There are a few good lessons that can be learned here:
- If you’re going to run any sort of site with user accounts, ongoing earnings, prizes, etc., or anything that converts to or relates to real monetary value, then I’d recommend not building it on a stock open-source platform (e.g. Joomla). Where there’s money involved, you’ll quickly attract attackers.
- Don’t do any sort of value-related calculations client-side and then accept the result back via a form POST. Anyone with an intercepting proxy (Charles, for example) can rewrite the request body before it reaches the server and get rich quick. The server has to recompute the amount from its own records, not from anything the browser sends.
- Get your site a proper security audit from an outfit like security-assessment.com. It can cost a few grand, but compared with an embarrassing mess like this one, I’d say it’s money well spent.
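As an added example (not code from the original post or the site it describes), here is the client-side calculation problem in miniature: a constructed points-for-tasks form where the browser posts its own total, the same request after being edited in a proxy, a half-fix that recomputes from the posted task names but still trusts them, and a hardened version that takes nothing monetary from the form at all. The task names, values and user records are assumptions made up for the example.

```python
"""Added example: why a server must never trust client-computed value.

Constructed scenario, not from the original post: the site awards points
per completed task. The vulnerable form posts the total the browser
computed; an attacker with an intercepting proxy (Charles, Burp, ...)
edits that total, or the task list, before the request reaches the server.
"""
from urllib.parse import parse_qs

# Server-side value table: the only trustworthy source of what a task is worth.
TASK_VALUES = {"survey": 5, "referral": 20}

# Server-side record of what each user has actually completed (constructed).
COMPLETED_TASKS = {"alice": ["survey", "survey"]}

# What the browser legitimately sends for alice (constructed).
HONEST_POST = "task=survey&task=survey&total=10"

# The same request after the attacker rewrote it in the proxy (constructed).
TAMPERED_TOTAL_POST = "task=survey&task=survey&total=1000000"
TAMPERED_TASKS_POST = "task=referral&task=referral&task=referral&total=60"


def vulnerable_credit(user, post_body):
    """Trusts the 'total' field the browser computed. Any edit in the proxy wins."""
    form = parse_qs(post_body)
    return int(form["total"][0])


def half_fixed_credit(user, post_body):
    """Recomputes the total server-side, but from task names the client chose.

    This stops the edited 'total' field, yet an attacker can still claim
    tasks they never did, so it is not a fix.
    """
    form = parse_qs(post_body)
    claimed = form.get("task", [])
    for task in claimed:
        if task not in TASK_VALUES:
            raise ValueError(f"unknown task {task!r}")
    return sum(TASK_VALUES[task] for task in claimed)


def hardened_credit(user, post_body):
    """Ignores every value-bearing field in the form.

    The user comes from the authenticated session and the earnings are
    computed purely from what the server itself recorded as completed.
    The form at most triggers the action; it contributes no numbers.
    """
    done = COMPLETED_TASKS.get(user, [])
    return sum(TASK_VALUES[task] for task in done)


def compare(user):
    """Runs all three handlers over the honest and tampered requests."""
    return {
        "vulnerable_honest": vulnerable_credit(user, HONEST_POST),
        "vulnerable_tampered": vulnerable_credit(user, TAMPERED_TOTAL_POST),
        "half_fixed_total_tamper": half_fixed_credit(user, TAMPERED_TOTAL_POST),
        "half_fixed_task_tamper": half_fixed_credit(user, TAMPERED_TASKS_POST),
        "hardened_total_tamper": hardened_credit(user, TAMPERED_TOTAL_POST),
        "hardened_task_tamper": hardened_credit(user, TAMPERED_TASKS_POST),
    }


if __name__ == "__main__":
    for name, value in compare("alice").items():
        print(f"{name:>24}: {value}")
```

The point of the half-fixed variant is that "recompute on the server" is necessary but not sufficient: if the inputs to the recomputation (task names, unit prices, quantities) still come from the request, the attacker simply tampers with those instead. Only the hardened handler, which derives the amount from state the server wrote itself, gives the same answer no matter what the proxy sends.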
I’m interested to see what will ensue.