Just making sure the people here stay safe.
For anyone who read the news of this new market. Such incompetence.
In less than 15 minutes after registering to this market I was able to easily get access to their full database of profiles, as well as some leaked system configuration (server engine, its version and operating system).
Basic error handling issues:
https://cdn1.imggmi.com/uploads/2018/2/4/80239348b6b59d46ac7a357aacf4c648-full.png
Configuration leak:
https://cdn1.imggmi.com/uploads/2018/2/4/2bd03c252aea00ff063db18518d7d219-full.png
There is no CSRF protection for forms related to funds withdrawal. This is a crucial security flaw.
To add insult to injury, I managed to get access to all conversations sent between users.
Even though there are barely any, this is still a crazy security breach.
Here's the list of their current users as I grabbed it.
Sydney
Administrator
Admin
DeSnake
Moderator
alpha02
DreadPirateRoberts
johndoe
NiggaIm300
Lorenzo
fixer
reqwa
alphabay
martin
elf
EmpireMarket
empire
Zeus
test121
DeepMeds
Billz226
penissmith
penisschmidt
FuckYourPlug
Moderation
T666
EmpireSupport
CustomerSupport
swisscheesecaveman
theturtleinasuit
TechnicalAdmin
fives
cookie
administrator
killuminati23
userunknown99
killphisher666
killuminati
PandaPro
onlooker
beta02a
Bitch
timtimtim
tesla450
midroach
fruitrockz
Drago
engineer
Uljanov0905
vladistar
DrunkDragon
fuckyou
kivley
BobTheDog
dadsadsa
rail
Bud
plasticSHOCKSm
thecat
supercanuck
CanadianConnect
Green
Spritex
mihilyf
onlooker
plaguedoctor
tripking
KingCookieMonster
In short, these guys are noobs when it comes to DN stuff. I'm sure if I spent more time I'd find many more vulnerabilities.
If you want to put your life in jeopardy, this would be a good place to start.
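The missing control called out above (no CSRF protection on the funds-withdrawal forms) is the classic case for a session-bound anti-forgery token. The following is an added illustration, not code from the post or from the market in question: a simulated withdrawal handler in its unprotected form next to a hardened form that rejects any POST whose form field does not carry the token derived for the caller's session and whose Origin header, when present, is not the site's own. The function names, the request/session dictionary shapes, the `SERVER_SECRET` and the `https://market.example` origin are all constructed for the example.

```python
import hashlib
import hmac
import secrets

# Constructed for this example: a per-deployment secret used to derive
# session-bound CSRF tokens. In a real service it would come from config.
SERVER_SECRET = secrets.token_bytes(32)

# Constructed: the only origin from which a withdrawal form may be submitted.
ALLOWED_ORIGINS = {"https://market.example"}


def issue_csrf_token(session_id: str) -> str:
    """Derive the anti-forgery token for a session as HMAC(secret, session id).

    The server embeds this value in a hidden field of the withdrawal form.
    Because it is keyed with SERVER_SECRET and bound to the session, a page on
    another origin cannot know or forge it.
    """
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def handle_withdrawal_unprotected(request: dict, session: dict) -> tuple[int, str]:
    """The weak pattern: act on any authenticated POST, trusting the cookie alone.

    A victim's browser attaches the session cookie automatically, so a form
    auto-submitted from any other site is honoured as if the user sent it.
    """
    return 200, f"withdrew {request['amount']} to {request['destination']}"


def handle_withdrawal(request: dict, session: dict) -> tuple[int, str]:
    """Hardened handler: require a valid session-bound token and a same-site Origin.

    `request` holds the submitted form fields plus the `origin` header (if any);
    `session` is the caller's server-side session, which must carry an `id`.
    """
    # Reject cross-origin submissions outright when the browser sends Origin.
    origin = request.get("origin")
    if origin is not None and origin not in ALLOWED_ORIGINS:
        return 403, "cross-origin request rejected"

    # Compare the submitted token against the session's expected token in
    # constant time; a missing field compares as an empty string and fails.
    submitted = str(request.get("csrf_token", ""))
    expected = issue_csrf_token(session["id"])
    if not hmac.compare_digest(submitted, expected):
        return 403, "CSRF token missing or invalid"

    # Only now is the state-changing action performed.
    return 200, f"withdrew {request['amount']} to {request['destination']}"


if __name__ == "__main__":
    session = {"id": "sess-0123"}  # constructed sample session
    form = {"amount": "0.5", "destination": "dest-xyz"}  # constructed sample form
    print(handle_withdrawal_unprotected(form, session))   # (200, ...) with no token at all
    print(handle_withdrawal(form, session))               # (403, ...) token missing
    form["csrf_token"] = issue_csrf_token(session["id"])
    print(handle_withdrawal(form, session))               # (200, ...) legitimate submission
```

The token is derived rather than stored, which keeps the check stateless; the trade-off is that anyone holding the session id can derive the token, which is acceptable because the session id is already the authentication secret. Setting the session cookie with `SameSite=Lax` or `Strict` adds a second, browser-enforced layer, but the server-side token check is the one a defender should not omit.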
I bet you can't steal all their monies