shipnik.com... the site works through Tor but requires JavaScript to be enabled. Are there any security risks?

I don't really understand the security of JavaScript, but I am advised by my Tor Browser and many other sources not to globally disable JavaScript using Tor, especially on the dark web. Shipnik is really awesome, obviously. I did a test run today on Tor and found that everything worked as it should, but only with JavaScript enabled. The site cannot be utilized with JavaScript disabled.

Anyone familiar with JavaScript opsec, or JavaScript in general, or JavaScript on the Shipnik site, please share your thoughts, your precautions, or whatever you have to contribute. Is it safe to enable JavaScript for the Shipnik page only? If not, why?


Comments


[2 Points] 2weiners1vagina:

Semi-related: we had been using this site for the last two-plus weeks to mail out packs. As the rest of our opsec is locked down, there really isn't a likelihood of major issues that comes to mind.

Anyhow.

They utilize an API from Stripe, I believe, to process BTC payments. Well, obviously nefarious users aren't (hopefully) signing up for a clearnet wallet account to purchase these, and so when one were to merely interject the Stripe wallet payment and send the proper coinage, or any for that matter, using a private, hopefully secured wallet, the process would still complete itself in the same fashion: once the coin hit the address referenced, the site would work and prepare a printable version and a downloadable one of the label itself. Voilà, right? Right. But it gets... better, more interesting. I'm guessing the code written would process the buy and preparation of the label upon X, X being the coins in the wallet. But then something funny happened... about 6 or 7 dozen times.

Their service, Shipnik, would send a receipt of the label to email if provided (ours is secured like a motherfucker) and THEN... FORWARD A SECOND EMAIL WITH A LINK TO YOUR REFUND PAGE FOR THE APPARENT OVERPAYMENT OF BTC. Until today, that was; rather, they have figured out how to properly account for BTC entering the wallet from anywhere and refund only funds over $5.55, as an example. So where the email would say "here's your refund of $5.55 in full" (label and pack always arrived safe and sound), it now says "here's your refund of $0.02 of BTC."

The entire time this was happening I kept thinking of good old LE.

SOOOOOOO..... Shipnik


[0 Points] Darknet_Retard:

Unless you're consistently doing something decently sized, like shipping pounds of mj or what have you, you should be fine. The problem with JS enabled is that you can have malicious JS executions injected into whatever page you're on, and that JS can steal data like cookies and such, and potentially record that data and have it sent somewhere, and the JS can even control certain aspects of the page.

To some, this is terrifying, but you'll only get injected with malicious JS if a hacker or LE is aware of your presence. You're most likely fine, but then again I'm not a cop and I'm not too familiar with hacking.