DISCLAIMER: I have no affiliation with any marketplace. My interest is only seeing a more secure and trustworthy underground drug market. I have reported numerous issues to other drug markets and have had them successfully fixed. I have never accepted payment from any drug market for security services. I am only an interested observer and occasional customer.
The Drugslist website makes numerous simple security errors in its implementation, and is completely unfit as an underground drug marketplace storing bitcoin wallets.
Error 1: The PGP error
As drug market users you have likely noticed that it is always reinforced that you should use PGP for all private messages. A lot of users struggle with PGP since you have to download an application, learn public key cryptography, learn how to sign/encrypt and manage keys etc. There is a reason why it is complicated: ease of use and security are a direct tradeoff. Were PGP to be simple, it likely wouldn't be effective.
This is why you have never seen a serious drug marketplace that attempts to implement PGP on the web, or inside a browser - because it is insecure. You can only guarantee the security of PGP and your messages if you use a desktop app.
I noticed yesterday that drugslist was making a huge error and had implemented PGP in a web browser as part of their drugs marketplace. This is a huge red flag, because not only is it not secure, but it also teaches users that pasting private keys into a web form is ok, when it is far from it. Security conscious people spend a lot of time reiterating basic security practices to people, and when Drugslist does something like implement PGP in a browser and ask users to paste a private key into a web form, they undo a lot of that security advocacy performed by others.
I'm going to try and explain in the simplest terms why PGP in the browser is a bad idea, and then what Drugslist did:
When you install PGP normally on the desktop - you go to a trusted site and download the package, and almost all PGP tutorials will, as a second step, show you how you can verify that the package you downloaded is the same one the developers signed off on - to guarantee that it either hasn't been backdoored or manipulated on the server, or that it hasn't been backdoored or manipulated in transit to your computer. You only have to do this once, when you install the application. From then on you can use the PGP app a thousand times and be confident that it hasn't been backdoored (there are ways around this, such as a trojan on your system, but it won't be backdoored by the developer).
This is an essential part of establishing the trust relationship between developer and user: you can guarantee that it hasn't been compromised using cryptography (Bitcoin also does this, as does Tor).
When you use PGP in a browser, your browser downloads a new copy of PGP every time you use it, and has no way of checking the signature. Worse, it doesn't even check if it is downloading it from the correct server. That means someone could easily insert a backdoor into it, or weaken it, and you would never notice. It doesn't matter how much you check the code the first time you use it, you can't guarantee that it would be the same every subsequent time.
This isn't a hypothetical attack, there are at least two known cases where the US Government has taken advantage of web-based cryptography to read 'encrypted' messages for users: Hushmail and Lavabit. In the Hushmail case users had no idea that Hushmail had changed the code to give the government access. In the Lavabit case, because they were using web based crypto they were also vulnerable to a subpoena, which they ended up receiving when Snowden became a user. This is why web-based crypto is bad, because it can't be protected or guaranteed.
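To make the difference between the two trust models concrete, here is a small added model (my own illustration, not code from the post or from any marketplace). It assumes a developer publishes a SHA-256 digest of the release out of band; the package bytes, the "tampered" copy and the stand-in web server are all constructed sample values. The desktop path verifies the bytes once and then reuses the verified local copy; the browser path fetches the code on every use and, having no published digest to compare against, accepts whatever the server sends that time.

```python
import hashlib
from typing import List, Optional

# Constructed sample release and a tampered variant (not real software).
GOOD_PACKAGE = b"pgp-desktop-1.0: genuine release bytes"
TAMPERED_PACKAGE = b"pgp-desktop-1.0: genuine release bytes + backdoor"

# Digest the developer would publish out of band (signed announcement, key
# server, etc.).  Constructed here by hashing the genuine package.
PUBLISHED_DIGEST = hashlib.sha256(GOOD_PACKAGE).hexdigest()


def verify_once_then_install(downloaded: bytes, published_digest: str) -> Optional[dict]:
    """Desktop model: compare the download with the published digest once.
    Returns the installed app record, or None when the bytes do not match."""
    if hashlib.sha256(downloaded).hexdigest() != published_digest:
        return None
    # From here on the verified bytes live on local disk and are reused as-is.
    return {"code": downloaded, "verified": True}


def run_installed(app: dict, times: int) -> List[bool]:
    """Every later run executes the same verified local copy."""
    return [app["verified"] for _ in range(times)]


class WebServer:
    """Stand-in for a site serving a JavaScript PGP tool.  It returns the
    next item of a scripted sequence on each fetch, so its code can change
    between visits without any signal to the client."""

    def __init__(self, responses: List[bytes]):
        self._responses = list(responses)

    def serve(self) -> bytes:
        return self._responses.pop(0)


def use_web_tool(server: WebServer, times: int) -> List[str]:
    """Browser model: fetch the tool again on every use.  There is no
    published digest to check against, so each fetch is accepted blindly.
    Returns the digest of what was executed on each use."""
    accepted = []
    for _ in range(times):
        code = server.serve()
        accepted.append(hashlib.sha256(code).hexdigest())  # no comparison possible
    return accepted


if __name__ == "__main__":
    app = verify_once_then_install(GOOD_PACKAGE, PUBLISHED_DIGEST)
    print("desktop install verified:", app is not None)
    print("tampered download rejected:",
          verify_once_then_install(TAMPERED_PACKAGE, PUBLISHED_DIGEST) is None)
    served = use_web_tool(WebServer([GOOD_PACKAGE, GOOD_PACKAGE, TAMPERED_PACKAGE]), 3)
    print("web tool: distinct versions silently executed:", len(set(served)))
```

The point the model makes is that the check in the desktop path only works because the digest comes from somewhere the download server does not control; a web page that serves both the code and any "verify me" text gives the client nothing independent to compare against.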
Drugslist present their web-based PGP alternative as a direct replacement for desktop PGP, which is not the case. Web based PGP is never secure.
They place a link to it right above the box where you send private messages:
Don't know PGP? Check out our client-side PGP encryption tool. No data transferred and everything stays on your device!
All throughout the site, in the FAQ, there on the private message box, it mentions the web-based PGP implementation as an alternative to desktop based PGP, which it certainly is not.
Now this part I can't stress enough: to a security professional, this is a very simple mistake - it is something that even a security professional with only hours of experience would know is a red flag. This is like a mechanic pointing out that the tyre in your car is wobbly and about to fall off.
I noticed that Drugslist had this feature yesterday in their thread about their API. I knew very very little about Drugslist at this time, I had signed up a week earlier and then forgotten about it - not even looking at what vendors are there, etc.
Here is the thread announcing the API:
http://www.reddit.com/r/DarkNetMarkets/comments/1w2rq9/drugslist_launching_optional_new_full_api/
I got to this second paragraph and immediately stopped reading:
Our site now offers, a fully featured API escrow, auto withdraw for vendors, 1% commission payments on any money spent by anyone whom you refer, a fully integrated forum and email system, client side pgp encryption and decryption as well as a very active customer support and development team.
I immediately had to see this for myself - surely they don't mean PGP in the browser, that would be lunacy. I open the site, find the feature - and sure enough they have implemented PGP in a browser using Javascript and are asking users to paste their private keys and secret messages into a web form. This is absolutely unacceptable, especially by a marketplace claiming to be security conscious.
Without reading the thread further, I then write this comment telling Drugslist that they need to change and remove the client-side PGP feature. Drugslist replied quickly, and they partly gave an indication that they understood the issue, but they mainly chose to ignore what I reported.
Edit to add: while we were having this conversation, despite denying it was a problem, every time I went back and checked Drugs List they were adding warnings to the PGP tool that demonstrated they didn't understand the issue. I would check their page and the wording would change to include a warning, I would go back, leave a comment with a counter-point, check their page again and the warning would be updated again based on the comment I left. This shows that they weren't understanding the issue.
What proves it further is the message they have on the PGP page now:
http://drugslisvdknitqd.onion/pgp/index.html
This is in big red writing at the top, and was added after I raised the issue:
While our Javascript PGP implementation is secure, and can be verified by looking at the source code, understand that other websites claiming to have client-side Javascript PGP could be insecure. Be cautious of any site offering client-side PGP. You should always search through the source code looking for Javascript includes, XHR requests and HTML5 outbound data calls.
Note two things here: they are still misunderstanding the issue - there is no way to implement this securely, besides their reassurance. Also note that this is a feature that is supposed to be built for users who find desktop PGP complicated, yet it is asking them to conduct a thorough audit of the PGP code prior to using the tool each time. This is completely unrealistic.
Back on the comment thread, there was also a completely surreal situation where I'm left spending a dozen comments explaining to DrugsList what the actual problem is, since it is clear they don't understand what I'm actually reporting - in the meantime they continue to deny that there is a problem.
I had no idea at the time that this would lead to an hours-long conversation where drugslist would repeatedly deny the existence of numerous security issues despite the clear evidence to the contrary.
I went back up to that original post and kept reading about the API. Two lines later and we have another security issue:
Error 2: API Security Issues
I'll keep this brief. The problems with the API are:
- It asks you to place your marketplace password in the URL of the API. This is a big no-no, since many applications log URLs in plain text. A URL is 'non sensitive' data and all applications treat it that way, you should not be placing passwords into the URL.
- The password used in the API is the same as that used to log in to the marketplace, so if your API somehow leaks, the person finding the password can login as you. This is poor design.
- The API client makes no effort to authenticate the server, and vice-versa. This means it would be incredibly simple to intercept the data passing between the API client and the API server. Running over Tor only makes it easier, since a lot of Tor configs have misconfigured DNS.
The drugslist response to these concerns is that they 'expect' API clients to know these problems and to use them securely.
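The three API points above are easy to show side by side. This is an added illustration written for this post, not the marketplace's API or client; `market.example` is a placeholder host, the usernames, passwords and tokens are constructed, and the access-log line is a constructed example of the common log format that most web servers write by default. The weak request puts the login password in the query string, so it lands verbatim in the log; the hardened request carries a separate API token in a header, so a leaked token does not also give away the account password, and the TLS context verifies the server's certificate and hostname instead of trusting whatever answers.

```python
import re
import ssl
from typing import List
from urllib.parse import parse_qs, urlsplit
from urllib.request import Request

MARKET_HOST = "https://market.example"  # placeholder, not a real host


def weak_request(username: str, password: str) -> Request:
    """The design criticised above: the marketplace login password is sent
    as a query-string parameter, so it is part of the URL."""
    url = f"{MARKET_HOST}/api/orders?user={username}&password={password}"
    return Request(url)


def access_log_line(req: Request) -> str:
    """Constructed access-log entry in common log format.  Servers, proxies
    and browsers log the full request target, query string included, which
    is how URL-borne secrets end up in plain text on disk."""
    parts = urlsplit(req.full_url)
    target = parts.path + ("?" + parts.query if parts.query else "")
    return f'10.0.0.1 - - [01/Jan/2014:00:00:00 +0000] "GET {target} HTTP/1.1" 200 512'


def hardened_request(api_token: str) -> Request:
    """A token distinct from the login password, carried in a header.  It
    never appears in the URL, and revoking it leaves the account password
    untouched."""
    req = Request(f"{MARKET_HOST}/api/orders")
    req.add_header("Authorization", f"Bearer {api_token}")
    return req


def make_tls_context() -> ssl.SSLContext:
    """Client-side server authentication: require a valid certificate chain
    and check that it matches the hostname being contacted."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def secrets_in_url(req: Request) -> List[str]:
    """Log-hygiene check a reviewer can run over a client's requests: names of
    query parameters that look like credentials."""
    qs = parse_qs(urlsplit(req.full_url).query)
    return [k for k in qs if re.search(r"pass|pwd|secret|token|key", k, re.I)]


if __name__ == "__main__":
    weak = weak_request("alice", "hunter2")
    print("weak design logs:", access_log_line(weak))
    print("credential-looking params:", secrets_in_url(weak))
    hard = hardened_request("api-token-0001")
    print("hardened design logs:", access_log_line(hard))
    print("credential-looking params:", secrets_in_url(hard))
```

Note that the hardened request is only an improvement when it is actually sent over a connection built with the verifying context: a bearer token on a connection that does not authenticate the server is still readable by whoever sits in the middle.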
I had now discovered a number of basic security issues in reading only two paragraphs of text from Drugslist, and in all these cases the Drugslist user had responded quickly, completely denying any issue or any problem - and dismissing the concern. This was becoming a pattern and it prompted me to look at the history of this user and this drug marketplace, it didn't take me long to find more hits.
Error 3: SQL Injection
I only had to scroll down 3 or 4 previous threads before finding this thread - where a user of reddit (edit: it was /u/magnus0 - and no matter what you think of how he approached it, he was reporting a bad vulnerability to the site owner rather than exploiting it himself) had reported an SQL Injection vulnerability to DrugsList.
Set aside for a moment what you may believe about how the person reporting that bug behaved or conducted themselves, because this is a very serious issue.
I could not believe what I was seeing as I scrolled through the screenshots attached. I haven't seen this type of elementary SQL Injection bug for years. This stuff used to work 10 years ago, but you rarely see it any more as most programmers and websites have wised up to the simplest of SQL Injection bugs.
Make no mistake about this: what is being demonstrated in that bug is the ability to take control of the application and run whatever commands you wish on the database. This means you can take passwords, steal bitcoin, insert your own vendor account etc.
This is the exact same type of bug that caused both Sheep and BMR to be hacked, except this bug was much, much simpler than either of those.
This SQL Injection bug led to what was now becoming a regular situation - the drugslist user coming in, denying that there was an error, and claiming that the user who found an SQL Injection had only found a 'small bug' and couldn't 'do anything'. He was daring the next attacker to delete/hack his entire site as a way of proving that a bug exists.
This led to a completely surreal comment thread, the kind I have never really had before, where we have the admin of the drug market along with a mod from the sub trying to convince people that this wasn't a real bug - using terms that are taken from information security, but using them in such a way that makes it clear to anybody who knows the field that these guys have no idea of what they are talking about.
The sheer simplicity of the SQL Injection attack led me to open up a browser and to go to Drugs Marketplace and to check for myself to see if I could find any other bugs (having a single simple bug on the main page usually means there are more).
Error 4: Multiple SQL Injection Points
Within 3 minutes of checking their app it was clear that both their search page and their product page are not filtering user input and allow a user to tamper with SQL queries in any way they want.
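For readers who want to see what "not filtering user input" on a search page means, and what the fix looks like, here is an added, self-contained example (mine, not code from the post or from any marketplace). It uses an in-memory SQLite catalogue with constructed rows, including one row that is not meant to be listed publicly. The first search builds its SQL by string concatenation, so the search term can rewrite the query and the unlisted row comes back; the second passes the term as a bound parameter, so the same input is treated purely as text to match and the query's logic cannot be altered.

```python
import sqlite3
from typing import List


def build_db() -> sqlite3.Connection:
    """Constructed in-memory catalogue.  The rows are sample data; the third
    one is deliberately unlisted to show what a broken query can expose."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, listed INTEGER)")
    conn.executemany(
        "INSERT INTO products (name, listed) VALUES (?, ?)",
        [("widget", 1), ("gadget", 1), ("unlisted item", 0)],
    )
    conn.commit()
    return conn


def search_vulnerable(conn: sqlite3.Connection, term: str) -> List[str]:
    """The defective pattern: the user's search term is spliced into the SQL
    text, so quote characters and comment markers in it become part of the
    query rather than part of the data."""
    sql = f"SELECT name FROM products WHERE listed = 1 AND name LIKE '%{term}%'"
    return [row[0] for row in conn.execute(sql)]


def search_safe(conn: sqlite3.Connection, term: str) -> List[str]:
    """The fix: a parameterised query.  The SQL text is fixed; the driver
    binds the term as a value, so it can only ever be compared, not executed."""
    sql = "SELECT name FROM products WHERE listed = 1 AND name LIKE ?"
    return [row[0] for row in conn.execute(sql, (f"%{term}%",))]


if __name__ == "__main__":
    conn = build_db()
    print("normal search, vulnerable:", search_vulnerable(conn, "widg"))
    print("normal search, safe:      ", search_safe(conn, "widg"))
    # A search term containing a quote and a comment marker: the concatenated
    # query's listed-only filter is bypassed, the parameterised one is not.
    odd_term = "%' OR 1=1 --"
    print("odd term, vulnerable:", search_vulnerable(conn, odd_term))
    print("odd term, safe:      ", search_safe(conn, odd_term))
```

The same rule applies to every parameter the application reads, not only the search box: any value that reaches a query must be bound, never concatenated, and the parameterised form costs nothing in readability or performance.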
I private message Drugslist and tell him that he needs to take his site down and come clean about the security issues. I've never seen a site like this. A potential hacker with no knowledge of info sec would only require 10-12 hours of learning to take complete advantage of stealing everything from Drugs List.
Error 5: Server Leaking Info
After discovering the two bugs I come to the conclusion that there is no point in testing this further, since every parameter I test is vulnerable.
I look down at my logs and I can't believe what I'm seeing - the server is leaking critical information about itself that would make it simple for a dedicated adversary to trace down not only the location of the server, but the people running it.
This is worse than Silk Road in the early days, where similar output led the authorities to the location of the Silk Road server.
Error 6: Consolidating everything in one market
The other problem with Drugs List is that in an effort to be convenient they consolidate everything into one website and behind one URL: market, wallets, email, forum and even PGP.
Were the market hacked or taken over by LE, they would get everything - your emails, your messages, your PGP (via the web tool). This is why each vendor and buyer should host each of these separately - email should be with one host, wallet with another, marketplace on another, PGP on your desktop - this rule is the same as the 'diversify your holdings' rule in the finance world, you don't want a single point of vulnerability.
There is also a reason why other markets host their forums and their marketplaces on separate URLs, it's so that you isolate them from each other. The threat model to a forum is very different to the threat model for a bitcoin drug marketplace - you don't want a bug in the forum leading to a complete compromise of your bitcoin drug marketplace.
Over-marketing and under-delivering
If you look at Drugs Lists claims, they keep reiterating security and how they have hired 'PHD's in math' and 'security experts'. There is no chance this is true. Drugs List has almost certainly been put together by a single person with a minor understanding of technology and almost no understanding of security who outsourced the work of programming the marketplace. It is likely that he has hired cheap offshore labour to build this site using a service like oDesk or Elance. I don't believe his programmers know that what they are building is being used as a drug marketplace.
When I search some of these marketplaces for 'bitcoin escrow marketplace' I get a number of hits for people attempting to hire cheap labour to build such a marketplace. Some of these sound a lot like Drugs List, and that would also match up with how the site has been implemented. This is exactly how SR1 was taken down and I have more than enough information to conclude that were a sufficiently motivated adversary interested in taking down Drugs List, they would likely do so in very short order.
It doesn't matter if you believe that I am out to "get" drugs list or not, there is a pattern in his communication where numerous people have reported security or other concerns to them and they are dismissed. So either all these people reporting concerns are crazy (which would include me, two other techs on the SQL injection thread, /u/TMPSchultz and /u/gwern on the multi-sig thread), or drugs list is negligent with user data and are in way over their heads with operating a secretive bitcoin based underground drug market.
Of the 3 issues I reported to them, his replies indicated that he didn't even understand 2 of them. It took me numerous messages to explain what was wrong with doing web-based PGP, despite their first response indicating that they understood the issue and thought it was ok.
There is a pattern here in how features are over-marketed and then under-delivered, and sheer negligence with security reports. The question vendors and buyers have to ask themselves is: do they really trust their identity and money with someone who is not only incompetent in building a website but in utter denial about there being a problem?
IF YOU ARE A VENDOR OR BUYER: Don't trust me - please, find someone you know who is a programmer or a tech and ask them to take a look at these two threads:
- This one where I report the PGP error, which becomes very weird at the end
- This thread, where a user reports a simple SQL injection
That is the least amount of due diligence you should do before using a drug marketplace, especially as a vendor. You will find that even those with a cursory knowledge of programming or info security will find those threads worrying to the point of being amusing.
So uhhh.. Anyone interested in going halfsies on an SQL injection?