Empire Market. LOL.

Just making sure the people here stay safe.

For anyone who read the news of this new market. Such incompetence.

In less than 15 minutes after registering to this market I was able to easily get access to their full database of profiles, as well as some leaked system configuration (Server engine, its version and Operating system).

Basic error handling issues:

https://cdn1.imggmi.com/uploads/2018/2/4/80239348b6b59d46ac7a357aacf4c648-full.png

Configuration leak:

https://cdn1.imggmi.com/uploads/2018/2/4/2bd03c252aea00ff063db18518d7d219-full.png

There is no CSRF protection for forms related to funds withdrawal. This is a crucial security flaw.

To add an insult to injury, I managed to get access to all conversations sent between users.

Even tho there are barely any, but still this is a crazy security breach.

Here's the list of their current users as I grabbed.

Sydney

Administrator

Admin

DeSnake

Moderator

alpha02

DreadPirateRoberts

johndoe

NiggaIm300

Lorenzo

fixer

reqwa

alphabay

martin

elf

EmpireMarket

empire

Zeus

test121

DeepMeds

Billz226

penissmith

penisschmidt

FuckYourPlug

Moderation

T666

EmpireSupport

CustomerSupport

swisscheesecaveman

theturtleinasuit

TechnicalAdmin

fives

cookie

administrator

killuminati23

userunknown99

killphisher666

killuminati

PandaPro

onlooker

beta02a

Bitch

timtimtim

tesla450

midroach

fruitrockz

Drago

engineer

Uljanov0905

vladistar

DrunkDragon

fuckyou

kivley

BobTheDog

dadsadsa

rail

Bud

plasticSHOCKSm

thecat

supercanuck

CanadianConnect

Green

Spritex

mihilyf

onlooker

plaguedoctor

tripking

KingCookieMonster

In short, these guys are noobs when it comes to DN stuff. I'm sure if I spent more time I'd find much more vulnerabilities.

If you want to put your life in jeopardy, this would be a good place to start.


Comments


[61 Points] ForLol_Serious:

I bet you can't steal all their monies


[21 Points] ChewySpell:

Running Apache via CentOS and only one host link. Jesus fuck, who created this site? A 12 year old?


[22 Points] bridgedparsec:

Proof of your access to user messages? Pics or it didn't happen, grabbing usernames when they're IN ORDER in the URL is no "hack"...


[19 Points] EmpireMarket:

First off, most things in this post ARE COMPLETELY WRONG. There was no "hack". We are definitely not using Apache. Furthermore, your server configuration leak is also incorrect.

Yes you got the list of users simply from the URL. They are in sequence so you can just plug numbers in to get to the next user.

There is also CSRF protection. Each form has a token to prevent attacks.

To sum up, simply grabbing the usernames from the URL isn't a hack. There is also no server configuration leaks. We have good security. Keep pen testing. I love it. Please PM us anything else you find here so we can check on it.


[14 Points] fuckyourplugdnm:

Hey I made the list!

Glad I didn't use any real info on there just messed around for a few seconds


[11 Points] Raverdewd2018:

alpha02 DreadPirateRoberts

Looks like the US government lied!! Cazes didn't kill himself and Ross is not in prison.


[7 Points] moneystaxxx:

they even have a facebook page


[6 Points] dnm_vet_newacct:

Someone should find a way to seek their IP leak and track their server address, then RAID their IRL shit.

Must be middleschool kids that think they are the shit and slowly learning code but in all the wrong ways


[5 Points] TripKing153:

Fuck me I shouldn't have even registered my name is in the list. I always register at new markets never again though thanks OP. By my name being on the list do you thing this poses an OPSEC risk for me???


[4 Points] BelizeTourismOffice:

DreadPirateRoberts

Why am I on there? I don't even know about Empire Market.


[3 Points] TreyWait:

Cut and paste coding=disaster


[2 Points] billybob124687:

Why is my name not there? Incomplete list?


[2 Points] gruzev:

Never read such bullshit. If your intention is to make people laugh about you. Congrats you made it !!

Just because you set the header to Apache (Cent OS) doesnt mean you are actually using an apache server. Its definitely not an apache server. I've scanned this site before and they set it to "Apache Helicopter" like 3-4 weeks ago, LOL. Well I cant say how much you've blamed yourself. Wondering how you can still live with yourself.

What you did is literally possible with every market and is not related to any "hack" or "leak" or whatever you would like to call it. Nobody cares if you know the username of those people. Most of them are registered on forum either. So its not a big deal actually.

Also those 2 images you've posted don't say anything. A simple typo like that is not a "bug" and by the way thanks for those images. You were stupid enough not to purge your metadata from those images. I now know where you are and have lots of information about your system. If i want i could damage your system once you log back in to the internet. This proves you are like a 10 year old kiddy trying to get attention because you've just learned how to use programs similar to nikto/uniscan etc. This whole post just makes you look stupid as fuck LOL.

Next time better leave it and don't screw yourself up that badly. Not more than a joke lol.


[1 Points] plague666doctor:

Hey sweet im on there (:


[1 Points] RecentBoard:

Admin said he fixed it: latest regisrted users:

jayman34, JustTesting, franktank, Tmd18625, memebigboi, whitevanman,

Liar liar liar liar

LOL good market!!!


[1 Points] ForLOLSerious:

Drago

Doh! You got me.


[1 Points] Dojadoja13672:

Lol


[1 Points] artfu1:

"if you want to put your life in jeopardy?

the fuk is that about? lol


[1 Points] spergnmerbles:

Can’t there just be a well oiled, non ddosed monero centric market far away from LE and hackers and shit talking weebs, where everyone doesn’t get stabbed in the back and mods are responsive and packages are shipped the day you order them.

Imagine that.


[1 Points] OdysseyAdmin:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

My market got hacked and even I did not do the stupid mistakes that this Empire market did lol
-----BEGIN PGP SIGNATURE-----

iQEzBAEBCgAdFiEEtNbjJUfTGfouYjmmduHJQwRd05IFAlp3c+MACgkQduHJQwRd
05LLxwf/Wrlzb8EYjXtDMqVOaMeEq/J5RZbydGP6GfKg8sWUVszA+i8FrB4SObRO
FOkJgoYXLKPpLUpB+igGPLhuwAGJ2Kzt9aiBxcJUZmp3KRURanU35Lz2O83c9HTN
q+i7EEuOBduzl/51sZyQA+Bp7Vzi7R6X5xQOkTWh1smSEq+egEy4IfhxARh0Ax1/
0sZgBKr6vG116lAMRC0kYfEPGy5iD7Ah7PJEQLBt2BFKHsDoVeHWc287aqqONUAp
1eyEMzkkrgnibFJHi2ty9f1m9eSgfxdWveimR9tpZmt9jX7aqDu6Kd1GVmnTEqAW
uVjuk0Wm+XSZz2UXoltsLSrdZFMmfA==
=ky2I
-----END PGP SIGNATURE-----


[1 Points] SteadySupplies:

https://cdn1.imggmi.com/uploads/2018/2/4/80239348b6b59d46ac7a357aacf4c648-full.png

This is what you get when you change your password to something long with special characters.

Possibility of SQL injection?


[-1 Points] EmpireMarket:

This issue has been fixed. You can no longer get the list of users from the URL.