Friday, December 29, 2017

The first stage of altcoins support at A-ADS

Altcoin support has been a recurring request from both our advertisers and publishers, due to the Bitcoin scaling issue, which has resulted in steep transaction fees and longer transaction waiting times. This issue will probably be resolved in the future, but we must serve the present needs of our customers.

That's why starting today, the 29th of December, our advertisers can top up their accounts using the following altcoins:
  • Bitcoin Cash (BCH)
  • Ethereum (ETH)
  • Dash (DASH)
  • Litecoin (LTC)
There are a few things to keep in mind though:

First of all, your altcoin deposits will be converted to Bitcoin (BTC) which is our primary currency and we are not going to forsake it.

Secondly, for altcoin deposits there is a 3% conversion fee and a 0.5% fee will be taken by our payment processor.

Thirdly, altcoin deposits won't be displayed until they get confirmed. Since we use a third party to accept altcoins, it may require additional time to process the payment after it receives the required amount of confirmations (which depends on the currency).

We realize that altcoin withdrawals might be an even more important feature for publishers, and we plan to implement them as well.

The A-ADS team wishes you Merry Christmas and Happy New Year!

Friday, November 10, 2017

November 7th statistics aggregation failure incident

On the 7th of November one of our statistics aggregation routines failed. As a consequence, new ad units were not displaying paid ads and thus earned nothing during the last 2-3 days.

We've deployed a fix today and sent compensation to cover the estimated missing income to the active ad units which were affected by the issue.

The compensated amount is reflected in the "Received from A-ADS" value of the ad unit's all-time financial stats table.

Dear owners of the new ad units, we apologize for the inconvenience this incident might have caused to you.

Tuesday, October 24, 2017

October 24th accounting database incident

Dear A-ADS users,

Due to a mishap related to our development process, we've lost some of the traffic statistics and accounting data for the past 18 hours. Here's how it will affect you.

Publishers

The information about your earnings and traffic for the past 18 hours has been wiped and is impossible to recover. In order to compensate you, we will lower our fee from 20% to 0% for the next four days, which means you'll be earning more to make up for the lost revenue.

Some publishers who had withdrawals during this time period may see a negative or zero balance as a consequence of this incident. Please do not be alarmed; this is expected, and the problem will rectify itself in due time.

Advertisers

Advertisers will benefit from this incident, because your spending for the past 18 hours will not be accounted for. This means your campaigns have received 18 hours' worth of free advertising (not reflected in the statistics) and will keep running until they run out of the allocated budget.

The bottom line

We are terribly sorry for the incident and we'll take measures to avoid such problems in the future.

Wednesday, September 20, 2017

Bug Bounty Program at A-Ads

This article might be outdated. Please see the updated version here: https://a-ads.com/blog/2018-10-04-bug-bounty-program/

The security of our operations is our highest priority for many reasons: we're dealing with our clients' money, we must protect our partners' privacy, and we have our own reputation at stake. Whether you are a professional security researcher or just a beginner, we welcome your security reports. However, we'd love them to be useful and actionable, which is why we have certain recommendations in their regard.

  Security report guidelines:
  • Please provide the information on how the vulnerability you've discovered might be used both theoretically and practically, what its impact is, and all the pertinent details.
  • Please provide the exact steps on how the vulnerability can be exploited and how we can reproduce the issue ourselves. We'd love to see the demonstration of the attack which will not affect our existing users. You may create as many test user accounts as you need.
  • Please submit the bug report via our support channels (email or web site widget) but only after you've verified that it indeed works.
  • Use whatever language you prefer if you don't feel comfortable writing in English.
The monetary reward you'll be getting for your report is left to our discretion. The reward will be paid in bitcoins. Please remember that we don't pay rewards for already known vulnerabilities, which are listed below.

Also, if you're a security researcher reading this, we'd like to draw your attention to the fact that our SPF record is indeed valid, and that we do not deem account deletion a security vulnerability.

Hall of fame

  • 2018-05-06 Ch Chakradhar (Spi3er) reported a catalog CSRF vulnerability ($30)
  • 2018-03-02 Waqar Vicky reported a number of issues and received a $100 bounty:
    • Password reset requests are not rate limited and can be used to perform a DoS attack
    • Our jQuery library is outdated and might be insecure
    • We allow extremely weak passwords at user registration
    • After logging off, you can use the web browser back button to see previously opened web pages
    • After changing an email address other open sessions are not invalidated
  • 2017-12-10 Anonymous researcher reported a session termination vulnerability and earned $50.
  • 2017-11-22 Anonymous researcher reported a self-XSS protection vulnerability - we don't consider it to be our vulnerability, but we may take measures to mitigate it in the future.
  • 2017-11-22 Anonymous researcher reported a tab open vulnerability and earned ~$100.
  • 2017-11-22 Anonymous researcher reported an SSL cookie vulnerability (investigating).
  • 2017-11-21 Anonymous researcher reported a minor issue related to the email change and earned a reward of ~$30.
  • 2017-11-16 Ch Chakradhar (Spi3er) reported a minor issue which made it possible to check the existence of a user by email and earned a reward of ~$30.
  • 2017-11-08 Anonymous researcher reported a vulnerability which gave him access to our staging database and to a third-party server which we used for monitoring and control. Thus he earned a reward of ~$500.
  • 2017-11-05 Ankit Bharathan reported a low-impact XSS issue in ad preview page and earned a reward of ~$50.
  • 2017-07-04 Jens Mueller (@jensvoid) responsibly reported a CORS misconfiguration vulnerability and earned a reward of ~$240.

Saturday, July 29, 2017

Our stance on Bitcoin forks

We believe that Bitcoin should be scaled both on-chain and off-chain. SegWit2X does both and, despite the fact that it is not perfect, it has overwhelming support from miners and users.

We recognize only one Bitcoin: the one that has the most mining power (proof of work) behind it.

In the future we may decide to add support for a minority chain as well.

On the 1st of August, in order to mitigate the increased risk of blockchain reorgs, we will require 6 confirmations for all deposits.
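The 6-confirmation rule above is a policy, not code, and the page shows no implementation. As an added example (not A-ADS code), the following deposit-crediting check applies that threshold and, because a reorg can replace the block a deposit was mined in, counts confirmations from the block hash rather than the height alone. The chain view, the `makeChain` helper and the deposit record are constructed for this example; the hashes are placeholders, not real Bitcoin block hashes.

```javascript
// Added example, not A-ADS code: a deposit-crediting check that applies the
// 6-confirmation threshold and treats a reorged-out block as zero confirmations.
// The chain view and transaction below are constructed for this example.

const REQUIRED_CONFIRMATIONS = 6;

// A chain view is an array of blocks from genesis to tip, as a node would report it.
function confirmationsFor(chain, tx) {
  const tipHeight = chain.length - 1;
  if (tx.blockHeight > tipHeight) {
    return 0; // the block we recorded is not in this view yet
  }
  // Height alone is not enough: after a reorg the same height holds a different
  // block, and the transaction may no longer be in the active chain at all.
  if (chain[tx.blockHeight].hash !== tx.blockHash) {
    return 0;
  }
  return tipHeight - tx.blockHeight + 1;
}

function shouldCredit(chain, tx, required = REQUIRED_CONFIRMATIONS) {
  return confirmationsFor(chain, tx) >= required;
}

// Constructed chain: block hashes are placeholders, not real Bitcoin block hashes.
function makeChain(prefix, length) {
  return Array.from({ length }, (_, height) => ({ height, hash: `${prefix}${height}` }));
}

// Stand-alone run: the deposit was mined at height 3 of a 10-block chain
// (7 confirmations) and is credited; if a competing chain replaced block 3
// onward, the same deposit would count as unconfirmed again.
const deposit = { txid: "constructed-txid", blockHeight: 3, blockHash: "main3" };
const mainChain = makeChain("main", 10);
const reorgedChain = mainChain.slice(0, 3).concat(makeChain("alt", 12).slice(3));
console.log(confirmationsFor(mainChain, deposit), shouldCredit(mainChain, deposit));       // 7 true
console.log(confirmationsFor(reorgedChain, deposit), shouldCredit(reorgedChain, deposit)); // 0 false
```

The design point is that a crediting routine must re-evaluate deposits against the current chain view rather than storing a confirmation count once: a deposit that was already at 5 confirmations drops back to 0 if its block is orphaned, and the 6-block threshold only bounds how deep a reorg has to be before a credited deposit can vanish.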

Monday, July 10, 2017

2017-07-05 incident report

Chronology

On Tuesday, July 04, we received a vulnerability report from Jens A Mueller (@jensvoid).

It turned out that our web server's Cross-Origin Resource Sharing (CORS) settings were misconfigured, which potentially allowed a third party to take over user accounts and perform a man-in-the-middle (MITM) attack. We fixed the reported vulnerability in less than 24 hours.

On Wednesday, July 05, one of our users reported on a public forum that his bitcoin address had been altered.

Initially we didn't attach much importance to it, but the following day we received a few similar reports and it became evident that something bad was happening.

On Thursday, July 06, we suspended our bitcoin withdrawals and asked our users via the site, Twitter, the forum and email to double-check their withdrawal addresses and contact us in case they had been altered.

We received even more reports after that.

We spent a lot of time trying to identify the problem and discovered that:
- some of our backup routines didn't work properly;
- we had lots of logs, but they were mostly useless and hard to analyze;
- we had a few security-related bugs that were unrelated to the problem.

Eventually we came to a conclusion that the problem was most likely caused by the CORS issue mentioned in the beginning of this post.

Scope

The vulnerability enabled the attacker (let's call him or her Alice) to access at least dozens of accounts of users who visited her site while being signed in at A-ADS.

Alice was probably able to collect the user names / emails of those users and alter any editable data of their accounts (e.g. withdrawal settings, emails and passwords). We don't know when she discovered this vulnerability or for how long she was exploiting it.

When Alice noticed that we had fixed the CORS issue, she hurried to profit from the access she had gained and altered the withdrawal addresses of the controlled accounts before their sessions expired.

She was smart enough to use unique IPs and bitcoin addresses, so we could identify neither her nor the exact number of hacked accounts.
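The page does not show the actual server configuration, so the following is an added example (not A-ADS code) of the misconfiguration class the report describes: a server that echoes whatever `Origin` the browser sends while also allowing credentials, which lets any page a signed-in user visits read that user's authenticated responses and submit state-changing requests such as a withdrawal-address update. Next to it is the hardened form (an exact-origin allow-list with `Vary: Origin`) and a self-check that a site operator can run against a handler to catch the dangerous combination. The handler functions, the allow-list entry, and the probe origins are assumptions constructed for this example.

```javascript
// Added example, not A-ADS code: the page does not show the actual server
// configuration, so the vulnerable handler below is an assumed instance of the
// CORS misconfiguration class (reflecting any Origin while allowing credentials).

// Vulnerable pattern: every Origin the browser sends is echoed back, together
// with Allow-Credentials. Any page a signed-in user visits can then read the
// user's authenticated API responses and submit state-changing requests.
function corsHeadersVulnerable(requestOrigin) {
  return {
    "Access-Control-Allow-Origin": requestOrigin,
    "Access-Control-Allow-Credentials": "true",
  };
}

// Hardened pattern: an explicit allow-list of exact origins (scheme + host).
// Unknown origins get no CORS headers at all, so the browser blocks the read.
const ALLOWED_ORIGINS = new Set(["https://a-ads.com"]); // constructed allow-list

function corsHeadersHardened(requestOrigin, allowed = ALLOWED_ORIGINS) {
  if (!allowed.has(requestOrigin)) {
    return {};
  }
  return {
    "Access-Control-Allow-Origin": requestOrigin,
    "Access-Control-Allow-Credentials": "true",
    // Caches must key on Origin, or one origin's header could be served to another.
    "Vary": "Origin",
  };
}

// Self-check for a deployment: send a few origins the server should never trust
// and report any that come back reflected with credentials allowed. The probe
// values are constructed for this example; "null" is what browsers send for
// sandboxed frames and some redirects, and must not be trusted either.
const PROBE_ORIGINS = ["https://not-our-site.example", "null"];

function auditCors(handler) {
  const findings = [];
  for (const origin of PROBE_ORIGINS) {
    const headers = handler(origin);
    const reflected = headers["Access-Control-Allow-Origin"] === origin;
    const credentials = headers["Access-Control-Allow-Credentials"] === "true";
    if (reflected && credentials) {
      findings.push(`origin "${origin}" is reflected with credentials allowed`);
    }
  }
  return findings;
}

// Stand-alone run: the vulnerable handler yields two findings, the hardened one none.
console.log("vulnerable:", auditCors(corsHeadersVulnerable));
console.log("hardened:", auditCors(corsHeadersHardened));
```

Two details matter in the hardened version: the allow-list compares the whole origin string (a suffix or regex match such as "ends with a-ads.com" reintroduces the problem), and the empty object for unknown origins is deliberate, since sending `Access-Control-Allow-Origin: *` alongside credentials is rejected by browsers but still signals a misconfiguration worth flagging.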

Aftermath

On Monday, July 07, we resumed bitcoin withdrawals. We did it with mixed feelings, because we still have more questions than answers.

According to our estimates, Alice was able to withdraw only a fraction of bitcoin, and we'll be able to cover it from our funds.

She may still control some of the accounts (if she managed to change their passwords) and profit from them. So if you haven't signed in for a while, please check your account and contact support in case of a problem.

We apologize to our users for this incident and thank them for their patience. We hope that the affected users will not stop bombarding our support with their messages until their issues get fully resolved. Unfortunately it may take a lot of time, and we apologize for that too.

We also thank Jens A Mueller for his precious help.

We feel that we have learned a valuable lesson, and we still have homework to do, but we would like to ask Alice and other hackers to refrain from attacking us in the future.

If you find any serious vulnerability, please send us a bug report with a proof of concept, as @jensvoid did, and we will pay you a bounty depending on the potential damage. It would be ethically correct and would save lots of time for both you and us.

Thursday, June 15, 2017

Introducing CPM bids - a new way to buy traffic at A-Ads

Unlike other advertising networks, we use neither JavaScript nor cookies in our banners, which means that our means of fending off fake traffic are limited. This is why we were reluctant to implement CPM and only offered a less traditional payment model, where advertisers spend their money at the chosen pace and get a share of impressions regardless of their quality and quantity.

However, due to popular demand, we've decided to offer CPM-based advertising as well.

Along with our normal mode of operation, we are now introducing CPM bids in order to give you flexibility in managing your budget and controlling your expenses.

You can choose either the "Daily budget" or the "CPM" model in the simplified campaign creation interface.

You are free to use both models at the same time -- see the "Budget" tab in your campaign's settings.

CPM bids allow you to pay exactly what you want for the number of impressions that you want. Bids are paid upfront from the advertising campaign budget (it may take a few minutes before the bid changes its state to "Funded").

Please note that we do not guarantee the quality of the traffic that you receive -- we only ensure that you get the wanted number of impressions, generated by unique IP addresses within the scope of your advertising campaign.

Note that if the price of the traffic is higher than your bid, you may never receive your impressions. You can cancel your bid at any time and the remaining funds will be returned to your campaign (it may take a few minutes).