NEW ALPHABAY BUG: it is (again) possible to read your private alphabay messages

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

hello community.

the user /u/Cipher0007 contacted us mods through the mod mail and 
delivered proof that he is able to read private alphabay messages. 
I have verified it by creating two new accounts, sending a message 
between them, providing the user the message ID and he showed me 
the content of it.

you can view his post here

https://www.reddit.com/r/DarkNetMarkets/comments/5pg8tn/highrisk_bugs_regarding_alphabay_marketplace/

the other mods have not chimed in on that issue but for now 
I have done the following:

- made this stickied post

- replaced the alphabay addresses on the superlist with a 
warning about this bug till it is resolved

- flaired and approved the original post by /u/Cipher0007

- changed the color of the stickied announcements to make 
this bug more visible [because I tend to skip the two green 
announcements often when I visit this sub since they are 
usually the same every week]

if you want to verify the bug yourself please create THROWAWAY 
accounts and send messages between them. otherwise everybody 
could get the messages from anyone by simply posting the ID of 
the desired messages without knowing how to exploit the bug.

update #1: the user also stated that he was able to dump the list
of hansa users. at the time of writing he has not delivered proof 
for that but he said that he will look further into that issue.
the post will be updated if more details are available in that case. 

update #2: alphabay response: https://www.reddit.com/r/DarkNetMarkets/comments/5ph0rz/alphabay_statement_on_pms_bug_fixed_now/

update #3: Cipher0007 provided us mods with a hansa vulnerability
that allows everybody to get a list of all hansa usernames. it has
been reported to hansa and a note has been added to the superlist.

you can verify the signature with my key here
https://www.reddit.com/r/DarkNetMarkets/wiki/pgp#wiki_.2Fu.2Fwombat2combat

this post will be updated in the future.


Comments


[19 Points] alphabaysupport:

We have contacted the user and will report back soon.


[10 Points] None:

Use client side PGP=profit.


[7 Points] None:

I chose a book for reading


[4 Points] alphabaysupport:

Fixed. Full statement here:

https://www.reddit.com/r/DarkNetMarkets/comments/5ph0rz/alphabay_statement_on_pms_bug_fixed_now/


[2 Points] DooshNozzzle:

if we know about this today you can be sure the DEA has known about it for much longer.


[2 Points] None:

In the notes for AB there is a rant about taking too long to ban vendors. I've seen A LOT of posts about Valhalla where there are vendors that threaten to doxx every customer they get. It's been going on for months as far as I know, and the mods haven't touched it. I also think that I read the mods have "left the ship" as no disputes are being handled.


[1 Points] DarkMarkThroAway:

Shouldn't it also be listed under Active Warnings on the sidebar? Not trying to be a nitpicker.... just want to make sure everyone is aware.


[1 Points] None:

[deleted]


[1 Points] pinochetHA:

Alphabay is just fucking idiotic. If their professional shills weren't on reddit the whole time trying to convince everyone AB has the biggest dick then maybe, just maybe, they would fix the gaping security holes which will compromise their users. Is it too much to ask that private messages actually be private? Yes everyone should be using gpg but that doesn't excuse shitty operational security from a market whose mod was giving us advice a few weeks ago.

There have been so many issues in the past with really basic opsec fuckups. It's going to happen again. And maybe next time it's going to de-anon more than just messages. Either AB users take this as a very kind and limited warning from AB staff about their inability, or they can cling to their russian Titanic all the way down.


[1 Points] None:

https://www.reddit.com/r/DarkNetMarkets/comments/5ph0rz/alphabay_statement_on_pms_bug_fixed_now/?utm_content=title&utm_medium=front&utm_source=reddit&utm_name=DarkNetMarkets


[1 Points] NearlyBaked:

Does this mean others can see the accounts I bought in my PMs and vice versa?


[1 Points] NotShillJustParanoid:

Yeah, I manually encrypt everything possible, largely because I'm about as afraid of the kind of people that run this market getting my personal info as I am of the police doing so, but enough's enough. Finalized on everything I had outstanding and now I'm done. It's a shame, they're one of the only markets with a sizable canadian presence, but I legitimately can't justify endangering myself to the extent that these kinds of security breaches imply. If one of ours found this, it's safe to assume that LE found it a while ago, and in all likelihood there are a lot more security holes under the hood. Hell, the fact that you can skip the anti-DDOS captcha says about as much about this place's security as it needs to.


[1 Points] absolutefuckingretar:

If you were affected by this, you're fucking stupid. Messaging personal information to vendors is obviously stupid on so many levels. What if they are arrested? What if the website is compromised like this? Could be the police, could be an exploit.

I'll probably still use AlphaBay after this. Even though this is a serious exploit, anyone with sense will have taken precautions to prevent this from doing any damage.


[1 Points] murderhomelesspeople:

Do we know when or if Hansa has fixed their vulnerability?


[1 Points] THClear1:

Since we're on the topic I'm curious
(1) if a customer sends me sensitive info and I delete the thread as a matter of course is this data still recoverable/vulnerable?

(2) More of a comment: If a customer places an order and doesn't PGP the sensitive data I cancel the order, but the cancelled order remains viewable for 30 days. Can this be fixed?


[1 Points] Lucid_Enemy:

It's weird how here you are slamming AB left and right and gradually mention hansa having a huge vulnerability as well towards the bottom of your post.... I didn't see a stickied thread about hansa anywhere, just you making a huge scene about AB.... Also I think this is the ONLY time you mention anything about hansa in any of your comments since you made this post... Can you finally just admit you have a problem with AB? Seriously I don't like the market that well either (I see it as a necessary evil since more vendors are on there..) but like I don't make it an agenda to slam them.... Nor am I in a position where my words carry more weight than a normal commenter on here... IMO you are

Power hungry as fuck seeing as before you became a mod you barely had a problem with AB

Have an agenda towards AB and want to see it go down so a market that you may have skin in can rise up to power

Corrupt for those 2 reasons.... I don't normally think any of the mods are corrupt (sure I joke about econ being a fed and what not) but I don't actually believe it... But I think/know you are... And I don't like it nor you.... That's just my opinion tho and everyone else can have their own opinion


[1 Points] trouauei2016:

/u/Cipher0007 how much did alphabay pay you?


[0 Points] kaif_veenis:

Hmm.. two people are shadowbanned.


[-1 Points] None:

sure, "bug" lel