Friday, December 29, 2017

The first stage of altcoins support at A-ADS

Altcoin support has been a recurring request from both our advertisers and publishers, due to the Bitcoin scaling issue, which resulted in steep transaction fees and increased transaction waiting times. This issue will probably be resolved in the future, but we must serve the present needs of our customers.

That's why starting today, the 29th of December, our advertisers can top up their accounts using the following altcoins:
  • Bitcoin Cash (BCH)
  • Ethereum (ETH)
  • Dash (DASH)
  • Litecoin (LTC)
There are a few things to keep in mind though:

First of all, your altcoin deposits will be converted to Bitcoin (BTC), which remains our primary currency; we are not going to forsake it.

Secondly, altcoin deposits carry a 3% conversion fee, and a further 0.5% fee is taken by our payment processor.

Thirdly, altcoin deposits won't be displayed until they are confirmed. Since we use a third party to accept altcoins, it may take additional time to process the payment after it receives the required number of confirmations (which depends on the currency).

We realize that altcoin withdrawals might be an even more important feature for publishers, and we plan to implement them as well.

The A-ADS team wishes you Merry Christmas and Happy New Year!

Friday, November 10, 2017

November 7th statistics aggregation failure incident

On the 7th of November one of our statistics aggregation routines failed. As a consequence, new ad units were not displaying paid ads and thus earned nothing during the last 2-3 days.


We've deployed a fix today and sent a compensation to cover the estimated missing income to the active ad units which were affected by the issue.

The compensated amount is reflected in the "Received from A-ADS" value of the ad unit's all-time financial stats table.

Dear owners of the new ad units, we apologize for the inconvenience this incident might have caused to you.

Tuesday, October 24, 2017

October 24th accounting database incident

Dear A-ADS users,

Due to a mishap related to our development process, we've lost some of the traffic statistics and accounting data for the past 18 hours. Here's how it will affect you.

Publishers

The information about your earnings and traffic for the past 18 hours has been wiped and is impossible to recover. In order to compensate you, we will lower our fee from 20% to 0% for the next four days, which means you'll be earning more to make up for the lost revenue.

A certain number of publishers who had withdrawals during this time period may see a negative or zero balance as a consequence of this incident. Please do not be alarmed; this is expected, and the problem will rectify itself in due time.

Advertisers

Advertisers will benefit from this incident: your spending for the past 18 hours will not be accounted for, which means your campaigns have received 18 hours' worth of free advertising (not reflected in the statistics) and will keep on running until they run out of the allocated budget.

The bottom line

We are terribly sorry for the incident and we'll take measures to avoid such problems in the future.

Wednesday, September 20, 2017

Bug Bounty Program at A-Ads

This article might be outdated. Please see the updated version here: https://a-ads.com/blog/2018-10-04-bug-bounty-program/


The security of our operations is our highest priority for many reasons: we're dealing with our clients' money, we must protect our partners' privacy, and we have our own reputation at stake. Whether you are a professional security researcher or just a beginner, we welcome your security reports. However, we'd love them to be useful and actionable, which is why we have certain recommendations in their regard.

  Security report guidelines:
  • Please provide the information on how the vulnerability you've discovered might be used both theoretically and practically, what its impact is, and all the pertinent details.
  • Please provide the exact steps on how the vulnerability can be exploited and how we can reproduce the issue ourselves. We'd love to see the demonstration of the attack which will not affect our existing users. You may create as many test user accounts as you need.
  • Please submit the bug report via our support channels (email or web site widget) but only after you've verified that it indeed works.
  • Use whatever language you prefer if you don't feel comfortable writing in English.
The monetary reward you'll be getting for your report is at our discretion. The reward will be paid in bitcoins. Please remember that we do not reward reports of the already known vulnerabilities listed below.

Also, if you're a security researcher reading this, please note that our SPF record is indeed valid and that we do not deem account deletion a security vulnerability.

Hall of fame

  • 2018-05-06 Ch Chakradhar (Spi3er) reported a catalog CSRF vulnerability ($30)
  • 2018-03-02 Waqar Vicky reported a number of issues and received a $100 bounty:
    • Password reset requests are not rate limited and can be used to perform a DoS attack
    • Our jQuery library is outdated and might be insecure
    • We allow extremely weak passwords at user registration
    • After logging off you can use a web browser back button to see previously opened web pages
    • After changing an email address other open sessions are not invalidated
  • 2017-12-10 Anonymous researcher reported a session termination vulnerability and earned $50.
  • 2017-11-22 Anonymous researcher reported a self XSS protection vulnerability - we don't consider it to be our vulnerability, but we may take measures to mitigate it in the future.
  • 2017-11-22 Anonymous researcher reported a tab open vulnerability and earned ~$100.
  • 2017-11-22 Anonymous researcher reported an SSL cookie vulnerability (investigating).
  • 2017-11-21 Anonymous researcher reported a minor issue related to the email change and earned a reward of ~$30.
  • 2017-11-16 Ch Chakradhar (Spi3er) reported a minor issue which made it possible to check the existence of a user by email and earned a reward of ~$30.
  • 2017-11-08 Anonymous researcher reported a vulnerability which gave him access to our staging database and to a third-party server which we used for monitoring and control. Thus he earned a reward of ~$500.
  • 2017-11-05 Ankit Bharathan reported a low-impact XSS issue in ad preview page and earned a reward of ~$50.
  • 2017-07-04 Jens Mueller (@jensvoid) responsibly reported a CORS misconfiguration vulnerability and earned a reward of ~$240.

Saturday, July 29, 2017

Our stance on Bitcoin forks

We believe that Bitcoin should be scaled both on-chain and off-chain. SegWit2X does both things and, despite the fact that it is not perfect, it has overwhelming support from miners and users.


We recognize only one Bitcoin: the one that has the most proof of work (mining power) behind it.

In the future we may decide to add support for a minority chain as well.

On the 1st of August, in order to mitigate the increased risk of blockchain re-orgs, we will require 6 confirmations for all deposits.

Monday, July 10, 2017

2017-07-05 incident report

Chronology


On Tuesday, July 04, we received a vulnerability report from Jens A Mueller (@jensvoid).

It appeared that our web server's Cross-Origin Resource Sharing (CORS) settings were misconfigured, which potentially allowed a third party to take over user accounts and perform a man-in-the-middle (MITM) attack. We fixed the reported vulnerability in less than 24 hours.

On Wednesday, July 05, one of our users reported on a public forum that his bitcoin address had been altered.


Initially we didn't attach much importance to it, but the following day we received a few similar reports and it became evident that something bad was happening.

On Thursday, July 06, we suspended our bitcoin withdrawals and asked our users via the site, Twitter, the forum and email to double-check their withdrawal addresses and contact us if they had been altered.


We received even more reports after that.

We spent lots of time trying to identify the problem and discovered that:
- some of our backup routines didn't work properly;
- we had lots of logs, but they were mostly useless and hard to analyze;
- we had a few security-related bugs that were unrelated to the problem.

Eventually we came to the conclusion that the problem was most likely caused by the CORS issue mentioned at the beginning of this post.

Scope

The vulnerability enabled an attacker (let's call him or her Alice) to access at least dozens of accounts belonging to users who visited her site while signed in at A-ADS.

Alice was probably able to collect the user names and emails of those users and alter any editable data in their accounts (e.g. withdrawal settings, emails and passwords). We don't know when she discovered this vulnerability or for how long she was exploiting it.

When Alice noticed that we had fixed the CORS issue, she hurried to profit from the access she had gained and altered the withdrawal addresses of the controlled accounts before their sessions expired.

She was careful enough to use unique IPs and bitcoin addresses, so we could identify neither her nor the exact number of hacked accounts.
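The post does not say which CORS setting was wrong. A common way such a misconfiguration arises is a server that echoes any request Origin back in Access-Control-Allow-Origin while also sending Access-Control-Allow-Credentials: true, which lets a site a signed-in user visits read authenticated responses. The following is an added illustration, not A-ADS's code, and the origins it uses are constructed sample values: it shows that reflecting pattern next to an exact-match allowlist, plus a small audit helper that reports which probe origins a given policy would grant credentialed reads to.

```python
# Exact origins (scheme://host[:port]) permitted to make credentialed
# cross-origin requests. Constructed sample values, not A-ADS's real config.
ALLOWED_ORIGINS = frozenset({"https://app.example.com", "https://admin.example.com"})

# Constructed probe origins an audit would try: one trusted, the rest not.
PROBE_ORIGINS = [
    "https://app.example.com",            # allowlisted
    "https://app.example.com.evil.test",  # look-alike host (prefix match trap)
    "http://app.example.com",             # wrong scheme
    "https://third-party.test",           # unrelated site
    "null",                               # sandboxed iframe / file: origin
]


def cors_headers_reflecting(origin):
    """Risky pattern: echo whatever Origin arrives and allow credentials.

    Any page a signed-in user visits can then read authenticated API
    responses, the kind of primitive the post says led to account takeover.
    """
    if origin is None:
        return {}
    return {"Access-Control-Allow-Origin": origin,
            "Access-Control-Allow-Credentials": "true",
            "Vary": "Origin"}


def cors_headers_allowlisted(origin, allowed=ALLOWED_ORIGINS):
    """Hardened form: exact string match against a fixed allowlist.

    No substring or regex matching, so neither the look-alike host nor the
    http:// variant passes; unknown origins get no CORS headers at all.
    """
    if origin is None or origin not in allowed:
        return {}
    return {"Access-Control-Allow-Origin": origin,
            "Access-Control-Allow-Credentials": "true",
            "Vary": "Origin"}


def origins_granted_credentialed_access(policy, probes):
    """Audit helper: list the probe origins a browser would let read
    credentialed responses under this policy. Browsers refuse '*' combined
    with credentials, so only an exact echo of the probe origin counts."""
    granted = []
    for origin in probes:
        h = policy(origin)
        if (h.get("Access-Control-Allow-Origin") == origin
                and h.get("Access-Control-Allow-Credentials", "").lower() == "true"):
            granted.append(origin)
    return granted
```

Running the audit helper against the reflecting policy grants every probe origin; against the allowlisted policy only https://app.example.com is granted.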

Aftermath

On Monday, July 07, we resumed the bitcoin withdrawals. We did it with mixed feelings because we still have more questions than answers.


According to our estimates, Alice was able to withdraw only a fraction of bitcoin, and we'll be able to cover it from our funds.

She may still control some of the accounts (if she managed to change their passwords) and profit from them. So if you haven't signed in for a while, please check your account and contact support in case of a problem.


We apologize to our users for this incident and thank them for their patience. We hope that the affected users will not stop bombarding our support with their messages until their issues get fully resolved. Unfortunately it may take a lot of time, and we apologize for that too.

We also thank Jens A Mueller for his invaluable help.

We feel that we have learned a valuable lesson, and we still have homework to do, but we would like to ask Alice and other hackers to refrain from attacking us in the future.

If you find any serious vulnerability, please send us a bug report with a proof of concept, as @jensvoid did, and we will pay you a bounty depending on the potential damage. It is the ethically correct thing to do and saves lots of time for both you and us.

Thursday, June 15, 2017

Introducing CPM bids - a new way to buy traffic at A-Ads

Unlike other advertising networks, we use neither JavaScript nor cookies in our banners, which means that our means of fending off fake traffic are limited. This is why we were reluctant to implement CPM and only offered a less traditional payment model, where advertisers spend money at a chosen pace and get a share of impressions regardless of their quality and quantity.

However, due to popular request, we've decided to offer CPM-based advertising as well.

Along with our normal mode of operation, we are now introducing CPM bids in order to give you flexibility in managing your budget and controlling your expenses.

You can choose either "Daily budget" or the "CPM" model in the simplified campaign creation interface.


You are free to use both models at the same time -- see the "Budget" tab in your campaign's settings.

CPM bids allow you to pay exactly what you want for the number of impressions that you want. Bids are paid upfront from the advertising campaign budget (it may take a few minutes before the bid changes its state to "Funded").



Please note that we do not guarantee the quality of the traffic that you receive -- we only ensure that you get the wanted number of impressions generated by unique IP addresses in the scope of your advertising campaign.

Note that if the price of traffic is higher than your bid, you may never receive your impressions. You can cancel your bid at any time and the remaining funds will be returned to your campaign (it may take a few minutes).

Monday, May 1, 2017

Withdrawal thresholds increase

In response to Bitcoin congestion problems, we have increased the minimum withdrawal threshold to 0.001 btc and the default withdrawal threshold to 0.002 btc.

These limits apply only to Bitcoin transactions. If you want to withdraw less than 0.001 btc, you can enable FaucetSystem in your withdrawal settings.

Friday, April 14, 2017

Micro-withdrawals via FaucetSystem

Since the beginning of 2017 we've been searching for ways to keep the withdrawal thresholds low despite the rise of bitcoin fees.

Recently we found a temporary solution to this problem: your satoshis can be withdrawn to FaucetSystem, a user-agnostic service that accumulates off-chain micro-transactions before sending them to your bitcoin address.

You can enable FaucetSystem in your user (or ad unit) settings. This option hides 'Withdrawal threshold' as irrelevant because FaucetSystem allows 1-satoshi transactions.

Disclaimer:

We believe that FaucetSystem is a legitimate service, but we can't guarantee the safety of the funds sent to it. Please use it at your own risk!

Wednesday, January 25, 2017

Bitcoin network congestion problems & withdrawal threshold increase

Bitcoin network congestion

It is well known that due to the temporary anti-DoS limit introduced by Satoshi Nakamoto in 2010, the current Bitcoin throughput is constrained to about 3 transactions per second.

With every difficulty increase it temporarily drops and then starts growing with miners' hashing power until the next difficulty adjustment.

That is why, on the 21st of January, after the expected 16.64% difficulty increase, many Bitcoin users faced higher bitcoin fees and longer transaction confirmation times. Tens of thousands of unconfirmed transactions still reside in the mempool.


It will probably take a few days for most of them to get confirmed. But the situation is going to become worse with every difficulty adjustment unless Bitcoin adoption stops or its throughput is increased.

Bitcoin scalability controversy


The Bitcoin community has been discussing the scalability problem for years and, despite having come up with a few potential solutions, has failed to find one that would satisfy everybody.

According to Nodecounter, about 17% of mining power is in favour of increasing the block size limit via the hard fork proposed by the Bitcoin Unlimited team, whereas 24% support SegWit, proposed by the Bitcoin Core developers. For some reason a compromise that would include the benefits of both solutions has not yet been reached.

This leaves us in the reality where a constrained Bitcoin throughput diminishes our ability to handle micro-transactions and forces us to keep users' money longer than we would prefer to.

Low value transactions

The problem with micro-transactions is that they take the same amount of block space as high value transactions, but it doesn't make economic sense to add high fees to them.

Hence they carry a relatively low fee, and in the current state of Bitcoin there is no guarantee that a low-fee transaction will ever be confirmed.

E.g. the recommended fee is currently 120 satoshi per byte and the average transaction size is 226 bytes, so if you want to quickly move 10000 satoshi, you have to pay a fee of 27120 satoshi.

In order to save block space we use hourly sendmany transactions to pay our users. This allows us to send money to multiple recipients in a single transaction. E.g. if there are 64 recipients, the transaction is only ~2309 bytes, or about 4329 satoshi per recipient (which is still extravagant for 10000 satoshi withdrawals).

That's why we use a small fee of 20 satoshi per byte (or 721 satoshi per recipient). It worked just fine until recently.
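As an added worked example (not from the original post), the fee figures above can be reproduced from the transaction sizes and fee rates the post quotes. The size estimator is the usual rule of thumb for legacy pay-to-pubkey-hash transactions (about 10 bytes of overhead, 148 per input, 34 per output); it gives exactly the 226-byte "average transaction" quoted above, but for a 64-recipient batch with a change output it estimates 2368 bytes rather than the ~2309 the post observed, so the post's own figure is passed in directly where it is checked.

```python
# Rule-of-thumb size of a legacy (pre-SegWit) pay-to-pubkey-hash transaction,
# in bytes: ~10 bytes of fixed overhead, ~148 per input, ~34 per output.
TX_OVERHEAD_BYTES, INPUT_BYTES, OUTPUT_BYTES = 10, 148, 34


def estimate_tx_size(n_inputs, n_outputs):
    """Approximate serialized size in bytes; 1 input + 2 outputs (payee and
    change) gives the 226-byte average transaction quoted in the post."""
    return TX_OVERHEAD_BYTES + INPUT_BYTES * n_inputs + OUTPUT_BYTES * n_outputs


def tx_fee(size_bytes, sat_per_byte):
    """Total fee in satoshi at a given fee rate."""
    return size_bytes * sat_per_byte


def per_recipient_fee(size_bytes, sat_per_byte, recipients):
    """Each recipient's share of a batched (sendmany) payout fee, rounded down."""
    return tx_fee(size_bytes, sat_per_byte) // recipients


def sendmany_per_recipient_fee(recipients, sat_per_byte, n_inputs=1, change=True):
    """Estimate the per-recipient fee of a batch from the rule of thumb above:
    one output per recipient plus an optional change output."""
    n_outputs = recipients + (1 if change else 0)
    size = estimate_tx_size(n_inputs, n_outputs)
    return per_recipient_fee(size, sat_per_byte, recipients)


def fee_share_percent(amount_sat, fee_sat):
    """Percentage of a withdrawal of amount_sat consumed by its fee share."""
    return round(100 * fee_sat / amount_sat, 1)
```

At 120 sat/byte a single 226-byte payment of 10000 satoshi costs 27120 satoshi in fees (271% of the amount), while the same 10000 satoshi paid out in a 64-recipient batch at 20 sat/byte carries a 721-satoshi share (about 7%).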

"Insufficient funds" incident

Yesterday we noticed that our bitcoin node couldn't create new transactions and returned "Insufficient funds" errors, despite the fact that the listaccounts command reported a sufficient balance on our account (unlike the getbalance and getinfo calls, which returned a negligible balance).

We investigated the cause of this inconsistent behaviour and found that all of our hourly outgoing transactions had got stuck after the latest difficulty increase, forming a long chain of unconfirmed transactions. Our bitcoin node refused to extend this chain and waited for the unconfirmed change to be confirmed instead.

Thanks to the ViaBTC pool for its transaction accelerator, which enabled us to push through the stuck transactions and thus temporarily solve the problem.

Really, thank you!

Withdrawal thresholds increase

Recently we increased the default withdrawal threshold to 0.0001 btc, but many users still had lower values in their settings.

Since they might be unaware of how expensive it could be for them to spend the received micro-amounts, we decided to increase their withdrawal thresholds to 0.00100001 btc (while allowing them to set it back to 0.0001 btc if they want to).
 
We still need to develop a long-term solution and may be forced to increase the minimum withdrawal threshold or the interval between transactions, or to add a withdrawal fee in the future.

Wednesday, January 18, 2017

A 10x increase of the default withdrawal threshold

Dear A-ads users,

For security reasons we don't want to keep your money for a long time. That's why once your earnings hit the configurable withdrawal threshold, we send them to your bitcoin address automatically (on a daily basis).

The default withdrawal threshold used to be BTC 0.0001 (10 thousand satoshi) but due to increased bitcoin transaction fees caused by the limited blockchain capacity we decided to increase it to BTC 0.001 (100 thousand satoshi).

You still have the ability to set the minimum withdrawal threshold to BTC 0.0001; however, you must keep in mind that if you want to receive many tiny transactions, it might be very expensive for you to spend them later. E.g. if your spending transaction has hundreds of inputs, it may require a fee of about $30 worth of bitcoins.

Despite our desire to withdraw funds as soon as possible, if bitcoin fees continue to rise we may be obliged to adjust our withdrawal policy.