Let's talk about AlphaBay's message vulnerability

I've just been doing some catching up and dug up some information regarding AlphaBay's new vendor API. A very useful and innovative feature, to be honest; I think other markets should follow suit as long as they can do so securely. It could definitely help busy vendors with multiple team members.

Anyway, not to throw shade their way after bigging up this new feature, but something like this, which allows you to return data from your account, should be combed with a huge amount of testing, to the point where you know it is 100% secure, absolutely airtight.

Did AlphaBay do this? The answer is no. When they first released the API in April, for the first day, anyone could access all* messages through it.

*to the point of the request limit.

After a fix was issued, it was announced that 1.5% of messages had potentially been accessed. The response also mentioned that the messages in that block were useless regarding refunds, etc. Honestly, that is not the point. I truly believed the admins were competent enough to simply test each parameter of an API that could return such sensitive data. This fuck-up could realistically have caused a lot of damage to some people's lives if there was any personal information involved, which there could have been; they could happily downplay it, unless they want to provide some transparency on this. It just seems like it was brushed under the carpet, and I can't find any mention of it on Reddit, so it was kept as quiet as possible.

This was a seriously dangerous vulnerability that could have put people's freedom on the line; it could possibly be LE that downloaded the messages, we don't know that. To simply say it is now fixed and that it is not an issue is completely unacceptable in my opinion.

Transparency please, more details. Someone page whoever the fuck has infiltrated their ranks because I'm out of the loop.


Comments


[7 Points] -hashtag:

I am of the opinion that Alpha-Bay is here to stay, for a few different reasons. Firstly, they have been operating for a LONG time, I think longer than any other market. Secondly, they are always adding features that have NEVER been seen on DNM markets before, like the API access, shared access, autoshop, tumbling withdrawals, partial FE, and multi-sig. Thirdly, I don't see another market coming close to what Alpha-Bay has done in terms of features.

Usually exit scams include establishing a new market, gaining a following there, and then taking the older market offline and pocketing the coins, so that the new market now gets a large amount of 'refugee' users. I see no other market like it that would suffice as a replacement.

Alpha-Bay's support sucks dick though, especially the good-for-nothing BigMustash (or whatever that fuck's handle is), the good-for-nothing mod who doesn't even read the request and copy-pastes the same exact generic message in all the responses.

ALPHA-BAY should fire that dumb fuck of a mod. Otherwise, I think Alpha-Bay will be around for some time.


[3 Points] GottaGoFastGOGOGO:

AB was one of the first markets to even attempt an API. Of course there were problems initially, but it works great now and it was a very MINOR fuck-up. Have we heard of anyone accessing valuable information stored in those texts other than cleartext addresses and "It's been 4 days, where's my pack" messages?

Shit happens. AB fucked up, admitted they fucked up and fixed it. Y'all are gonna be sad whenever AB does decide to exit scam, because you don't know how good you guys have got it right now; the last couple of weeks it's easily been as stable and active as Agora and Evo at their peak.


[2 Points] None:

[deleted]


[1 Points] Anti-Hero_AU:

Let's talk about AlphaBay's message vulnerability

We already did, a month or two ago now:

What rock u been under? o_0


[1 Points] alphabaysupport:

Hello Axaq. Thank you for bringing up this issue. I, as security administrator, think my security incident report and response to this was left out; it had minor impact, as you pointed out (1.5% access to old messages), but as you said that is not the main point. From your words I understand the main point is principles (security-related, management-related) and I completely agree, so let me tell you about them and why AlphaBay is built around principles.

Starting from the Administration and Senior Staff members of AlphaBay, all were checked before working (other Staff members too, but they do not fit into this category) because at the time (and continuing now) they were trusted carders and hackers, vouched for regarding their knowledge and business skills/products/services. Now half of you on this reddit will say it's not something to brag about or a positive thing to have on a resume, especially when running a DNM or being involved in any part of it in any way, but I assure you it is quite the opposite. In these circles, to be proven requires trust over a long period, which means business over a long period with many people with no cheating, regardless of what type it is, which in turn can only be accomplished by showing consistency, which in turn needs one to have principles to follow on a daily basis to succeed. Having a proven record of it and establishing a similar Web of Trust in AlphaBay, every single user of AlphaBay knows it is our reputation on the line, which we have worked for very hard and which is the core ingredient of our source of income, and fucking it up is a bad move with severe consequences.

For us it is very important to have trusted people with a backed history to lead and be put in trust when it comes to such scales. In contrast, every other DNM had a 'mystery' admin team behind it, without anyone knowing who they are or where they come from, or credentials to prove legitimacy, yet thousands of people put their trust in such markets. To build something lasting you need verified individuals/a team of individuals, and this is what the AlphaBay team is here for. Something I have made clear before is that I stay true to the scene and will stand with AlphaBay as long as we keep principles, which keep the community safe and ourselves as well. What principles, you might ask?

Interestingly enough, if any of you have noticed, many markets used the very same spamming tactics to gain popularity, including bashing names and discrediting, along with other nasty tricks they attempted. A perfect example of how we are not part of this ongoing ring of scamming markets/teams of scammers is that our name was constantly bad-mouthed and not a single good post was made for us on this reddit; those are facts. Instead of going after explaining and campaigning about this, we decided time will teach people to understand that credibility is important, as well as principles.

Now that you have been given reasoning and arguments supported with evidence, and understand that what we do is serious to us and that we will stick to our principles, including security ones, we can talk about the real security in AlphaBay and what was really done that day to slow down the attack before it was shut down in a matter of hours: transparency, as you requested.

Thanks to security measures we had already put in place ages ago, like firewalls and custom code for protection, as well as our complex network infrastructure, we are able to handle/mitigate many if not a very large percentage of known attacks. Further, should an intrusion be able to bypass the WAFs and firewalls and somehow not trigger any alarm on the ID(P)S, then it would be a matter of milliseconds for our security protocols to kick in, automatically and completely shut down access to any of the servers or databases, and alert Administration. In this specific case, the API feature was thoroughly tested security-wise by myself and other admins, but upon deployment it was unforeseen that some environment variables were set and needed to enable some additional functionality (the vulnerable code was 1 line of code) to test out, which were later forgotten by one of the admins deploying it, and this was the core oversight which led to this. That day, when the working code was implemented, I set off early due to working a long time, and a few hours later other admins on the shift saw the access logs. Again, only less than 1.5% were accessed, so Axaq you are wrong when you say '1.5% had potentially been accessed'; we are 100% certain only 1.5% of the messages were accessed, as we see the logs and tell you as it is. At the end of the day no major damage was done, regardless of how much you want to stretch the topic or how you flip it. On top of all, the vulnerability was logical; it did not allow injection into the database or writing to the server. We know what we are doing in terms of security. It was a fuck-up which we openly admitted and mitigated, but honestly, it was due to the long hours we put in writing, testing, and this endless cycle. Again, thanks to our defenses and quick intervention there was no major damage; this alone proves we know what we are doing.

More talk about principles: it could have saved people's lives if they were smart about it when using DNMs. If they read any basic guide they will know the very basic thing they need to do, and any meaningful tutorial will say, as one of the first things, to always encrypt your communication, especially any sensitive information. If users had clicked 'automatic encrypt message to vendor', which does not require the user to have a PGP key in AlphaBay (it is encrypted with the server's main PGP key), then these messages would have been secure from being read in clear text. If users used PGP, then again these messages would not be readable. In case of a raid, servers are going to be seized; whether they will be able to do so without our protocols detecting tampering and shutting down everything to an encrypted state is another matter, and there is a possibility for LE to read messages or any kind of information being stored in clear text. Of course, that would not be the case if you followed principles and encrypted (as we do with everything worth encrypting, plus giving you the options to do so yourself), and it only costs you a few clicks and a little bandwidth.

Post too long, see part 2 reply.
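The oversight described in the reply above (an ownership check on a message endpoint that a deployment-time toggle could switch off, later sized from access logs) is a common pattern in account-scoped APIs. As an added illustration, not AlphaBay's code and not from this thread, the following Python shows a message handler whose ownership check can be disabled by a hypothetical environment variable, the hardened handler with no such toggle, and an audit over constructed access-log lines that counts how many stored messages were read by accounts that did not own them, the kind of figure the "1.5%" statements in this thread rest on. The names (`API_DEBUG_SKIP_AUTHZ`, the vendor accounts), the log format and all data are assumptions.

```python
"""Message API ownership check: toggle-bypassable vs. hardened, plus a log audit.
Added example; everything here (names, log format, data) is constructed."""
import os
from dataclasses import dataclass
from typing import Callable, Dict, Mapping, Optional, Set


@dataclass(frozen=True)
class Message:
    msg_id: int
    owner: str   # account that may read this message
    body: str


# Constructed sample message store (hypothetical data).
MESSAGES: Dict[int, Message] = {
    1: Message(1, "vendor_a", "order #1 shipped"),
    2: Message(2, "vendor_a", "address for order #2 ..."),
    3: Message(3, "vendor_b", "refund request"),
    4: Message(4, "vendor_c", "where is my pack"),
}


class NotFound(Exception):
    pass


class Forbidden(Exception):
    pass


def get_message_vulnerable(msg_id: int, caller: str,
                           env: Optional[Mapping[str, str]] = None) -> Message:
    """'Before' shape: a testing toggle left in the environment disables the
    ownership check, so any authenticated caller can read any message by id.
    API_DEBUG_SKIP_AUTHZ is a hypothetical variable name."""
    env = os.environ if env is None else env
    msg = MESSAGES.get(msg_id)
    if msg is None:
        raise NotFound(msg_id)
    if env.get("API_DEBUG_SKIP_AUTHZ") != "1" and msg.owner != caller:
        raise Forbidden(msg_id)
    return msg


def get_message_fixed(msg_id: int, caller: str) -> Message:
    """Hardened shape: the ownership check is unconditional and not configurable.
    A missing message and someone else's message get the same error, so the
    endpoint does not reveal which ids exist."""
    msg = MESSAGES.get(msg_id)
    if msg is None or msg.owner != caller:
        raise NotFound(msg_id)
    return msg


# Constructed access-log lines: "<timestamp> <caller> <msg_id> <http_status>".
ACCESS_LOG = """\
2015-04-01T10:00:01Z vendor_a 1 200
2015-04-01T10:00:05Z vendor_b 1 200
2015-04-01T10:00:09Z vendor_b 2 200
2015-04-01T10:00:12Z vendor_b 3 200
2015-04-01T10:00:20Z vendor_c 4 200
2015-04-01T10:00:25Z vendor_c 9 404
2015-04-01T10:00:30Z vendor_a 3 403
"""


def audit_cross_account_reads(log_text: str,
                              store: Mapping[int, Message] = MESSAGES) -> Dict[str, Set[int]]:
    """Map each caller to the ids of messages it successfully read but does not own.
    Only status 200 counts; denied (403) and nonexistent (404) requests are skipped."""
    hits: Dict[str, Set[int]] = {}
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[3] != "200":
            continue
        _ts, caller, msg_id_s, _status = parts
        try:
            msg_id = int(msg_id_s)
        except ValueError:
            continue  # malformed line: skip rather than abort the audit
        msg = store.get(msg_id)
        if msg is not None and msg.owner != caller:
            hits.setdefault(caller, set()).add(msg_id)
    return hits


def exposure_fraction(log_text: str,
                      store: Mapping[int, Message] = MESSAGES) -> float:
    """Fraction of all stored messages that were read by a non-owner."""
    exposed: Set[int] = set()
    for ids in audit_cross_account_reads(log_text, store).values():
        exposed |= ids
    return len(exposed) / len(store) if store else 0.0


def raises(exc: type, fn: Callable, *args, **kwargs) -> bool:
    """True if fn(*args, **kwargs) raises exc; used to check the handlers."""
    try:
        fn(*args, **kwargs)
    except exc:
        return True
    return False


if __name__ == "__main__":
    print("vulnerable, toggle on:",
          get_message_vulnerable(1, "vendor_b", env={"API_DEBUG_SKIP_AUTHZ": "1"}).body)
    print("fixed, non-owner denied:", raises(NotFound, get_message_fixed, 1, "vendor_b"))
    print("cross-account reads:", audit_cross_account_reads(ACCESS_LOG))
    print("exposure fraction:", exposure_fraction(ACCESS_LOG))
```

Two design points worth noting: the hardened handler has no configuration path at all that can weaken authorization, so a forgotten deployment variable cannot reopen the hole, and it returns the same error for "does not exist" and "not yours", which keeps a caller from enumerating valid ids. The audit deliberately counts only successful reads of messages the caller does not own, so an exposure figure derived from it is grounded in what the logs show rather than in what was merely requested.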