Alphabay 2-FA security flaw

Today on 6/25/17 I encountered a glaring security flaw with alphabays 2-fa system.

I went to log in and were the 2-fa decryption message normally is, there was a message that there was an issue with my PGP key and to change it in my profile. There was no message to decrypt, it just showed my 2-fa login code in PLAINTEXT!.

The thing is, there was no issue with my PGP key, its been the same key ever since I started vending and I haven't changed it. There was no reason for this to happen, and anyone could have gotten into my account. I can't have people getting into my account, I'm a level 4 vendor with over $30k of business conducted on alpha bay in just the past 2 months.

I went to my profile and updated my PGP key to the exact same one I've always been using, and that seems to have fixed the issue.


Comments


[10 Points] pinochetHA:

This has happened to me on a normal account I operated there. I got the same message to change my key. I didn't and 2fa worked fine on all logins after that.


[9 Points] murderhomelesspeople:

This has been reported lots, still haven't heard an official explanation.

https://pay.reddit.com/r/DarkNetMarkets/comments/68093r/weird_alphabay_2fa_login_anyone_else/

https://pay.reddit.com/r/DarkNetMarkets/comments/68kyl0/problem_with_2fa_alphabay/

https://pay.reddit.com/r/DarkNetMarkets/comments/6b1rm2/wtf_is_this_message_from_alphabay_am_i_being/

That's just a couple. A pretty bad opsec flaw on their part considering 2-FA is the first place everyone goes when someone claims to get phished.


[5 Points] None:

Vendors get phished all the time and if 2FA protection isn't guaranteed then they have all rights to be worried.


[2 Points] fuk-yt-people:

Thats is there for AB mods bypass the 2fa to steal your money .. you notice vendors say this then a few month or weeks later they claim they have been either phished or had there account blocked and most likely dumped of coins


[1 Points] everlastingGob:

Yea happend to me a few times pretty weird.


[1 Points] Wamboz:

/u/alphabaysupport


[1 Points] zysr90:

Everyone knows alpha is an insecure shithole run by carders that care more about stealing money from banned and inactive accounts than their own security. I lost 7k from this site locking me out for nothing and followed that coin to wallet and wallet.


[1 Points] That_Guy_389:

Highlights the importance of having a strong password (15 digit randomly generated)


[1 Points] trasnor:

Yep can confirm I saw the same exact bug about a week ago. Probably all it is, shitty code on their end, and instead of locking you out when their 2fa code breaks, it just lets you in instead.


[1 Points] Bossmanrizzle12:

My pgp key couldn't decrypt the message on my old account


[0 Points] BarryHash:

anyone could have gotten into my account

Been sharing your username and password with random people on the internet have you?


[0 Points] maywest44:

Yea, this sounds like one of those things that might just be a "one off" phishing link pop up, or something - I have occasional problems with the Captcha on A/B, but other than that, the F2A has worked flawlessly for me. (on Tails 2.12, at least - still setting up 3.0)

Hope it works out for you !


[-1 Points] drugaudits:

Why would someone else know your password to even get to that screen?

I agree this is a flaw, but someone getting to the 2fa screen shouldn't be happening with good opsec


[-1 Points] power78:

I hope you all just assume the government is running alphabay by now...