Horizon Market: DO NOT USE - bug enables all BTC to be stolen

Hi I'm link and my day job is in software development. I have been a member of this sub for quite a few years but this is my new account solely for disclosing vulnerabilities with the markets.

I wanted to make a post to warn the community about one of the new markets about to be added to the Superlist: Horizon Market.

The main and most damaging bug I found enables the attacker to fill up their market account to any bitcoin amount chosen. They can then just use the normal withdraw feature on the market to withdraw all the bitcoin left in the market's wallets to their chosen bitcoin address. I'm not going to detail the bug anymore than that because the market has still failed to fix it; once they have fixed it, I will make another post detailing the method. This bug took perhaps 1-2 hours to find.

Proof:

I have talked with the mods and I verified it with /u/wombat2combat. I also have a screenshot here. That is 126.016BTC for the 126,016 subscribers (at time of writing) to /r/darknetmarkets

I would like to produce proof to any user interested, but giving bitcoin away that is not mine seems like a bad idea so instead I will only provide a screenshot.

Why did it happen?:

I would put it up to poor programming knowledge. The bug should not have even made it into the software. It should have been identified during the design. Even if someone forgot to point out this obvious fault in the algorithm, it would have been easily caught during testing. I have a formal education in computer science and this is taught very early (age 13-16 in my area).

In my opinion, the overall design of the market, with one central pool of bitcoin then each user only having a number in a database is not the best. (calling out you alphabay/dream). If an attacker hijacks any part of the market's bitcoin deposit/withdrawal system, they can easily take the all bitcoin. If your going with the central escrow style of market, please code it so each user has a separate bitcoin wallet. Then when it gets hacked, they can only withdraw their amount of bitcoin. (unless they are able to move the bitcoin internally within the market)

 

More faults with the market:

The market itself is a mine field of bugs:

tl;dr

Bug on new market 'Horizon' leads to attacker being able to steal all of markets bitcoin reserve. Leading to user/vendor not being able to withdraw.


Comments


[1 Points] wombat2combat:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

link218 on https://www.reddit.com/r/DarkNetMarkets/comments/5rog83/horizon_market_do_not_use_bug_enables_all_btc_to/


'Horizon Market. The main and most damaging bug I found enables the attacker 
to fill up their market account to any bitcoin amount chosen.'


the bug has been verified by me and I shared information with the other mods 
so that they can verify it too.
-----BEGIN PGP SIGNATURE-----

iQIcBAEBAgAGBQJYk4ZjAAoJEMPzj/CHV15DdFkQAJRc8C2qvy+MuV3fvOkbHcW1
dDXFMmC1XCaULu+EUyd6dP04k9RU/iF9rXX4a8TPqfYYVwHG6CcfWzEDiTC0jGTR
47TU7cGMuBJ7K5mv/eLsv6eiqxtwUswacbkxrrHZKIyPMq8Vfl1JXAznyQdUtLbW
FAHkNlRB2CeSAQ5NK+2KRygByyAH5JGHLtX8Wyx8bLvldgoLEDzVjth79chAKSMM
jlXW1x1gBBbKANdOfE5aXvJ8Dha8YIOx0oHWpV/S6BsA7mPIJmi1TwU+ELTp+kRW
IWclBviZejUa/4CHfnMS9u+giRKuFwZdjE2R4TPBDqoV3WKL1ExZXPBMsLzgArfE
qlkA4UsPt65o1BB0d44iWP3EXZijOp2voc1pMw8MoaDbUY8Jgu+dt8Ut9MImSA9R
tBLa6SRmnsLI1Q2cKK/cmirCOPzZov2XLkrqQpirImKlwmGv7VLncKiUVQmi5kV7
zYv7czMPlALtza/6Flaaw0NUs1zQbp6hrF9m6XEXG4WGCLyI6I+3oYEOEqMoyKOr
j1+vCRPCyDPj9oT/k7Hzxl12pSLOw+o77nWk5sPnOBLAlzI1Vmt1qFUDWr60iUaw
fprvuvSDexSy7bl+s/VzuZRt6Ub4PgIiK/73EYOP8/uigEQzA5Xp/w9uMYbu2GF9
2JSorKKlEyFxDs8X5f9J
=Vrli
-----END PGP SIGNATURE-----


[22 Points] kathoragen:

Send thoes bitcoins out to me and see if it will let you.


[6 Points] -thuggy:

will they get the same treatment as AB and get removed from the superlist?


[8 Points] weedandsyrup:

Tell me how to get that coin bro, rent is due Monday.


[3 Points] murderhomelesspeople:

Can we all agree that u/geekbuddy should not be allowed to run a dark net market and that Horizon marketplace should not be added. It's been fishy from the beginning and now we have this.


[1 Points] AutoModerator:

/u/wombat2combat - You have been summoned in the thread /r/DarkNetMarkets/comments/5rog83/horizon_market_do_not_use_bug_enables_all_btc_to/ by /u/link218.

This convenience is brought to you by AutoMod. Submissions do not automatically summon users like comments do. AutoMod is trying to be helpful.

For others, it should no longer be necessary to summon the referenced user in a comment any more. AutoMod has done the heavy lifting for you. You're welcome. Bow before me.

I am a bot, and this action was performed automatically. Please contact the moderators of this subreddit if you have any questions or concerns.


[1 Points] None:

[deleted]


[1 Points] None:

Thank you


[1 Points] GodFatherDNM:

Glad i use alphabay!


[0 Points] DJrAdOx:

can you explain how you found the bugs? Not the detailed bugtrace, only the methods / which tools you took. Or did you just inspect the code, or the traffic? If you have the sourcecode or the server side files it it easy to bughunt, but I think you don't have root access to the server?


[-4 Points] Pig743:

Inspect element does not prove anything.

Bad netsec guys, this is most likely fake