[PSA] If you use [Grams]Flow I *WILL* steal your Bitcoins.

EDIT: /u/gramsadmin has made some changes to his site; specifically, he now offers https, so some of the risks I mention below are no longer risks, or are avoidable. I will update this post once I've had a chance to review fully.


Grams flow is a service that redirects you to your favorite market. Unfortunately it is unsafe by design because it uses unencrypted http and is easily exploited.

How are you going to steal coins?

Quite simple actually:

Why am I doing this?

Well if I don't do it, someone else will.

Wait, I just used it and it worked fine

Yes, unfortunately I only run one exit node. It's unlikely you'll hit my node very often, but occasionally you will.

Ah, but I can check the redirect address to see that it's valid

That's great for you - but most people won't bother. That's why they are using the redirect service.

Did you talk to the Grams admins first before doing this?

Yes. They don't think you're at any risk. See my comments on this thread: https://pay.reddit.com/r/DarkNetMarkets/comments/27m333/grams_update_grams_newest_feature_flow/

What should I do to be safe?

Never use an untrusted source for your darknet market URLs! Most sources cannot and should not be trusted! The best thing to do is write down / save the address somewhere private and always use your private copy.

[To the Grams folks: No hard feelings, I know you mean well, but I believe it's important to take security seriously.]


Comments


[14 Points] Trappy_Pandora:

I think a better title would be, "[PSA] If you use [Grams]Flow I WILL ATTEMPT TO steal your Bitcoins via PHISHING"


[8 Points] hugsfordrugs:

To echo what /u/Lobali has said, while security advice is appreciated and helpful to everyone who uses the service in question, a claim such as "I WILL steal your Bitcoins" is completely sensationalist and overblown. You and /u/gramsadmin got into a scrum in another thread, and you got miffed enough to post this with such an over-the-top title.

For anyone reading, take the OP's comments with a grain of salt and understand that while it is possible, it's very unlikely that he will ever have the chance to steal your BTC. Be safe and always, always double check the site URL before you enter your login info.


[4 Points] None:

ANY redirect from http to onion has that vulnerability and it's worthwhile to remind people to look carefully at the URL on landing and exercise caution. Sidebar links or any of the plenty of other similar mechanisms have the same potential exploit.

But, I have to say your post comes off as aggressive specific to grams and not so much a PSA type reminder of something people know to be careful to mind. Threatening to personally steal people's bitcoins via exploit is less helpful than posting an actual PSA reminding people to be mindful of it.


[4 Points] gramsadmin:

Have fun. Users, just remember the last few characters of the markets you use, which you should be doing anyway, and make sure you are at the right URL before putting in your password, which you should be doing anyway. It is just as easy for /r/dnm or deepdotweb, which is also not encrypted, to give you bad links if they get compromised. All of which is a 1 in a million chance.
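An added example, not code from the thread or from Grams: a small Python check that compares a redirect's target against a privately kept copy of the market address (the OP's advice), next to the weaker "last few characters" comparison described in this comment. The market name and .onion address are constructed placeholders, not real sites.

```python
from urllib.parse import urlsplit

# Constructed sample "private copy" of market addresses (placeholders, not real sites).
PINNED = {
    "examplemarket": "abcdefghijklmnop.onion",
}


def host_of(url):
    """Lower-cased host part of a URL, or '' if it has none."""
    return (urlsplit(url).hostname or "").lower()


def check_redirect(market, location, pinned=PINNED):
    """Verify a redirect target (e.g. a Location header value) against the pinned copy.

    Returns (ok, reason). ok is True only when the scheme is http or https and
    the host is exactly the pinned address for `market`; anything else is refused.
    """
    expected = pinned.get(market)
    if expected is None:
        return False, "no pinned address for this market"
    parts = urlsplit(location)
    if parts.scheme not in ("http", "https"):
        return False, "unexpected scheme: %r" % parts.scheme
    host = (parts.hostname or "").lower()
    if host != expected:
        return False, "host %r does not match pinned %r" % (host, expected)
    return True, "matches pinned address"


def suffix_check(location, expected, n=4):
    """The weaker habit: compare only the last n characters before '.onion'.

    A different address that happens to end in the same characters passes this
    check but fails check_redirect(), which compares the whole host.
    """
    def label(host):
        return host[:-len(".onion")] if host.endswith(".onion") else host
    return label(host_of(location)).endswith(label(expected)[-n:])
```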


[3 Points] gramsadmin:

So would you agree that tomorrow, when I get the ssl CA, it will be the safest place to get links from besides the markets, since the US gov. could change links on the reddit page without anyone noticing? Also, when I get the ssl CA tomorrow, will you make a retraction post?


[1 Points] insayan:

If you use the ATM next to my house I WILL steal your money.


[1 Points] None:

You would have to be incredibly quick to get any of my buttcoins.


[0 Points] thuiett:

A real bitcoin scammer is proebooks on pandora. He will ask for green dot money pack numbers, then you're scammed. Don't let this happen to you.


[-1 Points] bowtie25:

Yeah that doesn't seem safe at all to use haha


[-1 Points] sharpshooter789:

I alter any grams http requests so they redirect to a fake market site.

How do you expect to accomplish this? Did you compromise the server? Having an exit node accomplishes nothing since hidden services act as their own exit node.


[-1 Points] over9000pies:

Sorry if I'm naive, but why the fuck are we stealing bitcoins from each other?? We're all here trying to get self medicated in a world that doesn't allow that. What gives?