-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
hello community.
the user /u/Cipher0007 contacted us mods through the mod mail and
delivered proof that he is able to read private alphabay messages.
I have verified it by creating two new accounts, sending a message
between them, providing the user the message ID and he showed me
the content of it.
you can view his post here
https://www.reddit.com/r/DarkNetMarkets/comments/5pg8tn/highrisk_bugs_regarding_alphabay_marketplace/
the other mods have not chimed in on that issue but for now
I have done the following:
- make this stickied post
- replaced the alphabay addresses on the superlist with a
warning about this bug till it is resolved
- flaired and approved the original post by /u/Cipher0007
- changed the color of the stickied announcements to make
this bug more visible [because I tend to skip the two green
announcements often when I visit this sub since they are
usually the same every week]
if you want to verify the bug yourself please create THROWAWAY
accounts and send messages between them. otherwise everybody
could get the messages from anyone by simply posting the ID of
the desired messages without knowing how to exploit the bug.
update #1: the user also stated that he was able to dump the list
of hansa users. at the time of writing he has not delivered proof
for that but he said that he will look further into that issue.
the post will be updated if more details are available in that case.
update #2: alphabay response: https://www.reddit.com/r/DarkNetMarkets/comments/5ph0rz/alphabay_statement_on_pms_bug_fixed_now/
update #3: Cipher0007 provided us mods with a hansa vulnerability
that allows everybody to get a list of all hansa usernames. it has
been reported to hansa and a note has been added to the superlist.
you can verify the signature with my key here
https://www.reddit.com/r/DarkNetMarkets/wiki/pgp#wiki_.2Fu.2Fwombat2combat
this post will be updated in the future.
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
We have contacted the user and will report back soon.