    Sythe Awards 2013 Winner Former OMM Detective STEVE In Memory of Jon Poker Chip Pokémon Trainer (2)
    Some like it hot
    Report on Virtual

    Talon it seems he was more than willing to help you out to fix these issues. You shouldn't charge back.

    If the changes were that minor you and virtual should work out on agreement on paying a portion of what was owed. However the majority should go to virtual seeing as he completed nearly the entire thing

    Let me know if you guys can't figure it out
     
  6. Talon

    Talon Grand Master
    $300 USD Donor New

    Joined:
    Oct 8, 2014
    Posts:
    4,073
    Referrals:
    17
    Sythe Gold:
    1,267
    Discord Unique ID:
    1007900041333198960
    Discord Username:
    talon
    I'm LAAAAAAAME In Memory of Jon Live Streamer Official LoL Rank Verifier Sythe's 10th Anniversary SytheSteamer Rust Player
    CoolHam Nitro Booster Verified Ironman Sythe's 15th Anniversary
    Report on Virtual

    It's resolved, thanks Dave.
     
  7. S

    S noobies

    Joined:
    Mar 7, 2011
    Posts:
    15,907
    Referrals:
    4
    Sythe Gold:
    3,618
    Two Factor Authentication User
    Report on Virtual

    Locked.
     
< Report for ins4ne587 | Ins4ne587 Scammed Me For ~15M 07GP >
Thread Status:
Not open for further replies.


 
 
Adblock breaks this site