If you’re a darknet vendor who has the skills to really test the security of marketplaces where you might hawk your wares, what do you do? Well, if you’re a vendor known as “Cipher0007” on reddit, and you find problems, you try to alert the marketplace, and then go public if they don’t respond promptly.
This week, a vendor using a throwaway identity revealed that he had found two high-risk bugs, and was letting everyone know because the AlphaBay marketplace did not respond promptly to tickets he had opened to warn them. In a reddit post, he explained:
Hi to all. I have opened a ticket to warn AlphaBay support regarding 2 high-risk bugs, without response. Now I have dumped all private messages of buyers and sellers, over 200k, with high-risk information: first/last names and addresses of users and tracking IDs of packages sent by sellers, and all users (id, nickname), over 1 million and 130k, of this market with these bugs.
For proof, any user can put the ID of a PM here and I will reply to you with the content of the PM.
In the end I would like to talk to the admins regarding this situation.
Same for Hansa: there is a bug to dump all users signed up, over 240k.
He also posted screenshots as proof, redacted by him.
In response to his post, a user tested his claim by providing a private message (PM) id number, and found it accurate.
AlphaBay responded with a statement, acknowledging the bugs:
We have been made aware of the bug that allowed an outsider to view marketplace private messages and we believe that the community has the right to be made aware of what information was obtained and what was done to mitigate the issue.
What did the attacker obtain?
1) Marketplace PMs not older than 30 days, up to ID 2609452. IDs are not always sequential, as 218,000 messages were obtained. *** Conversations that did not receive a message in the last 30 days were not affected, as they were automatically purged. ***
2) List of user IDs + username (nothing more).
What steps have been done?
The attacker was paid for his findings, and agreed to tell us the methods used to extract such information. Our developers immediately closed the loophole in order to protect the security of our users.
Anything else?
No other information was obtained. All your forum PMs, order information, BTC addresses, etc. are safe. Only recent (less than 30 days) PMs were obtained.
What to do now?
No action is required from anyone, but we remind everyone to ALWAYS ENCRYPT SENSITIVE INFORMATION such as addresses, BTC addresses, tracking numbers, etc. Thanks to everyone for being a loyal customer, and to apologize to the community we will be offering a 20% discount on Escrow fees for the next week on all marketplace orders.
This was the second breach involving the marketplace’s PMs in less than one year.
DataBreaches.net contacted Cipher0007 to ask more about the bugs and AlphaBay’s response, as well as the Hansa marketplace bug mentioned in the warning post.
In a series of private messages, Cipher0007 explained that the bug was in the system that manages private messages, and that it would be hard to find evidence of it in logs because the relevant data is sent in POST request bodies rather than GET query strings, which ordinary web server logs do not record.
Because manually bypassing AlphaBay’s dual captcha (the anti-DDoS challenge and the login/register captchas) made extracting the PMs slow, Cipher0007 said he coded a bot to extract all the data: “I executed it on my 10 VPS to dump the data in sync, all of this silently.”
So there were four bugs that Cipher0007 identified, as he described it:
2 bugs to bypass the challenge captcha and the captcha of the whole market, a real bypass, not an anti-captcha service.
1 bug to dump all users registered since the market opened, from 0 to 1135000 users, but only IDs and usernames.
1 bug to dump all PMs, over 218000; in these PMs is all the info of customers, sellers, moderators and admins.
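As an added illustration of the detection problem Cipher0007 describes (this is not code from the article, from AlphaBay or from Cipher0007): when the PM identifier travels in a POST body, a standard access log records only the endpoint, so a defender is left with request volume per client as the signal, and at the application layer with reads by users who are not party to a message. The endpoint path, the log lines and the event tuples below are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Combined-format access-log line: client, timestamp, method, path, status.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    client, ts, method, path, status = m.groups()
    return client, datetime.strptime(ts, TS_FMT), method, path, int(status)

def flag_bulk_pm_reads(lines, endpoint="/pm/view", window=timedelta(minutes=1), limit=50):
    """Clients with more than `limit` successful POSTs to the PM endpoint in any `window`.
    The PM id sits in the POST body and never reaches the log, so volume is the only signal."""
    per_client = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec[2] == "POST" and rec[3] == endpoint and rec[4] == 200:
            per_client[rec[0]].append(rec[1])
    flagged = set()
    for client, times in per_client.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # slide the window forward
                start += 1
            if end - start + 1 > limit:
                flagged.add(client)
                break
    return flagged

def flag_foreign_pm_reads(events):
    """Application-layer audit: events are (requester_id, pm_id, participant_ids).
    Returns the reads where the requester is not a party to the message."""
    return [(u, pm) for u, pm, parties in events if u not in parties]

def sample_log():
    """Constructed log: a bot reading 120 PMs in 40 s, and an ordinary user reading 5 in 20 min."""
    base = datetime(2017, 1, 17, 10, 0, 0, tzinfo=timezone.utc)
    lines = []
    for i in range(120):
        ts = (base + timedelta(seconds=i // 3)).strftime(TS_FMT)
        lines.append(f'10.0.0.5 - - [{ts}] "POST /pm/view HTTP/1.1" 200 2311')
    for i in range(5):
        ts = (base + timedelta(minutes=4 * i)).strftime(TS_FMT)
        lines.append(f'10.0.0.9 - - [{ts}] "POST /pm/view HTTP/1.1" 200 1987')
    return lines
```

Running `flag_bulk_pm_reads(sample_log())` flags only the bot client; the volume threshold needs tuning per site, and the application-layer check is the one that catches a slow, low-volume reader.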
Surprisingly, perhaps, Cipher0007 states that he was not contacted by anyone offering to buy the PM data. He also tells DataBreaches.net that he deleted all the data from his HD, “but I have only the last copy, encrypted in a secure place.”
As to the Hansa bug, Cipher0007 informs DataBreaches.net that he acquired a list of 240k users. For that bug, he received 1 BTC from the marketplace, which he claims was donated to the Tor Project. He was not willing to reveal how much AlphaBay paid as a bounty, but says he was satisfied with the amount.
So a darknet vendor, who claims that in other parts of his life he is a coder, pentester, and administrator, found bugs and took the high road when it came to protecting other vendors and buyers. Even on the darknet, there is responsible disclosure, it seems.
This is not the first time Cipher0007 has found and reported bugs, and he tells DataBreaches.net that he will have other revelations in the future.