To vendors and market admins, regardless of which market you use or operate: please make sure to read the second part of this post too.
Part 1: Small issue with username sanitizing
Affected markets: Acropolis and DHL, plus two other markets that accept the same characters but on which the bug is not exploitable.
Note: I only tested the markets listed on the superlist, not others and not the ones under the warning section at the bottom.
The issue: Some time ago this article was published about a problem that has existed for years. It explains how similar-looking but different characters in URLs can be used to phish users.
Quoting from the linked article:
Many Unicode characters, which represent alphabets like Greek, Cyrillic, and Armenian in internationalised domain names, look the same as Latin letters to the casual eye but are treated differently by computers, with a completely different web address.
For example, Cyrillic "а" (U+0430) and Latin "a" (U+0041) are both treated differently by browsers but are displayed as "a" in the browser address bar.
In light of the recent market issues reported by Cipher0007 and HugBunter, I decided to play around a bit with these confusable Unicode characters on DNMs.
The first part of this post deals with exploiting these similar-looking characters to register accounts that appear to be official market accounts. So I tested whether the markets allow users to register with such characters by trying to register the name 'аdmin'. While this looks like the normal account name admin, which should be reserved on every market, it is not, since it uses the Cyrillic "а" (U+0430) instead of the Latin "a".
The markets mentioned above did not limit usernames to alphanumeric characters, as they should (allowing a few other characters such as dashes and underscores is also fine). So I was able to register an official-looking account, which could be used for a phishing attack. However, Acropolis and DHL also have flairs/visual differences between buyer, vendor and market staff accounts, which make such a phishing attack harder.
Current situation: I asked the other mods to verify the vulnerabilities by logging into throwaway accounts on the affected markets, which received a message from the fake admin account. After that I reported the issues to support and published this post. No warnings have been added to the superlist, as this is not critical and the danger is not that high given the user flairs on the markets.
Part 2: OpSec heads up
The other issue: These similar-looking Unicode characters can also be used in messages on (probably) all markets. It makes little sense to filter them, since they are used by people who write in their first language, which legitimately contains these characters.
However, they can also be used to send malicious links, as explained in the article linked at the beginning. A concrete example is law enforcement creating an account on a market and becoming a regular customer of a vendor.
After gaining some trust with test purchases, they send, for example, a privnote link. The difference is that it does not lead to the real privnote site but to a malicious look-alike copy, e.g. 'privnotе.com/message1234', which contains the Cyrillic small letter ie (U+0435) instead of the Latin e.
As described in the punycode section of the article, they just have to register the look-alike domain and set up a privnote clone that serves malicious JavaScript. The vendor or market staff member would see a site that looks exactly like the real one, with a seemingly correct URL in the address bar. One caveat: Firefox only renders a domain label in Unicode when its characters come from a single script (or one of a few permitted combinations), so a label that mixes Latin and Cyrillic letters, like the one above, is already shown in its xn-- punycode form in the address bar; an attacker who wants the address bar to look right has to build the whole label from one script's look-alike letters. The link text inside a message, however, is displayed exactly as the sender typed it, so the message itself still looks legitimate.
Market staff could also potentially be de-anonymized by being sent a link to a fake tracking page in a dispute.
Note: this does not work for hidden service links, as .onion names can only contain the digits 2-7 and the letters a-z (the base32 alphabet).
Threat: The attack is not the most elegant or sophisticated one, but it could be used to make high-profile users execute JavaScript without the attacker having to take over a market and without the targets getting suspicious. Malicious JS has been used several times in the past to successfully de-anonymize Tor users.
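To make both halves of this post concrete, here is an added Python example (my own, not code from the original post or from any market). It shows the kind of username policy Part 1 calls for, rejecting 'аdmin' while accepting 'admin', and, for Part 2, a check that classifies the script of every character in a hostname label and computes its punycode form, which is what the address bar shows once look-alike display is turned off. The sample username and link are constructed from the examples in this post; the exact username regex is an assumption about what a market would adopt.

```python
"""Homoglyph checks for look-alike usernames (Part 1) and look-alike links
in messages (Part 2). Added example, not code from the original post."""
import re
import unicodedata
from urllib.parse import urlsplit

# Constructed samples taken from the post. The look-alike letters are
# U+0430 (Cyrillic small a) and U+0435 (Cyrillic small ie); both render
# like their Latin counterparts.
FAKE_ADMIN = "\u0430dmin"
FAKE_PRIVNOTE = "https://privnot\u0435.com/message1234"
REAL_PRIVNOTE = "https://privnote.com/message1234"

# Part 1: an assumed username policy admitting only ASCII letters, digits,
# '-' and '_'. Cyrillic letters fall outside the ASCII ranges, so "аdmin"
# is rejected while "admin" is accepted (and can then be reserved).
USERNAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9_-]{2,31}$")


def is_valid_username(name: str) -> bool:
    return USERNAME_RE.fullmatch(name) is not None


# Part 2: classify scripts per character and compute the xn-- form of each
# hostname label, i.e. what Firefox shows with network.IDN_show_punycode=true.
def script_of(ch: str) -> str:
    """Script family of one character, taken from its Unicode name."""
    first = unicodedata.name(ch, "UNKNOWN").split()[0]
    # Digits, hyphen and full stop are script-neutral ("COMMON").
    return first if first in ("LATIN", "CYRILLIC", "GREEK", "ARMENIAN") else "COMMON"


def scripts_in(label: str) -> set:
    return {script_of(c) for c in label} - {"COMMON"}


def to_ascii_label(label: str) -> str:
    """ASCII (xn--) form of a single label; pure-ASCII labels pass through."""
    return label.encode("idna").decode("ascii")


def analyze_url(url: str) -> dict:
    """Per-label findings for the hostname of url: scripts, punycode, flags."""
    host = urlsplit(url).hostname or ""
    findings = []
    for label in host.split("."):
        if not label:
            continue
        scripts = scripts_in(label)
        findings.append({
            "label": label,
            "ascii": to_ascii_label(label),
            "scripts": sorted(scripts),
            "non_ascii": not label.isascii(),
            "mixed_script": len(scripts) > 1,
        })
    return {
        "host": host,
        "labels": findings,
        # Any non-ASCII label deserves a manual look before clicking.
        "suspicious": any(f["non_ascii"] for f in findings),
    }


def punycode_host(url: str) -> str:
    """The hostname as the address bar shows it with punycode display enabled."""
    return ".".join(f["ascii"] for f in analyze_url(url)["labels"])


if __name__ == "__main__":
    for name in ("admin", FAKE_ADMIN):
        verdict = "accepted" if is_valid_username(name) else "rejected"
        print(f"username {name!r}: {verdict}")
    for url in (REAL_PRIVNOTE, FAKE_PRIVNOTE):
        report = analyze_url(url)
        print(f"{report['host']} -> {punycode_host(url)}  suspicious={report['suspicious']}")
        for f in report["labels"]:
            if f["non_ascii"]:
                print(f"  label {f['label']!r} uses {f['scripts']}, mixed={f['mixed_script']}")
```

Running it shows 'аdmin' rejected and the fake link's host rendered as xn--privnot-ehg.com, which is exactly the form a reader sees in the address bar after the about:config change described further down. The script check only uses the first word of each character's Unicode name, which is enough to tell Latin from Cyrillic, Greek and Armenian; a production filter would use a proper confusables table.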
How you can protect yourself:
Unfortunately, Firefox (and therefore the Tor Browser, which is based on it) will not change its default to show punycode instead of the decoded Unicode in the address bar. So here is what you can do:
Easiest:
Type about:config in the address bar and press Enter. Then type punycode in the search bar. The settings list will show the preference network.IDN_show_punycode; double-click it, or right-click and select Toggle, to change the value from false to true. Internationalised domains will then appear in their xn-- form in the address bar instead of as look-alike letters.
Other:
Set the security slider in the Tor Browser to High (which disables JavaScript), as explained at the top of this page.
When in doubt you can always type in the link (or at least the domain) manually. For example, if you get the link privnotе.com/message1234, open a new tab, type in privnote.com yourself and then copy/paste the rest of the link after it.
Impressive work