Anyone verified the Sourcery market vulnerabilities reported by /u/t0mcheck?

Some very damning vulnerabilities were reported here:

https://www.reddit.com/r/DarkNetMarkets/comments/6qvs2m/sourcery_market_security_vulnerabilities/

Anyone else managed to verify the existence of these vulns?


Comments


[4 Points] USAUG:

The site is up and running... they posted an answer on the main page:

Sourcery Response to Security Findings

I wanted to take time to address the issues that were uncovered by a few pen testers. We acknowledge that we had a slip and we have corrected the issues uncovered. The most devastating was the PM leak and I greatly apologize to each and every one of you. One of our promises when opening the market was that we would operate differently - we wouldn't hide or try to cover up problems but we would be open and transparent about them. Some points I do want to make:

No contractual data was exposed. There was no compromise in the financial part of Sourcery.
Your wallets were never compromised. Also, since we don't keep coin on the market, your coin was never in danger.
No accounts were compromised. We do encrypt passwords and the mnemonic in our database (not just md5 hash, full encryption).

How did this happen? We had a deployment that broke a section of the authorization logic. It wasn't fully broken, but what it did was on certain pages, such as the PMs, the bug allowed the page to load, then it redirected to a default page. On a browser, this wasn't noticeable at all because the redirect happened quickly. But running it in curl or any other automated tool, the tool would have picked up on the page load, then the redirect request. We know we have an uphill battle to regain your trust, but I hope sincerely that we can. We are acknowledging our shortcomings and working so that this doesn't happen in the future.

One other point I wanted to bring up was we saw some speculation on our image uploader and whether or not malicious code could be injected. We will have pen testers verify what we have found to ensure this is not the case, but we do image analysis when you upload a photo. Many of you actually have run into problems b/c of that analysis. When you upload an image, we analyze that image to make sure it's actually an image. We don't just look at the file extension. You can try it out yourself. Go upload a piece of code, name it something.jpg and try to upload it. It will be rejected. Also, along these lines, someone mentioned that the image fetching was taking a path to a directory and loading the file. This is not the case. The images actually aren't accessible via the directory. This is why it requires going through the "loader" to fetch images. Your images are not saved in the "images" directory of the web application. This is absolutely not the case. If you ever noticed in the code, to fetch an image, the URL is something like

. The photo is not stored as "blah.jpg". This is simply a key to look up your photo and fetch it. You will not find a file called "blah.jpg" on our server. We generate a lookup name and this is what is used to fetch the image. You cannot fetch your image by any URL in the address bar because the image simply is not available in the web app directory. We do this on purpose for security reasons. Again, we will make sure our pen testers confirm this for us, but there was a reason we did things this way. In short, we not only analyze your upload to make sure it's actually an image, we store it in such a way that it's not accessible directly on the URL.

What are we doing?

We are going to slow down our deployment process and ensure that even little changes undergo rigorous testing before release.
We have hired a new pen tester who will be hitting our platform and providing a report. We are in the works with hiring an additional pen tester and perhaps another person to do code auditing (need to see the logistics on this).
Obviously we are also doing additional code audits and testing on our own along with the outside consultants.

We have no excuse for what happened and we are quite embarrassed. We want to work on the issues and harden everything to ensure that everyone is protected. We will not have this sort of slip again, and we hope that we can regain your trust in Sourcery; we will work diligently to ensure you are happy here.
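The response above describes two things worth seeing in code: an authorization check that sets a redirect but keeps rendering (so a client that does not follow redirects, such as curl without -L, still receives the protected body), and an upload path that validates file content rather than the extension and serves images through an opaque lookup key instead of a directory path. The following is an added illustration written for this thread, not Sourcery's code; it uses only the Python standard library, the message and image bytes are constructed, and every function name (pm_page_vulnerable, pm_page_fixed, redirect_leaks_body, try_store, load_image) is hypothetical.

```python
import secrets

# Constructed sample data for this example only (not real market data).
PRIVATE_MESSAGES = ["pm#1: shipping details", "pm#2: tracking number"]

REDIRECT_STATUSES = {301, 302, 303, 307, 308}


def render_pms(pms):
    """Render the private-message page body (toy HTML)."""
    return "<ul>" + "".join(f"<li>{m}</li>" for m in pms) + "</ul>"


def pm_page_vulnerable(session, pms=PRIVATE_MESSAGES):
    """Mirrors the bug described in the thread: an unauthenticated request
    gets a redirect status and Location header, but rendering is not
    stopped, so the protected body still goes out in the same response."""
    status, headers = 200, {}
    if not session.get("authenticated"):
        status, headers = 302, {"Location": "/index"}
        # BUG: no early return here; execution falls through to rendering.
    body = render_pms(pms)
    return status, headers, body


def pm_page_fixed(session, pms=PRIVATE_MESSAGES):
    """Hardened form: deny by default, and return the redirect before any
    protected content is rendered."""
    if not session.get("authenticated"):
        return 302, {"Location": "/index"}, ""
    return 200, {}, render_pms(pms)


def redirect_leaks_body(response):
    """The check a non-following client exposes: a redirect response that
    still carries a non-empty body. Useful as a regression test on every
    protected route."""
    status, _headers, body = response
    return status in REDIRECT_STATUSES and len(body) > 0


# --- Image upload: validate content, store under an opaque key ----------

# Leading bytes of the formats accepted here (JPEG, PNG, GIF87a, GIF89a).
MAGIC_PREFIXES = (b"\xff\xd8\xff", b"\x89PNG\r\n\x1a\n", b"GIF87a", b"GIF89a")

# Opaque key -> bytes. Nothing is written under a web-served directory.
IMAGE_STORE = {}


def looks_like_image(data):
    """Content sniffing: accept only data whose leading bytes match a known
    image signature, regardless of the client-supplied extension."""
    return any(data.startswith(p) for p in MAGIC_PREFIXES)


def try_store(filename, data):
    """Reject non-images and otherwise return a random lookup key. The
    client's filename is never used as a storage path or URL component."""
    if not looks_like_image(data):
        return None  # e.g. a script renamed to something.jpg is refused
    key = secrets.token_urlsafe(16)
    IMAGE_STORE[key] = data
    return key


def load_image(key):
    """The 'loader' endpoint: a dictionary lookup by key, not a filesystem
    path, so there is no directory for a URL to reach into."""
    return IMAGE_STORE.get(key)


if __name__ == "__main__":
    anon = {"authenticated": False}
    print("vulnerable leaks body:", redirect_leaks_body(pm_page_vulnerable(anon)))
    print("fixed leaks body:     ", redirect_leaks_body(pm_page_fixed(anon)))
    print("code named .jpg:      ", try_store("evil.jpg", b"<?php echo 1; ?>"))
    print("real jpeg key:        ", try_store("photo.jpg", b"\xff\xd8\xff\xe0" + b"\0" * 16))
```

The redirect check is the part most worth automating: hitting every authenticated route with an unauthenticated client that does not follow redirects and asserting an empty body catches exactly the class of slip the post describes, before a deployment ships it.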


[4 Points] gregsterb:

EVERYONE SHOULD SEE THIS. THIS IS HOW A MARKET SHOULD REACT. THERE IS A FUTURE IN THIS SITE AND THEIR TEAM!


[5 Points] AI-Bourne:

You can test it for yourself actually, it's simple


[3 Points] dankgrilled:

Wondering the same thing


[1 Points] AutoModerator:

/u/t0mcheck - You have been summoned in this thread by /u/Dontworrybeready.

This convenience is brought to you by AutoMod. Submissions do not automatically summon users like comments do. AutoMod is trying to be helpful.

For others, it should no longer be necessary to summon the referenced user in a comment any more. AutoMod has done the heavy lifting for you. You're welcome. Bow before me.

I am a bot, and this action was performed automatically. Please contact the moderators of this subreddit if you have any questions or concerns.


[1 Points] Inthewirelain:

They took it down did they not? Is it back up?

https://www.reddit.com/r/SourceryMarket/comments/6qwxnm/sourcery_down_for_a_little_bit/

https://www.reddit.com/r/DarkNetMarkets/comments/6qwyeu/sourcery_market_down_briefly/?utm_content=comments&utm_medium=user&utm_source=reddit&utm_name=frontpage