I have been conducting tests on a few markets this week to try to exploit simple holes in their security that have been overlooked. This has allowed me to achieve quite a worrying result: the exploits are so simple that they could, in theory, be used by law enforcement to de-anonymize users quite effectively, or they could be used by the wrong person and money could be stolen.
I have previously publicly posted about my claims in regard to Place Market, which was in discussion to be added to the Super List. I am still awaiting a reply from them since providing proof, but they don't seem to have been active.
I have also successfully executed similar attacks on "Open Road Market", and I am in the process of bringing this to their attention right now. This post is just to serve as a warning to the community right now, and I will not be providing public proof, as it may help others to discover the exploits and use them illicitly; however, the mods have verified my findings independently.
Exploits found to work on both markets:
- Duplicated main Admin account
- Redirect any user to any URL (could be a phishing URL or even clearnet)
- Prompt users with a fake authentication page within the same onion address, asking them to confirm their withdrawal PIN and in turn sending all of their on-site wallet funds to an address of my choosing
- Send authentic admin messages to users
I hope that, following my contact with the market admins, these can be fixed urgently, and I would appreciate a bug bounty being paid.
Screenshots for proof:
http://ln6vyadk4hv3dnyt.onion/i/1bhmo3bqb.jpg