Trade Route Cancel After Shipped Exploit

I am here to share an exploit which has affected some. I am sitting on a bunch more.

None of the current markets are good. I wonder when we'll get our hands on some competent developers?

It's very simple to pull off; at the vendor's PoV save the URL to cancel the order (right click on the button, copy link address). Note it down in a notepad document. When you have marked it shipped, and the money is in your account, paste the link in the URL. The PHP script activated does no checks about whether or not it's marked shipped, and will simply flip the flag in the database.

This is a PSA; please do not abuse this, vendors. And to buyers: don't buy non-escrow products right now from vendors you don't normally buy at.
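Added example, not part of the original post and not the market's code: the missing check described above, shown as an unchecked cancel handler beside one that enforces order state and ownership on the server. The market's script was PHP; this sketch uses Python with SQLite, and the table, column, and state names are assumptions.

```python
import sqlite3

# Constructed schema and rows; the market's real tables are not shown in the post.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE orders (id INTEGER PRIMARY KEY, vendor_id INTEGER, status TEXT)")
    db.execute("INSERT INTO orders VALUES (1, 10, 'shipped'), (2, 10, 'accepted'), (3, 11, 'accepted')")
    db.commit()
    return db

def cancel_unchecked(db, order_id):
    """Behaviour the post describes: flip the flag with no look at current state."""
    cur = db.execute("UPDATE orders SET status = 'cancelled' WHERE id = ?", (order_id,))
    db.commit()
    return cur.rowcount == 1

# States from which a vendor-initiated cancel is allowed (assumed policy).
CANCELLABLE = ("pending", "accepted")

def cancel_checked(db, order_id, vendor_id):
    """Cancel only if the order belongs to this vendor and is still cancellable.

    The state test sits in the UPDATE's WHERE clause, so check and write are a
    single atomic statement: a cancel request replayed after the order is
    marked shipped matches zero rows and changes nothing.
    """
    marks = ",".join("?" * len(CANCELLABLE))  # placeholders only, no user data
    cur = db.execute(
        "UPDATE orders SET status = 'cancelled' "
        f"WHERE id = ? AND vendor_id = ? AND status IN ({marks})",
        (order_id, vendor_id, *CANCELLABLE),
    )
    db.commit()
    return cur.rowcount == 1

def status(db, order_id):
    """Current status of one order, for inspection."""
    return db.execute("SELECT status FROM orders WHERE id = ?", (order_id,)).fetchone()[0]

if __name__ == "__main__":
    db = make_db()
    print("shipped order, checked cancel:", cancel_checked(db, 1, 10), status(db, 1))
    print("accepted order, checked cancel:", cancel_checked(db, 2, 10), status(db, 2))
    print("shipped order, unchecked cancel:", cancel_unchecked(db, 1), status(db, 1))
```

Logging the requests that match zero rows gives a detection signal for replayed cancel links.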


Comments


[6 Points] t0mcheck:

[removed]


[3 Points] Reajsjsjs:

OP why would you post this here and not open a support ticket on TR? Either way I hope a vendor can create a test listing for mods to see this. /u/wombat2combat


[2 Points] murderhomelesspeople:

Did you contact trade route about this? They usually respond pretty quick.


[1 Points] hhayn:

So does this affect FE, multisig, escrow or some permutation of the three..? Because the post is a bit unclear, as the last sentence is making me think I can buy escrow products right now from vendors I don't normally buy from. And if it was an FE listing then the money is already gone. And that would only work on a nonfunctional multisig implementation, I think, right? IDK I have never used this market so I guess it isn't clear to me what additional risk this presents.


[1 Points] luma88:

dunno if it's good to share how to do it. just saying which exploit should be enough... i think you should edit your post to prevent that this exploit isn't used too often... poor buyers :(


[1 Points] Killa7839:

You don't know how proud I am to be one of if not the first to suggest this. I finally have a life purpose.


[1 Points] None:

Damn, well I'm using multi signature only from now on. Hopefully the vendors aren't assholes.


[1 Points] Christisrealnigga:

Uh hello mods? Where is the TR warning on the superlist?


[-1 Points] Fraudsterbiz:

bad news, i found a good CC Vendor that has exactly what i need, maybe it's a scam.