Pandora.. security issues?

Logged into my Pandora account today, checking on the status of an order. Lo and behold, somehow my order had been finalized... and I wasn't the one to do it.

Interestingly, the "feedback" was a link to a new market. BigShop. I suspect a scam.

The password I use is unique to that site, and I run Tails in a VM and log it out once I'm done.

Can I say, unequivocally, that the order was finalized by someone else? Yes, definitely. I didn't finalize that order, and I definitely didn't leave feedback with a link to "BigShop".

Can I say that the breach was on the Pandora side, or on my desktop? No I can't. But I'm damn sure changing passwords on everything.

<soapbox> Interestingly, in discussing things with Pandora's English-speaking support, I discovered that they have no way to actually track an order - rather, they can't see the order's history: who modified the order, when it was changed, its history, etc.

I work in IT, and have about 14 years of experience working with Linux, the web and "eCommerce" sites. While I'm by no means an expert, I do find it worrisome just how opaque the order history is from an administrative standpoint.

If they can't track order manipulation, what else can't they track? Withdrawals and deposits, we already know (at least from a user perspective), give no history... what about failed logins? Fuzzing and SQL injection, session hijacking and other "black hat" activity?

Probably not.

While I realize that Pandora is new, as are most markets, it seems to me that there are some pretty big holes here.

It actually makes me wonder, how important is security to not just Pandora, but other markets? We've seen markets before that burst onto the scene with much promise, only to go tits up months later after someone has successfully gotten in and stolen everyone's BTC.

What about it, marketplace developers? How many of you guys out there do rudimentary testing on your code and systems? Are you at least attempting to develop to OWASP (https://www.owasp.org/index.php/Main_Page) standards? Are you embedding passwords to databases in your code? Is your database even password protected? Are you running even simple pen-tests (even packaged Metasploit stuff?) against your own code before you roll it into production?

I love the fact that there are many new markets. I really do. But I wonder how many of them will wind up like Sheep.

I'm not judgin', I'm just sayin'

</soapbox>
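To make concrete what the "order history" asked for above would have to contain, here is an added example (my own code, not Pandora's, and nothing is known about how Pandora stores orders): an append-only, hash-chained audit trail that records who performed each order action, when, and from which login session, plus failed logins. The actors, roles, order IDs, session IDs and timestamps are constructed sample data, and the role-to-action table is an assumption for illustration.

```python
"""Append-only, hash-chained audit trail for marketplace order actions.

Added example; not Pandora's code. Roles, action names and the sample
events in demo() are assumptions/constructed data for illustration.
"""
import hashlib
import json
from dataclasses import dataclass, asdict, replace

GENESIS = "0" * 64  # prev_hash of the very first event

# Which role may perform which action (assumed policy, not Pandora's).
ALLOWED = {
    "create": {"buyer"}, "ship": {"vendor"}, "finalize": {"buyer"},
    "feedback": {"buyer"}, "login_failed": {"buyer", "vendor", "staff"},
}


def permitted(actor, action):
    """Actors are 'role:name'; return whether that role may do the action."""
    return actor.split(":", 1)[0] in ALLOWED.get(action, set())


@dataclass(frozen=True)
class AuditEvent:
    seq: int          # position in the log; must match list index
    ts: int           # unix seconds, supplied by caller (keeps demo deterministic)
    order_id: str     # "" for events not tied to an order (login failures)
    actor: str        # e.g. "buyer:alice", "vendor:bob", "staff:carol"
    session_id: str   # the login session that performed the action
    action: str
    detail: dict
    prev_hash: str    # hash of the previous event; chains the log
    hash: str         # sha256 over every field above


class AuditLog:
    """Each event commits to the previous one, so edits to old rows show up."""

    def __init__(self):
        self._events = []

    @staticmethod
    def _digest(body):
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def append(self, ts, order_id, actor, session_id, action, detail=None):
        if not permitted(actor, action):
            raise PermissionError(f"{actor} may not {action}")
        body = {"seq": len(self._events), "ts": ts, "order_id": order_id,
                "actor": actor, "session_id": session_id, "action": action,
                "detail": detail or {},
                "prev_hash": self._events[-1].hash if self._events else GENESIS}
        ev = AuditEvent(**body, hash=self._digest(body))
        self._events.append(ev)
        return ev

    def history(self, order_id):
        """Everything that ever happened to one order, in order."""
        return [e for e in self._events if e.order_id == order_id]

    def sessions_for(self, order_id):
        """Distinct login sessions that touched the order: the OP's question."""
        return sorted({e.session_id for e in self.history(order_id)})

    def failed_logins(self, actor, since_ts):
        return sum(1 for e in self._events
                   if e.action == "login_failed" and e.actor == actor and e.ts >= since_ts)

    def verify(self):
        """Recompute the chain; False if any row was altered, removed or reordered."""
        prev = GENESIS
        for i, e in enumerate(self._events):
            body = asdict(e)
            body.pop("hash")
            if e.seq != i or e.prev_hash != prev or self._digest(body) != e.hash:
                return False
            prev = e.hash
        return True

    def tamper(self, seq, **changes):
        """Simulate someone editing a stored row in place (demo only)."""
        self._events[seq] = replace(self._events[seq], **changes)


def demo():
    log = AuditLog()
    for t in (900, 950, 990):                       # constructed: three bad logins
        log.append(t, "", "buyer:alice", "", "login_failed")
    log.append(1000, "ord-1", "buyer:alice", "sess-A", "create", {"item": "widget"})
    log.append(1100, "ord-1", "vendor:bob", "sess-V", "ship")
    # Finalize and feedback arrive from a session alice never opened.
    log.append(1200, "ord-1", "buyer:alice", "sess-X", "finalize")
    log.append(1201, "ord-1", "buyer:alice", "sess-X", "feedback", {"text": "see BigShop"})
    result = {
        "actions": [e.action for e in log.history("ord-1")],
        "sessions": log.sessions_for("ord-1"),
        "failed_logins_since_950": log.failed_logins("buyer:alice", 950),
        "chain_ok_before": log.verify(),
    }
    log.tamper(5, session_id="sess-A")  # attacker rewrites who finalized
    result["chain_ok_after"] = log.verify()
    return result


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

With a trail like this, support could answer the question in the post directly: the finalize came from session `sess-X`, not the session that placed the order. The chain only helps against after-the-fact edits if the latest hash is periodically copied somewhere the database owner cannot quietly rewrite.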


Comments


[2 Points] doublemintt:

Oohhh killlem.

But on a serious note. You are totally correct. I'd like to see someone take pride in their work. Ya know? Put out the best code you can. Know you are the best and you have the best market. Boom. Winner.

No one has any pride anymore. Just a bunch of scammy bitches.


[3 Points] KnightOTS:

Pandora won't let me, and a lot of other people from what I've seen on the forums, log in; most are right after a person makes a purchase. A new account works just fine, but an hour after my purchase I can't log in.


[3 Points] Gabralkhan:

I can't say how happy I am to see this subject of hacking and DarkMarket security come to the table.

I don't know about Pandora personally, so I won't speculate about it, but for sure it does not seem to be good news.

As someone passionate about computer security, I totally agree with you: a lot of DarkMarkets seem not to understand the real threat of hacking and SQL injection, and totally underestimate their security issues and the flaws that can be exploited.

Ultimately, some provisional solutions have been adopted by some of them to limit the risk of a hack, like manual review of all withdrawals, but I don't know if it is really a long-term solution for a DarkMarket with high activity.

Those are some damn good questions you are asking there.

I really would like these questions to be on every DarkMarkets developer's and owner's mind.

On a side note, I ran the investigation into the SM "hack" and then "scam" here on Reddit, so I'm perhaps a little bit partial in my point of view. I strongly think the SM hack was real, and even if in the end it was also a scam by the owner, it should have been a big warning to all the DarkMarkets: security issues should not be underestimated...


[1 Points] None:

[deleted]


[0 Points] shitstormy:

Pandora was opened by staff from Project Black Flag, which was the 2nd cut-and-run scam site to hit. What did you expect?