Logged into my Pandora account today, checking on the status of an order. Lo and behold, somehow I'd had my order finalized... and I wasn't the one to do it.
Interestingly, the "feedback" was a link to a new market. BigShop. I suspect a scam.
The password I use is unique to that site, and I run Tails in a VM and log it out once I'm done.
Can I say, unequivocally, that the order was finalized by someone else? Yes, definitely. I didn't finalize that order, and I definitely didn't leave feedback with a link to "BigShop".
Can I say that the breach was on the Pandora side, or on my desktop? No I can't. But I'm damn sure changing passwords on everything.
<soapbox> Interestingly, in discussing things with Pandora's English-speaking support, I discovered that they have no way to actually track an order - rather, they can't see the order's history - who modified the order, when it was changed, its history, etc.
I work in IT, and have about 14 years of experience working with Linux, the web and "eCommerce" sites. While I'm by no means an expert, I do find it worrisome just how opaque the order history is from an administrative standpoint.
If they can't track order manipulation, what else can't they track? Withdrawals and deposits we already know (at least from a user perspective) give no history... what about failed logins? Fuzzing and SQL injection, session hijacking and other "black hat" activity?
Probably not.
While I realize that Pandora is new, as are most markets, it seems to me that there are some pretty big holes here.
It actually makes me wonder, how important is security to not just Pandora, but other markets? We've seen markets before that burst onto the scene with much promise, only to go tits up months later after someone has successfully gotten in and stolen everyone's BTC.
What about it, marketplace developers? How many of you guys out there do rudimentary testing on your code and systems? Are you at least attempting to develop to OWASP (https://www.owasp.org/index.php/Main_Page) standards? Are you embedding passwords to databases in your code? Is your database even password protected? Are you running even simple pen-tests (even packaged Metasploit stuff?) against your own code before you roll it into production?
I love the fact that there are many new markets. I really do. But I wonder how many of them will wind up like Sheep.
I'm not judgin', I'm just sayin'
</soapbox>
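The thing the post says Pandora's support could not produce (who changed an order, from which session, when, and whether any failed logins preceded it) is an ordinary audit trail. As an added illustration, not code from the poster, from Pandora or from any market, here is the minimal shape of one: the order change and its audit row are written in the same transaction so they cannot disagree, and a support person can then answer "was it my session that finalized this?" from the history alone. The schema, table names, session identifiers and the `demo()` scenario are all constructed for the example.

```python
import sqlite3
from datetime import datetime, timezone

# Constructed schema for this example only; it is not any real market's database.
SCHEMA = """
CREATE TABLE orders (
    id       INTEGER PRIMARY KEY,
    buyer    TEXT NOT NULL,
    state    TEXT NOT NULL,
    feedback TEXT
);
CREATE TABLE order_audit (
    seq       INTEGER PRIMARY KEY AUTOINCREMENT,
    order_id  INTEGER NOT NULL,
    at        TEXT NOT NULL,
    actor     TEXT NOT NULL,
    session   TEXT NOT NULL,
    old_state TEXT,
    new_state TEXT NOT NULL,
    detail    TEXT
);
CREATE TABLE login_audit (
    seq      INTEGER PRIMARY KEY AUTOINCREMENT,
    at       TEXT NOT NULL,
    account  TEXT NOT NULL,
    success  INTEGER NOT NULL
);
"""


def open_db():
    """In-memory SQLite database with the constructed schema applied."""
    conn = sqlite3.connect(":memory:")
    conn.row_factory = sqlite3.Row
    conn.executescript(SCHEMA)
    return conn


def _now():
    return datetime.now(timezone.utc).isoformat()


def _audit(conn, order_id, actor, session_id, old_state, new_state, detail=None):
    conn.execute(
        "INSERT INTO order_audit (order_id, at, actor, session, old_state, new_state, detail)"
        " VALUES (?, ?, ?, ?, ?, ?, ?)",
        (order_id, _now(), actor, session_id, old_state, new_state, detail),
    )


def record_login(conn, account, success):
    """Every login attempt, failed or not, leaves a row."""
    with conn:
        conn.execute("INSERT INTO login_audit (at, account, success) VALUES (?, ?, ?)",
                     (_now(), account, int(success)))


def create_order(conn, buyer, session_id):
    with conn:
        cur = conn.execute("INSERT INTO orders (buyer, state) VALUES (?, 'placed')", (buyer,))
        _audit(conn, cur.lastrowid, buyer, session_id, None, "placed")
        return cur.lastrowid


def change_order(conn, order_id, actor, session_id, new_state=None, feedback=None):
    """Apply a state/feedback change and its audit row in ONE transaction."""
    with conn:  # the UPDATE and the audit INSERT commit together, or not at all
        row = conn.execute("SELECT state FROM orders WHERE id = ?", (order_id,)).fetchone()
        if row is None:
            raise ValueError(f"no such order {order_id}")
        old = row["state"]
        new = old if new_state is None else new_state
        conn.execute("UPDATE orders SET state = ?, feedback = COALESCE(?, feedback) WHERE id = ?",
                     (new, feedback, order_id))
        detail = None if feedback is None else f"feedback set ({len(feedback)} chars)"
        _audit(conn, order_id, actor, session_id, old, new, detail)


def order_history(conn, order_id):
    """Who changed the order, from which session, when, and what changed."""
    rows = conn.execute("SELECT at, actor, session, old_state, new_state, detail FROM order_audit"
                        " WHERE order_id = ? ORDER BY seq", (order_id,)).fetchall()
    return [dict(r) for r in rows]


def changes_outside_sessions(conn, order_id, account, known_sessions):
    """Rows where the account is the recorded actor but the session is one it does not recognise."""
    return [h for h in order_history(conn, order_id)
            if h["actor"] == account and h["session"] not in known_sessions]


def failed_login_count(conn, account):
    return conn.execute("SELECT COUNT(*) FROM login_audit WHERE account = ? AND success = 0",
                        (account,)).fetchone()[0]


def demo():
    """Constructed replay of the post's scenario: the buyer's own session places the
    order; a session the buyer never used later finalizes it and sets feedback."""
    conn = open_db()
    record_login(conn, "buyer", True)
    oid = create_order(conn, "buyer", "sess-buyer-1")
    change_order(conn, oid, "vendor", "sess-vendor-1", new_state="shipped")
    record_login(conn, "buyer", False)
    record_login(conn, "buyer", False)
    record_login(conn, "buyer", True)
    change_order(conn, oid, "buyer", "sess-unknown-9", new_state="finalized",
                 feedback="constructed feedback text")
    return conn, oid
```

With this in place, the support question in the post has a concrete answer: `order_history()` shows the finalize step came from a session the buyer never held, and `failed_login_count()` shows whether it was preceded by guessing. The audit table is append-only by convention here; in production it would additionally be written to a store the web application's own credentials cannot delete from.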
Oohhh killlem.
But on a serious note. You are totally correct. I'd like to see someone take pride in their work. Ya know? Put out the best code you can. Know you are the best and you have the best market. Boom. Winner.
No one has any pride anymore. Just a bunch of scammy bitches.