SECURITY WARNING: Agora Feedback Vulnerability

As the system is currently configured, a vendor can change the title of a product and keep the previous feedback.

Vendors take advantage of this by offering a very low-priced item initially and then, after the feedback rolls in, they change the item to a much higher-priced item, in some cases requiring FE. These items are then not delivered.

For example, a molly vendor offers free or cheap 0.25 g samples to the first 50 customers and then, after they post feedback, changes the order to a higher-priced 10 g item. People looking at the 10 g item see all the positive feedback and decide to order from the vendor, who never delivers.

One vendor who did this, HappyHolland, even threatened buyers of the original sample with sending their details to the police if they did not keep quiet and post 5/5 feedback.

I reported this to the Agora admins but they have told me they don't care. At this stage I would not continue to use that marketplace until they take their customers' security more seriously.
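A defender-side fix for the flaw described above, as an added example (not Agora's code, nor anyone's from this thread): every edit to a listing creates a new immutable version whose id covers vendor, title, price and quantity; each review is bound to the version it was left on; and the listing summary counts only reviews for the current version, so a listing edited into a 10 g item starts with no reputation. All names and values are constructed.

```python
import hashlib
import json
from dataclasses import dataclass, field, replace

@dataclass(frozen=True)
class ListingVersion:
    # Every field a buyer relies on is part of the version id, so any edit yields a new id.
    vendor: str
    title: str
    price: float
    quantity: str

    def version_id(self) -> str:
        payload = json.dumps([self.vendor, self.title, self.price, self.quantity])
        return hashlib.sha256(payload.encode()).hexdigest()[:16]

@dataclass
class Listing:
    listing_id: str
    versions: list = field(default_factory=list)
    feedback: list = field(default_factory=list)  # (version_id, rating, text)

    def current(self) -> ListingVersion:
        return self.versions[-1]

    def edit(self, **changes) -> str:
        # A vendor edit appends a new version instead of mutating the listing in place.
        self.versions.append(replace(self.current(), **changes))
        return self.current().version_id()

    def leave_feedback(self, rating: int, text: str) -> None:
        # Feedback is bound to the version the buyer actually purchased.
        self.feedback.append((self.current().version_id(), rating, text))

    def summary(self) -> dict:
        cur = self.current().version_id()
        current_fb = [f for f in self.feedback if f[0] == cur]
        legacy_fb = [f for f in self.feedback if f[0] != cur]
        avg = sum(f[1] for f in current_fb) / len(current_fb) if current_fb else None
        return {"version": cur, "current_count": len(current_fb),
                "current_avg": avg, "legacy_count": len(legacy_fb)}

def scenario() -> dict:
    # Constructed replay of the post's pattern: 50 reviews on a cheap 0.25 g sample,
    # then the vendor edits the same listing into a 10 g item at a much higher price.
    lst = Listing("constructed-001", [ListingVersion("vendor-x", "Sample", 1.0, "0.25 g")])
    for _ in range(50):
        lst.leave_feedback(5, "arrived as described")
    lst.edit(title="Full size", price=400.0, quantity="10 g")
    return lst.summary()  # current_count 0, legacy_count 50
```

The legacy reviews are still stored and can be shown under the old version, but they no longer inflate the edited item's rating.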


Comments


[13 Points] None:

[deleted]


[3 Points] STIMUMAN_UK:

I have had a vendor change the name of the product I bought before, which turned out to be garbage!!! PM me if you want the vendor's name, they are on Agora and one of the top opiate vendors.....


[2 Points] summore:

I noticed that on BSM also. The feedback remains even when the product changes.


[2 Points] reprapraper:

This is in no way unique to Agora and is pretty easily solvable by taking 5 minutes to read the listing and the last page or two of the vendor's review thread on the forums (The Hub or otherwise).


[2 Points] huh_whut:

Present and taken advantage of on SR2 also. Not uncommon currently.


[1 Points] Laziest_Bastard_Ever:

Thanks for pointing this out, I hope they fix this issue.


[1 Points] DNx1:

The code base itself is questionable.

The web server is either spoofing data or there is a lack of hardening of the system.

Simple Machines Forum, used by many onion sites, has documented vulnerabilities. With some forums running older versions, that gives an attacker the opportunity to run code through an exploit in the avatar upload functionality.

Remember the bottom line here is profit.

OPSEC should be priority to someone running a dark market but it is not a mutually inclusive attribute.

It's highly plausible to think that the server has been compromised. The invite system might be a sign of exclusivity but, to play devil's advocate, one could speculate it serves for: relationship mapping; knowing the code base needs work.


[1 Points] heavydruguser:

"even threatened buyers of the original sample with sending their details to the police"

Remember everyone, if this ever happens to you, DENY. You don't know why you received the package. You don't know who sent it. You have no idea why anyone would have sent it to you. You cannot be charged with a crime for this.


[1 Points] srdnm3:

This is how my friend got scammed on Agora. The vendor did this and then changed the price to a higher-valued item and he bought it and the vendor never delivered. Once one account gets banned, the scammers make another one. I saw his scammer on a new account after the original scammer got banned.


[1 Points] tripped_out_me:

Tor Bazaar has done a great job with their feedback system. I recently just posted my first one so was thoroughly impressed with how it's been set up. Both vendors and users get to leave feedback for each other without them knowing who left them the feedback. Additionally, vendors get rated for their communication, shipping, stealth and the quality of the product. No date or specific item or quantity info is attached to the feedback and once submitted it cannot be edited or deleted. Now to mitigate threatening vendors forcing buyers to submit great feedback or doxxing them: the feedback system tracks and updates feedback for both users and vendors in multiple quantities of 2 or more, randomly uploaded at different times of the day, making it very hard for vendors with multiple orders to know who might have left them a negative feedback.


[1 Points] Vendor_BBMC:

If a vendor wanted to exploit it, agora has another vulnerability.

In the vendor control panel, an automatic refund anywhere up to the item's full price can be set. I guess Agora still take their 5%.

Customers should name the item in their feedback. You'll see some "vendors" getting feedback like "only took 8 days to get to Australia" the day after they started trading.

Feedback should be as varied as customers.


[-1 Points] BlueShadesTM:

Well apparently Agora's been hacked anyway.