realdealmarket - information leak

Hello! I want inform all of you about security leak which realdealmarket have for long time. After login type this url into navbar: trdealmgn4uvm42g [dot] onion/purchases/details/1 - end number can be edited from 1 to 2356 (which is currently latest faked order ID), and you can see all order on the markets ... most of them is going from same BTC address again and again .. so it is repeating or vendors manipulating with their transactions maybe reviews too... There you can see, admin have no skills, he is poor lame and incompetent (because this is very serious security leak). BTW I was inform about this leak admin about month ago but He do not reply to me yet.


Comments


[9 Points] gwern:

That is most embarrassing, and problematic for any customers (now they especially have to worry about blockchain analysis).

But OP, I'm curious: when I try it out*, only about every 1 in 6 order numbers seems to actually work, and the others give me 307 Temporary Redirects to the TRD main page. If orders are incrementing numbers, why does only a subset work?

* using a loop like thus;

$ for i in {1..2500};
do (http_proxy="localhost:8123" wget --retry-connrefused --waitretry=1 --read-timeout=20 --timeout=15 --tries=10 --load-cookies=cookies.txt --user-agent="$(cat ~/blackmarket-mirrors/user-agent.txt)" --append-output=log.txt --server-response --max-redirect=0 "http://trdealmgn4uvm42g.onion/purchases/details/$i");
done


[2 Points] noseybast:

Should of spent more time on his market rather than trying to make himself look intelligent


[3 Points] Trappy_Pandora:

Assuming this is true, and not FUD, thats very kind of you to let the admin know first instead of immediately coming to the forums or reddit about it.


[2 Points] None:

Well, it is Bitwasp.


[1 Points] senior70:

I am curious why is not warning in active warnings section ... o.O


[1 Points] TheRealDealMarket:

First of all I would like to point out that anyone who ties their personal wallet address which is used on clearnet to dnm activity is an idiot (probably the kind of thing you would do and therefor you do not understand the insignificance of this "information"). This is not a major leak - BlackBank was one of the largest markets and has/had all their addresses public for anyone to view on blockexplorer. So what is the problem?

Second of all, order IDs are never faked, fact is for some reason (which we will look into) you got only a 6th of all orders, not to mention that some orders are deleted.

You are a child "Inspector" .. you have tried twice to blackmail us over this nonsense and I will make sure our other admin posts screenshots of those sad attempts soon... Instead of doing anything good for the community, you choose to be another "mr nice guy" .. I am sure most people can see straight through your sad attempts.

We also saw you doing this in real time by the way, someone is always monitoring the servers, just didn't care because it is meaningless. Why don't you go out and play or perhaps do something productive and useful with your time?

Get well soon,

TheRealDeal Admin


[1 Points] None:

[removed]