Warning: DrugsList is extremely insecure.

DISCLAIMER: I have no affiliation with any marketplace. My interest is only seeing a more secure and trustworthy underground drug market. I have reported numerous issues to other drug markets and have had them successfully fixed. I have never accepted payment from any drug market for security services. I am only an interested observer and occasional customer.

The Drugslist website makes numerous simple security errors in its implementation, and is completely unfit as an underground drug marketplace storing bitcoin wallets.

Error 1: The PGP error

As drug market users you have likely noticed that it is always reinforced that you should use PGP for all private messages. A lot of users struggle with PGP since you have to download an application, learn public key cryptography, learn how to sign/encrypt and manage keys, etc. There is a reason why it is complicated: ease of use and security are a direct tradeoff. Were PGP to be simple, it likely wouldn't be effective.

This is why you have never seen a serious drug marketplace that attempts to implement PGP on the web, or inside a browser - because it is insecure. You can only guarantee the security of PGP and your messages if you use a desktop app.

I noticed yesterday that drugslist was making a huge error and had implemented PGP in a web browser as part of their drug marketplace. This is a huge red flag, because not only is it not secure, but it also teaches users that pasting private keys into a web form is ok, when it is far from it. Security conscious people spend a lot of time reiterating basic security practices to people, and when Drugslist does something like implement PGP in a browser and ask users to paste a private key into a web form, they undo a lot of that security advocacy performed by others.

I'm going to try and explain in the simplest terms why PGP in the browser is a bad idea, before I explain what Drugslist did:

When you install PGP normally on the desktop - you go to a trusted site and download the package, and almost all PGP tutorials will, as a second step, show you how you can verify that the package you downloaded is the same one the developers signed off on - to guarantee that it either hasn't been backdoored or manipulated on the server, or that it hasn't been backdoored or manipulated in transit to your computer. You only have to do this once, when you install the application. From then on you can use the PGP app a thousand times and be confident that it hasn't been backdoored (there are ways around this, such as a trojan on your system, but it won't be backdoored by the developer).

This is an essential part of establishing the trust relationship between developer and user, you can guarantee that it hasn't been compromised using cryptography (Bitcoin also does this, as does Tor).

When you use PGP in a browser, your browser downloads a new copy of PGP every time you use it, and has no way of checking the signature. Worse, it doesn't even check if it is downloading it from the correct server. That means someone could easily insert a backdoor into it, or weaken it, and you would never notice. It doesn't matter how much you check the code the first time you use it, you can't guarantee that it would be the same every subsequent time.

This isn't a hypothetical attack, there are at least two known cases where the US Government has taken advantage of web-based cryptography to read 'encrypted' messages for users: Hushmail and Lavabit. In the Hushmail case users had no idea that Hushmail had changed the code to give the government access. In the Lavabit case, because they were using web based crypto they were also vulnerable to a subpoena, which they ended up receiving when Snowden became a user. This is why web-based crypto is bad, because it can't be protected or guaranteed.

Drugslist present their web-based PGP alternative as a direct replacement for desktop PGP, which is not the case. Web based PGP is never secure.

They place a link to it right above the box where you send private messages:

Don't know PGP? Check out our client-side PGP encryption tool. No data transferred and everything stays on your device!

All throughout the site, in the FAQ, there on the private message box, it mentions the web-based PGP implementation as an alternative to desktop based PGP, which it certainly is not.

Now this part I can't stress enough: to a security professional, this is a very simple mistake - it is something that even a security professional with only hours of experience would know is a red flag. This is like a mechanic pointing out that the tyre in your car is wobbly and about to fall off.

I noticed that Drugslist have this feature yesterday in their thread about their API. I knew very very little about Drugslist at this time, I had signed up a week earlier and then forgotten about it - not even looking at what vendors are there, etc.

Here is the thread announcing the API:

http://www.reddit.com/r/DarkNetMarkets/comments/1w2rq9/drugslist_launching_optional_new_full_api/

I got to this second paragraph and immediately stopped reading:

Our site now offers, a fully featured API escrow, auto withdraw for vendors, 1% commission payments on any money spent by anyone whom you refer, a fully integrated forum and email system, client side pgp encryption and decryption as well as a very active customer support and development team.

I immediately had to see this for myself - surely they don't mean PGP in the browser, that would be lunacy. I open the site, find the feature - and sure enough they have implemented PGP in a browser using Javascript and are asking users to paste their private keys and secret messages into a web form. This is absolutely unacceptable, especially by a marketplace claiming to be security conscious.

Without reading the thread further, I then write this comment telling Drugslist that they need to change and remove the client-side PGP feature. Drugslist replied quickly, and they partly gave an indication that they understood the issue, but they mainly chose to ignore what I reported.

Edit to add: while we were having this conversation, despite denying it was a problem, every time I went back and checked Drugs List they were adding warnings to the PGP tool that demonstrated they didn't understand the issue. I would check their page and the wording would change to include a warning; I would go back, leave a comment with a counter-point, check their page again and the warning would be updated again based on the comment I left. This shows that they weren't understanding the issue.

What proves it further is the message they have on the PGP page now:

http://drugslisvdknitqd.onion/pgp/index.html

This is in big red writing at the top, and was added after I raised the issue:

While our Javascript PGP implementation is secure, and can be verified by looking at the source code, understand that other websites claiming to have client-side Javascript PGP could be insecure. Be cautious of any site offering client-side PGP. You should always search through the source code looking for Javascript includes, XHR requests and HTML5 outbound data calls.

Note two things here: they are still misunderstanding the issue - there is no way to implement this securely, besides their reassurance. Also note that this is a feature that is supposed to be built for users who find desktop PGP complicated, yet it is asking them to conduct a thorough audit of the PGP code prior to using the tool each time. This is completely unrealistic.

Back on the comment thread, there was also a completely surreal situation where I'm left spending a dozen comments explaining to DrugsList what the actual problem is, since it is clear they don't understand what I'm actually reporting - in the meantime they continue to deny that there is a problem.

I had no idea at the time that this would lead to an hours-long conversation where drugslist would repeatedly deny the existence of numerous security issues despite the clear evidence to the contrary.

I went back up to that original post and kept reading about the API. Two lines later and we have another security issue:

Error 2: API Security Issues

I'll keep this brief. The problems with the API are:

  1. It asks you to place your marketplace password in the URL of the API. This is a big no-no, since many applications log URLs in plain text. A URL is 'non sensitive' data and all applications treat it that way; you should not be placing passwords into the URL.
  2. The password used in the API is the same as that used for the marketplace login, so if your API usage somehow leaks, the person finding the password can log in as you. This is poor design.
  3. The API client makes no effort to authenticate the server, and vice-versa. This means it would be incredibly simple to intercept the data passing between the API client and the API server. Running over Tor only makes it easier, since a lot of Tor configs have misconfigured DNS.

The drugslist response to these concerns is that they 'expect' API clients to know these problems and to use them securely.

I had now discovered a number of basic security issues in reading only two paragraphs of text from Drugslist, and in all these cases the Drugslist user had responded quickly, completely denying any issue or any problem - and dismissing the concern. This was becoming a pattern and it prompted me to look at the history of this user and this drug marketplace, it didn't take me long to find more hits.

Error 3: SQL Injection

I only had to scroll down 3 or 4 previous threads before finding this thread - where a user of reddit (edit: it was /u/magnus0 - and no matter what you think of how he approached it, he was reporting a bad vulnerability to the site owner rather than exploiting it himself) had reported an SQL Injection vulnerability to DrugsList.

Set aside for a moment what you may believe about how the person reporting that bug behaved or conducted themselves, because this is a very serious issue.

I could not believe what I was seeing as I scrolled through the screenshots attached. I haven't seen this type of elementary SQL Injection bug for years. This stuff used to work 10 years ago, but you rarely see it any more as most programmers and websites have wised up to the simplest of SQL Injection bugs.

Make no mistake about this: what is being demonstrated in that bug is the ability to take control of the application and run whatever commands you wish on the database. This means you can take passwords, steal bitcoin, insert your own vendor account etc.

This is the exact same type of bug that caused both Sheep and BMR to be hacked, except this bug was much, much simpler than either of those.

This SQL Injection bug led to what was now becoming a regular situation - the drugslist user coming in, denying that there was an error, and claiming that the user who found an SQL Injection had only found a 'small bug' and couldn't 'do anything'. He was daring the next attacker to delete/hack his entire site as a way of proving that a bug exists.

This led to a completely surreal comment thread, the kind I have never really had before, where we have the admin of the drug market along with a mod from the sub trying to convince people that this wasn't a real bug - using terms that are taken from information security, but using them in such a way that makes it clear to anybody who knows the field that these guys have no idea of what they are talking about.

The sheer simplicity of the SQL Injection attack led me to open up a browser and to go to Drugs Marketplace and to check for myself to see if I could find any other bugs (having a single simple bug on the main page usually means there are more).

Error 4: Multiple SQL Injection Points

Within 3 minutes of checking their app it was clear that both their search page and their product page are not filtering user input and allow a user to tamper with SQL queries in any way they want.

I private message Drugslist and tell him that he needs to take his site down and come clean about the security issues. I've never seen a site like this. A potential hacker with no knowledge of info sec would only require 10-12 hours of learning to take complete advantage of stealing everything from Drugs List.

Error 5: Server Leaking Info

After discovering the two bugs I come to the conclusion that there is no point in testing this further, since every parameter I test is vulnerable.

I look down at my logs and I can't believe what I'm seeing - the server is leaking critical information about itself that would make it simple for a dedicated adversary to trace down not only the location of the server, but the people running it.

This is worse than Silk Road in the early days, where similar output led the authorities to the location of the Silk Road server.

Error 6: Consolidating everything in one market

The other problem with Drugs List is that in an effort to be convenient they consolidate everything into one website and behind one URL: market, wallets, email, forum and even PGP.

Were the market hacked or taken over by LE, they would get everything - your emails, your messages, your PGP (via the web tool). This is why each vendor and buyer should host each of these separately - email should be with one host, wallet with another, marketplace on another, PGP on your desktop - this rule is the same as the 'diversify your holdings' rule in the finance world, you don't want a single point of vulnerability.

There is also a reason why other markets host their forums and their marketplaces on separate URLs: it's so that you isolate them from each other. The threat model for a forum is very different to the threat model for a bitcoin drug marketplace - you don't want a bug in the forum leading to a complete compromise of your bitcoin drug marketplace.

Over-marketing and under-delivering

If you look at Drugs List's claims, they keep reiterating security and how they have hired 'PHD's in math' and 'security experts'. There is no chance this is true. Drugs List has almost certainly been put together by a single person with a minor understanding of technology and almost no understanding of security who outsourced the work of programming the marketplace. It is likely that he has hired cheap offshore labour to build this site using a service like oDesk or Elance. I don't believe his programmers know that what they are building is being used as a drug marketplace.

When I search some of these marketplaces for 'bitcoin escrow marketplace' I get a number of hits for people attempting to hire cheap labour to build such a marketplace. Some of these sound a lot like Drugs List, and that would also match up with how the site has been implemented. This is exactly how SR1 was taken down and I have more than enough information to conclude that were a sufficiently motivated adversary interested in taking down Drugs List, they would likely do so in very short order.

It doesn't matter if you believe that I am out to "get" drugs list or not, there is a pattern in his communication where numerous people have reported security or other concerns to them and they are dismissed. So either all these people reporting concerns are crazy (which would include me, two other techs on the SQL injection thread, /u/TMPSchultz and /u/gwern on the multi-sig thread), or drugs list is negligent with user data and are in way over their heads with operating a secretive bitcoin based underground drug market.

Of the 3 issues I reported to them, his replies indicated that he didn't even understand 2 of them. It took me numerous messages to explain what was wrong with doing web-based PGP, despite their first response indicating that they understood the issue and thought it was ok.

There is a pattern here in how features are over-marketed and then under-delivered, and sheer negligence with security reports. The question vendors and buyers have to ask themselves is: do they really trust their identity and money with someone who is not only incompetent in building a website but in utter denial about there being a problem?

IF YOU ARE A VENDOR OR BUYER: Don't trust me - please, find someone you know who is a programmer or a tech and ask them to take a look at these two threads:

  1. This one where I report the PGP error, which becomes very weird at the end
  2. This thread, where a user reports a simple SQL injection

That is the least amount of due diligence you should do before using a drug marketplace, especially as a vendor. You will find that even those with a cursory knowledge of programming or info security will find those threads worrying to the point of being amusing.
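The trust argument in Error 1 (a desktop package is verified once against a reference the server cannot rewrite, while a browser fetches fresh code on every load and can only compare it against whatever the same server says) can be made concrete. The following is an added illustration, not code from the post or from any marketplace: it models a hypothetical origin that serves both a script and a hash of it, and uses a pinned SHA-256 as a simplified stand-in for the developer signature that desktop PGP tutorials have you check. The `Origin` class, the file paths and the sample "builds" are all constructed for the demonstration.

```python
import hashlib

# Constructed sample artefacts standing in for a PGP build: an honest one and a
# backdoored one. Neither is real code from any project.
GOOD_BUILD = b"function encrypt(msg, key) { /* honest implementation */ }"
TAMPERED_BUILD = GOOD_BUILD + b" sendKeyElsewhere(key);"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class Origin:
    """Hypothetical server that serves both the PGP code and a hash of it."""

    def __init__(self, build: bytes) -> None:
        self.files = {}
        self.publish(build)

    def publish(self, build: bytes) -> None:
        # Whoever controls the server (or can compel its operator) updates the
        # code and the published reference hash in a single step.
        self.files["/pgp.js"] = build
        self.files["/faq-hash.txt"] = sha256_hex(build).encode()

    def fetch(self, path: str) -> bytes:
        return self.files[path]


def verify_with_pinned_reference(origin: Origin, pinned_hex: str) -> bool:
    """Desktop-install model: the reference value was checked once, out of band,
    and is kept by the user, so the server cannot rewrite it."""
    return sha256_hex(origin.fetch("/pgp.js")) == pinned_hex


def verify_with_served_reference(origin: Origin) -> bool:
    """Web model: the reference value comes from the same origin as the code,
    on every page load, so it changes whenever the code changes."""
    served = origin.fetch("/faq-hash.txt").decode()
    return sha256_hex(origin.fetch("/pgp.js")) == served


def run_scenario() -> dict:
    origin = Origin(GOOD_BUILD)
    # Recorded once by the user from a trusted, separate channel.
    pinned = sha256_hex(GOOD_BUILD)
    before = {"pinned": verify_with_pinned_reference(origin, pinned),
              "served": verify_with_served_reference(origin)}
    # The served code is swapped between two visits.
    origin.publish(TAMPERED_BUILD)
    after = {"pinned": verify_with_pinned_reference(origin, pinned),
             "served": verify_with_served_reference(origin)}
    return {"before_swap": before, "after_swap": after}


if __name__ == "__main__":
    print(run_scenario())
```

The pinned check fails after the swap and the same-origin check keeps passing, which is the whole point: a reference published by the server being checked tells you nothing, whatever its format. Real desktop verification uses a signature over the package rather than a bare hash, but the trust relationship it establishes is the same one the pinned value stands in for here.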
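Point 1 of Error 2 (a password placed in the API URL ends up in plain-text logs) is easy to see in practice. This added example is not from the post or from any marketplace: it runs a small scanner over constructed access-log lines in the common combined format, flags query parameters that carry credential-looking names, and shows a redaction pass a log pipeline could apply before lines are stored or shared. The parameter names in `SECRET_PARAM_NAMES`, the hosts, paths and values in `SAMPLE_LOG` are all invented for the demonstration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed access-log lines (combined log format); not from any real server.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Jan/2014:10:01:02 +0000] "GET /api/balance?user=alice&password=hunter2 HTTP/1.1" 200 88 "-" "curl/7.30"
10.0.0.7 - - [12/Jan/2014:10:01:09 +0000] "GET /api/orders?user=bob&pass=s3cret&page=2 HTTP/1.1" 200 512 "-" "python-requests/2.2"
10.0.0.9 - - [12/Jan/2014:10:02:44 +0000] "GET /api/orders?page=1 HTTP/1.1" 200 410 "-" "python-requests/2.2"
10.0.0.9 - - [12/Jan/2014:10:03:01 +0000] "POST /api/login HTTP/1.1" 200 64 "-" "python-requests/2.2"
"""

# Hypothetical list of query-parameter names that should never appear in a URL.
SECRET_PARAM_NAMES = {"password", "pass", "passwd", "pwd", "token", "api_key", "apikey", "secret"}

# Pulls the method and request-target out of the quoted request field.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def find_credentials_in_log(text: str) -> list:
    """Return (line_no, param_name, value) for every query parameter whose name
    looks like a credential. Anything this returns has already been written to
    disk in clear text by the web server."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), 1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        query = urlsplit(match.group("target")).query
        for name, values in parse_qs(query).items():
            if name.lower() in SECRET_PARAM_NAMES:
                for value in values:
                    hits.append((line_no, name, value))
    return hits


def redact_query_secrets(line: str) -> str:
    """Mask the value of any credential-looking query parameter in a log line."""
    def mask(m: re.Match) -> str:
        name = m.group(1)
        if name.lower() in SECRET_PARAM_NAMES:
            return f"{name}=[REDACTED]"
        return m.group(0)
    return re.sub(r'([A-Za-z_][\w-]*)=([^&\s"]*)', mask, line)


def build_header_auth_request(path: str, token: str) -> tuple:
    """Hardened alternative: the credential travels in a request header, which
    the default access-log formats do not record, and the path stays clean.
    Returns (request_target, headers); the token itself is a constructed value."""
    assert "?" not in path or "token=" not in path, "credential must not be in the URL"
    return path, {"Authorization": f"Bearer {token}"}


if __name__ == "__main__":
    for hit in find_credentials_in_log(SAMPLE_LOG):
        print("credential in URL:", hit)
    print(redact_query_secrets(SAMPLE_LOG.splitlines()[0]))
    print(build_header_auth_request("/api/orders?page=2", "constructed-token"))
```

Run against real access logs, the scanner is a quick way for an operator to find out whether an API design like the one described has already spread credentials into log files, backups and log-shipping systems; the redaction pass is damage limitation, not a substitute for moving the credential out of the URL.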
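Errors 3 and 4 describe search and product pages that pass user input into SQL queries without filtering. The following added example (not the marketplace's code, which is not public; the table, rows and inputs are constructed) shows the bug class beside its fix on an in-memory SQLite catalogue: the vulnerable search builds the query by string formatting, so a quote character in the term changes the query's structure and, here, exposes rows the `hidden` flag was meant to keep out of results; the parameterized search binds the term as data and the same input simply matches nothing.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory product catalogue; rows are invented for the demo."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, vendor TEXT, hidden INTEGER)"
    )
    conn.executemany(
        "INSERT INTO products (name, vendor, hidden) VALUES (?, ?, ?)",
        [("Widget A", "vendor1", 0), ("Widget B", "vendor2", 0), ("Unlisted item", "vendor3", 1)],
    )
    conn.commit()
    return conn


def search_vulnerable(conn: sqlite3.Connection, term: str) -> list:
    # The bug class from the thread: the search term is pasted straight into the
    # query text, so quote characters in it become part of the SQL statement.
    sql = f"SELECT name FROM products WHERE hidden = 0 AND name LIKE '%{term}%' ORDER BY id"
    return [row[0] for row in conn.execute(sql)]


def search_parameterized(conn: sqlite3.Connection, term: str) -> list:
    # Hardened form: the term travels as a bound parameter and is never parsed as
    # SQL, so its content cannot change the WHERE clause.
    sql = "SELECT name FROM products WHERE hidden = 0 AND name LIKE ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, (f"%{term}%",))]


def compare(term: str) -> dict:
    """Run the same term through both versions and return what each produces."""
    conn = make_db()
    try:
        return {
            "vulnerable": search_vulnerable(conn, term),
            "parameterized": search_parameterized(conn, term),
        }
    finally:
        conn.close()


if __name__ == "__main__":
    # Constructed test inputs: an ordinary search and the textbook quote-breakout.
    print(compare("Widget"))
    print(compare("' OR 1=1 --"))
```

With an ordinary term both versions return the two visible widgets. With the quote-breakout term, the vulnerable query's WHERE clause is rewritten and the hidden row comes back as well, while the parameterized query returns an empty list. The fix is the same in PHP, Java or any other stack: prepared statements with bound parameters for every value that originates from a request, which is what "filtering user input" amounts to in practice.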


Comments


[24 Points] cliff-hanger:

So uhhh.. Anyone interested in going halfsies on an SQL injection?


[15 Points] appl3blim:

I think that it's been very clearly established that DL has fuck-all in terms of security.

The implication that /u/Gabralkhan has a conflict of interest with this DNM raises many questions as to the integrity of this sub. I kindly request that the admins of this sub look into this.


[11 Points] None:

Lol moar popcorn please


[9 Points] wannabejourno:

Seriously, this thread really drives home the message that having a laugh at these subreddits can lead to a sobering reality. Even though I don't use any of these sites, and make fun of them at times...being able to find the name of the person running the site via job postings within a few minutes is very, very concerning.

Whatever you may or may not have posted or entered in to this site is probably already archived. However - if you are reading this post you have the ability to not do anything else to risk your freedom by trusting other people with your security.

Maybe I don't sound like a neutral but amused bystander, but I am. And these revelations are the worst security flaws I've seen posted about any of these sites so far.


[10 Points] None:

[deleted]


[7 Points] Gomba1:

Not taking any side since I am not an expert with those technicalities, but this one made me LOL hard:

cheap offshore labour to build this site using a service like oDesk or Elance


[8 Points] PeterSutcliffe:

Motherfucker, I just found it and thought it looked pretty good.

Sheeeiiit. Why can't there be any good markets? First SR went down, I moved on to sheep, the admin went AWOL with the cash. Then BMR shut down. At least I haven't lost any money somehow.


[5 Points] DNM_Throwaway:

A'Brewing up a shitstorm.


[6 Points] Oracle_DNM:

Alright, I’m going to try to shed a little light on some things that should hopefully give you all a collective sigh of relief, put to rest some theories, and reveal my intentions. While doing so, I have to walk a fine line between personal OPSEC, maintaining the anonymity & privacy of others, and sticking to a commitment to respect that “behind the scenes shit” that sometimes has to be done.

It’s been about four days since the discovery of an SQL injection in Drugslist. It’s been about two/three weeks since DPR2 has been heard from. It’s been almost three months since SR1 was shutdown and DPR1 was arrested. It’s been about two and a half months since the new SR “setup” came into being and new markets started popping up.

I first publicly popped into the picture when these forums first went up, but my association goes back to way before that. I can’t get into details, but I’ve never been a mod/admin/developer/vendor/buyer on either Drugslist, Tormarket, Sheep or SR1 / 2 or this sub reddit, but I have been privy to quite a bit of the inner workings of All of them. I’ve seen a lot of cool shit happen, a lot of sad shit happen, and I’ve always had the community’s interests at heart. I have 0 financial stake in All these Darknetmarkets, but I do think Darknetmarket is perhaps one of the coolest fucking concepts of our life time.

This week you’ve seen a few “sleepers” get promoted as moderators. You’ve seen a sleeper admin take over entire control of the forums and site of Drugslist.

This can’t be stressed enough, the sleepers (mods and admin(s)) have absolutely 0 connection to The Mod Team Of Darknetmarkets Sub.

Long Story Short:

Gabralkhan = Drugslist = StExo = DPR2 = Defcon........ Who is actually The Forbidden Love Fruit of TMPschultz And Tomas Jirikovsky - The_Avid!!


[3 Points] None:

[deleted]


[4 Points] wannabejourno:

OK, I'll go ahead and do it.

The person running this operation's name is EXTREMELY obvious if you Google the job postings made for a multi-sig escrow market. It's why there is a shitstrom coming, not a shitstorm.

This place isn't safe, and it won't be. I don't care who is working for who - SQL injections are how major hacks take place. It's extremely clear that the GK guy is the same guy who runs Drugslist, who is the same guy who is the "developer" - it's pathetically obvious.

Stuart....close down your site for the sake of people not going to jail.


[3 Points] synikal12:

After reading this entire thread it's pretty flabbergasting how utterly stupid and naive /u/drugslist is. I was looking forward to browsing and using DL, but I will no longer nor will I ever be returning to that shithole.


[1 Points] HackAway12:

Why won't you just hack the site, take out his DB and show some proof like DPR did with tormarket, or perform any other kind of hacking into the site and show proof for its vulnerabilities?

Server is leaking data? show us.

SQL injection in search / products or whatever? just deface the site or take the admin and place a link in the homepage.

This could end this long thread really quick.

Not that it looks so good on DL side, but this argument is stupid - one side saying that the vulns are severe, one side saying its not - one of you should provide some proof and put us all out of our misery.

Until now it's just a lot of talking from both sides while the site still functions as always with no damage whatsoever, and no BTC were stolen and the only thing that actually happened is a few unapproved users.


[1 Points] secinnosec:

One thing this shows without a doubt is that 'the_avid' has zero fuckin life outside reddit.


[0 Points] Oracle_DNM:

Hello I Am the Oracle, in 2 minutes i will make a statement that will reveal the truth behind all, prepare yourself


[-2 Points] drugslist:

the_avid,

We've been over this issues yesterday and addressed each one of your concerns. So, let's go again:

#1 PGP

Everyone understands that PGP inside a web browser leaves opportunities open for people putting in Javascript code. We enforce this idea many times and warn users about Javascript in their browser period.

I understand that everyone in the security community has the opinion that "the sky is falling" -- but when was the last time you went through every line in your local PGP client? Have you really put your nose to the grindstone looking at GnuPG, OpenPGP or GPGTools?

The only thing we can guarantee is that we've been through every line of our OpenPGP.js PGP implementation and it's clean. We provide a SHA1 sum on the FAQ of the file, have caching on the server for the file, and warn users EVERY TIME THEY LOAD THAT PAGE about JAVASCRIPT AND YOUR WEB BROWSER.

The bottom line is you can only trust yourself and your own judgement when using PGP. We display messages to users who don't have PGP public keys in their profile, asking them to use PGP whenever about to send a message.

It's not perfect, but it's better than having buyer information in two locations: the marketplace and the vendor's desk.

#2 API

Like we've told you before, we're using JSON-RPC and because Tor encapsulates your traffic end-to-end, there is no leakage. We've been over this. If this were clearnet, there's no way we would have done that. Any developer who configures Tor, can securely use our API or any JSON-RPC API. It is secure.

We are going to offer API pub & private keys today as alternative to using your username & password in the API. But regardless, you could try to say that same thing: OMG THE URL HAS API KEYS. This is JSON-RPC. It is secure over Tor. Deal with it.

#3-4 SQL INJECTION

We screwed up and one piece of data was not being properly handled on our registration form. Nothing else on our site works like that and everything was triple checked again by our team yesterday.

People have been hacking and DDoSing us since day 1 and we're still standing. If our site was so insecure, we would have been hacked just to prove that we're idiots. We're not idiots. We had a developer make a single mistake and it's been corrected. We're sorry -- mea culpa. But, there's been no harm and NOTHING happened.

Server leaking info

Come on. Disinformation is the best kind of information.

Consolidating

Every marketplace has messaging. Every marketplace has forums. We isolate them by having different servers for each with one onion address routing the traffic. We have two-factor auth for withdrawals and a custom welcome message displayed upon logging in.

Again, we are not requiring our users to use our client-side PGP. We are not generating PGP keys for anyone. Our PGP system is better than sending the buyer's delivery information in plaintext.

Overmarketing

You are giving us so much shit because we had a developer make one mistake with our registration form. Our site isn't built on child rent-a-coder.com labor. We are a bunch of smart people completing graduate programs and we made one mistake that you pointed out.

Our site looks COMPLETELY different than others. We built ours from scratch and we've had a couple bugs in the beginning. It's solid, secure and you are only hurting our reputation.

We're building a better marketplace and adding new tools everyday. We're trying to make it simple for buyers while giving vendors the confidence that they all always get paid.

In conclusion

We will be posting the results, to reddit, of a third party penetration test on our site by Thursday to put your ridiculous claims to bed. Obviously people have hidden agendas and we're happy to post every non-sensitive part of our penetration test.

To the avid: please stop sending us threatening messages and post whatever it is you want -- we are not hiding anything and will not be threatened by you. We understand that you have ulterior motives and we know that you have to do your job for TMP, but we find it unacceptable how you are trying to damage us. Clearly you're concerned that we are taking up some of TMP's marketspace, but you will have nothing to say once our Pentest results are published. Thank you and have a fantastic rest of your weekend.

Also edited to say: Gabralkhan is not working for us, and it is an insult to him and his integrity to suggest otherwise.


[-3 Points] drugslist:

We have always been polite and respectful and will not allow mangus aka tmp aka the avid to drag us down to his level.

For all interested, we will be posting the results of a 3rd party pentest by Thursday of next week. The results will speak for themselves and we look forward to showing everyone.

We are no longer going to be responding to TMP/Mangus/Avid. We didn't pay him enough and he is upset about it. Any true hackers know that this is not the way a respectable person goes about their business.

We appreciate everyone who has contributed to our threads and we will continue to do what we are doing.