Utopia is insecure and admins are cheap!

Well, you saw the post before about the XSS? Yeah, that's right, it was not the first XSS on the site. There was also an XSS in the subject parameter when you send a message, which I submitted to the admin, aka JayLaw. In the subject header of the message??? Can you believe that?? You could target your victim directly by sending a message and he wouldn't even notice??!! Luckily for Utopia I reported it before some dude sent all these Tor browser update scams... I also sent them a BTC address to send a little thanks, but they didn't even pay a lousy cent. All I got was a thank you?! WTF! Other markets paid up to 0.1 BTC for an XSS and 0.3 for SQLi!!

Ahh yeah, also when you check out this http://ggvow6fj3sehlm45.onion/Pm/compose/1/reply_id:5555 just change the reply id and you see the subject of every message ever sent, I guess... I need to say, nice flaws that you got there, Utopia. If you want to thank me now, Utopia, here: 13c8369HpHi45Qh7SZmoDa95JrnvqiLYfq You should take security more seriously! Seriously, guys!
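The two flaw classes the post describes, a stored XSS in the PM subject and an insecure direct object reference on reply_id, modelled side by side as an added illustration. This is not Utopia's or CakePHP's code; the message store, user names, the `<script>` payload and the message ids are all constructed here, and the vulnerable handlers are written to reproduce the behaviour the post describes so the hardened versions can be compared against them.

```python
"""Added example: stored XSS via an unescaped subject, and IDOR on reply_id,
in a toy in-memory PM store. Vulnerable and hardened handlers side by side."""
import html
from dataclasses import dataclass


@dataclass
class Message:
    msg_id: int
    sender: str
    recipient: str
    subject: str
    body: str


# Constructed sample data (hypothetical users and ids, not real traffic).
# Message 2 carries a stored-XSS payload in its subject, the vector the post
# describes; message 5555 belongs to two other users entirely.
MESSAGES = {
    1: Message(1, "alice", "bob", "Order #42", "shipped"),
    2: Message(2, "mallory", "bob", "<script>alert(1)</script>", "hi"),
    5555: Message(5555, "carol", "dave", "private subject", "secret"),
}


def render_inbox_vulnerable(user):
    """Interpolates the stored subject straight into HTML: the recipient's
    browser executes whatever the sender typed into the subject field."""
    rows = [f"<li>{m.subject}</li>"
            for m in MESSAGES.values() if m.recipient == user]
    return "<ul>" + "".join(rows) + "</ul>"


def render_inbox_hardened(user):
    """Same view with output encoding at the point of rendering, so the
    payload is displayed as text rather than parsed as markup."""
    rows = [f"<li>{html.escape(m.subject, quote=True)}</li>"
            for m in MESSAGES.values() if m.recipient == user]
    return "<ul>" + "".join(rows) + "</ul>"


def compose_reply_vulnerable(current_user, reply_id):
    """Prefills the reply form from reply_id with no ownership check, so any
    logged-in user can walk the id space and read every subject (IDOR)."""
    m = MESSAGES.get(reply_id)
    return None if m is None else f"Re: {m.subject}"


def compose_reply_hardened(current_user, reply_id):
    """Only a party to the original message may reply to it. Not-found and
    not-yours return the same result so ids cannot be enumerated by
    distinguishing the two responses."""
    m = MESSAGES.get(reply_id)
    if m is None or current_user not in (m.sender, m.recipient):
        return None
    return f"Re: {html.escape(m.subject, quote=True)}"


def leaked_subjects(current_user, handler, id_range):
    """Walks a range of reply ids as the given user and returns every subject
    the handler hands back: the enumeration the post describes."""
    found = []
    for reply_id in id_range:
        prefilled = handler(current_user, reply_id)
        if prefilled is not None:
            found.append(prefilled)
    return found
```

Walking ids 1 to 6000 as "bob" through `compose_reply_vulnerable` returns three subjects, including carol and dave's, while the hardened handler returns only the two messages bob is a party to. Note that the hardened compose function escapes on output too; the ownership check and the encoding are independent fixes, and each of the two flaws needs its own.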


Comments


[3 Points] sharpshooter789:

In this day and age XSS is unacceptable even for clearnet sites.


[3 Points] gwern:

In the subject header of the message??? Can you believe that?? you could target your victim directly by sending a message and he wouldn't even notice??!! Luckily for Utopia I reported it before some dude sent all these Tor browser update scams...

Oh, is that what that was? I was a little surprised because it was clearly a scam but the URL it was telling me to download from looked pretty legitimate.


[3 Points] fgagfgagfffgre:

I wonder why they are still online if what whyusheep says is true...??? (and I doubt that it is not)


[3 Points] tomhuck:

I just want to say thanks to you hackers for ripping their asses. This stuff is way beyond me, but you would think that someone starting a darknet market would at least know what the fuck they're doing before going live. If you guys can take over their database, imagine what the government can do.


[1 Point] None:

There are many more bugs in their CakePHP install... This is the tip of the iceberg.

They also charge you 1% to withdraw funds, which is one of the many reasons I targeted them.