What current and potential future Cantina Marketplace vendors and users need to know about the admin.

This post is a wrap-up of "the Cantina affair" and serves as a notice for current vendors and users, and for any potential future users and vendors searching for info.

Intro

On the 27th of January 2014 a new site called Cantina Marketplace was announced here on reddit. The intro thread was full of skepticism about many of the claims the market admin made about security. Within 24 hours a user on /r/silkroad posted "Cantina not worthy" where they pointed out an SQL Injection vulnerability on the site. Cantina admin denied there was a bug, and posted a bounty of 5BTC to anybody who could find an SQL injection on the site (comment since deleted). Within hours multiple people posted bugs - there were a total of 3 different bugs posted in that thread alone:

/orderprocess.php?Item=
/account/profile.php?UID=
/items.php?Item=

The Item and UID parameters were vulnerable wherever they featured on the site - which was on almost every. single. page. All it took to discover the bug was to replace the usual parameter value with an apostrophe and request the page, which would produce an error message from MySQL.

Cantina denied multiple times that these were SQL injection errors, or that the site was compromised. The terms of the bug bounty changed from finding an SQL injection bug to requesting that users prove the site was vulnerable by dumping database data. The admin was gambling with his users' data, and multiple users complied with his request to 'prove' the bug by dumping user data, passwords, database info, screenshots of their admin portal etc. in subsequent threads.

Now to the details of all the mistakes and lies cantina admin made.

1. Cantina lied in their marketing and their launch post.

2 days ago in "Introducing the Cantina Marketplace" admin said:

Secure message system. All messages on the site are automatically encrypted so only yourself and the recipient are able to read your communication. This means even in the situation where the site is compromised, never any order information or messages will be available to Law Enforcement.

This has since proven to be a lie (see here). I have a complete copy of the cantina database and the tables that store user messages store them in plain text. There is also no sign in the code that this feature was implemented. In any case this type of encryption does not work, since the server would have to store both sets of keys. Anybody breaking into the site would simply also steal the keys and decrypt all messages. This is why all users must use desktop PGP.

Further, the launch post also stated:

Our team is comprised soley of professionals consisting of a security technician, programmer, promoter, and administrator.

If the cantina marketplace did have a security technician on their team, then he or she would be the worst ever security technician in the history of the world. The type of SQL injection errors found were elementary. Rarely do penetration testers find such low hanging fruit, especially not on a site that aims to store and process hundreds of thousands of dollars worth of bitcoin.

My comment on that post was to be skeptical of their security claims:

Just once I'd like a marketplace to launch and, instead of throwing the word 'security' around, actually describe what it is they have done to make themselves more secure.

When pressed for more details of this glorious security architecture, admin replied with:

We have designed the site so it is completely safe from hackers and LE who may try various data extraction techniques to get sensitive data such as order information, user list, messages, etc.

All the messages sent on the site are encrypted so only you and the person you want to read the message can view it.

Also we have multiple dedicated servers running in countries around the world, so the marketplace can never be taken offline.

All three of those points were proven to be false. Further, in another comment admin stated:

We have a programmer and server technician, both are very skilled at what they do. They have been able to secure the site from all data extraction techniques through advanced coding and scripts. I am not sure the specifics of how they do it, but we have gone through lots of tests to make sure everything is secure.

This was misleading, if not an outright lie.

Admin was also extremely aggressive and rude to users asking questions about the marketplace, as summarized well in this comment by user /u/tallheaded. Admin removed many of the most offensive comments, a practice that would become a habit in the following days.

2. Cantina attempted to cover up the first reported security bug

When /u/throwaway748569w7 posted "Cantina not worthy" describing a simple SQL injection bug he had located on the site, admin at first private messaged the OP and attempted to pay him off (20BTC, apparently) to remove the post. When this failed, he reverted to damage control mode and attempted to spin the bug out of existence.

As well as denying the existence of this first of many SQL injection bugs, it was in this thread that admin posted the 5 BTC bounty for anybody who could find a bug (comment since deleted):

Cantina Marketplace is 100% secure.

It is not sqli vulnerable. I wish people would not upvote threads like this without doing any investigating themselves. 5 Bitcoins to whoever is able to successfully do a sql injection Regards, Cantina Marketplace

Within hours this comment had replies from people pointing out SQL injection bugs.

3. Denial of the bugs found during the bounty

The details of the bug that I posted here are usually enough to get the attention of a developer or admin for them to fix the bug. It clearly points out an SQL injection bug which can be exploited to access all data and all server info.

After I posted that bug, I read some of admin's other comments in that thread and noticed a trend of denying the existence of bugs. Combined with his earlier spin about the site security, which I now knew to be untrue, I got the impression that once the admin saw the bugs that had been posted he might attempt to deny them. This is what prompted me to actually exploit the bug and to grab some 'proof' that it was exploitable. This proof consisted of obtaining a copy of some server configuration files - information that can't be faked and that only the admin and a successful attacker would know.

When doing this, I found that the server was grossly misconfigured and contained a lot of critical information that could easily lead to the identity of admin being revealed, or to the location of the server being discovered. I edited my post and added the following line:

edit: you need to email me. theavid@safe-mail.net. my key is here, send me yours

I requested he use a key because I considered the information I had to be extremely sensitive. At this time I made no demands, did not blackmail admin nor did I leak any data (another hacker did leak some user data, and I asked him to remove it).

I sent admin a private message directing him to my request to get in touch with me by email (with PGP). I waited for admin to reply. At this time I was being sincere; I wanted Cantina to fix their bugs so that vendor and user data would not leak. At the time I also considered taking the site down for them, as a precaution. It was also clear by this point that the 5 BTC bounty was nothing more than a marketing gimmick, a way to spin the news of the first bug and attempt to appease users.

4. Admin wakes up to the news that his site had been hacked, multiple times. Denies everything.

I knew what timezone admin was in so I waited for him to wake up and check his messages.

Since admin has made multiple false claims about what took place in private messages, I have reproduced them here with original screenshots.

First message (screenshot):

to Cantina_Marketplace sent 21 hours ago

you need to take your site offline.

once you do, email me on the details I left here:

http://www.reddit.com/r/SilkRoad/comments/1wed78/cantina_not_worthy/cf1q11j

His only response was to reply to my thread on DNM with a link to his post denying that they had been hacked. The post admin made was titled "Cantina Marketplace has not been hacked". It has since been edited and the information removed, but the post claimed that Cantina was not hacked and that the hackers were lying and making their information up.

My hunch that Cantina would go into denial mode, which was based on their earlier spin of other issues, was right.

I went into my PMs and replied to his comment with a link to a page (I have since deleted it) with the complete records of the first 50 users in their database. This was as proof that they had been hacked. Admin saw the link and replied:

Nothing you are posting is from our database, nice try.

I realized I had screwed up at this point, because I had replied in a comment thread rather than in a private message - everybody in that thread could have seen the link - so I deleted the comment and deleted the link (within minutes). This prompted admin to add to his comment:

EDIT: Notice he deleted his fake "data"

Admin was now bluffing and gambling with his own user data. I then created a thread where users of Cantina could verify that I was holding their data by asking them to reply with their Cantina usernames and I would look up their pin or password and private message it to them.

Admin created a new reddit account called /u/wowshit and then replied to my data verification thread with:

My name is "wowshit" on cantina, Whats my password?

The account was 6 minutes old at the time of the request. I looked up this username in the Cantina users table and messaged the pin back to the user. /u/wowshit replied with "that is not my pin!". This was a ruse designed to attempt to discredit my claim that I had the data. The only problem was that admin chose to run this diversion using a Cantina account that had administrator privileges on the site! Who else could it be if it wasn't admin? I dumped the entire user record in a reply.

Since admin was still in denial mode, I tried to think of the next thing I could post that would prove they had been hacked but without compromising the details of user accounts. I figured that a list of usernames and their registration dates would verify the data leak and wouldn't be too damaging (I'd prefer not to have to leak anything; in fact, I'd prefer to not even have to grab the data in the first place).

5. Admin claims I blackmailed him

Facing overwhelming evidence, including passwords, user data, screenshots, etc., admin finally conceded that Cantina had been hacked. He still wanted to find a way to downplay the severity of the hack and excuse his own behavior. This was all going to be the fault of the people who found the bugs.

In this comment when asked why the 5 BTC bounty was not paid, admin claims:

The reason no one gets the 5 Bitcoin reward is simple.

Instead of finding the weakness and telling us what it is so we could fix it, the hacker let everyone know the flaw to inflict as much damage as possible.

All the vendor listings were deleted, and a list of our user's usernames were published. The people that published a list of our users did not care at all for the security of those people.

Some of the threads said they had access to data such as pins, passwords, and attempted to blackmail us. I knew they had no access to this data, so I did not give in. If however, they did have this information I would have done everything in my power to make sure that user's information was not released.

The reward of 5 bitcoins was not payed to anybody, because not one person contacted us with information on the SQL injection flaw, instead I was blackmailed by numerous people demanding money.

and here, when asked about the server info I mentioned:

That was another attempt from The_Avid to blackmail us. We would never be foolish enough to leave personal information anywhere on our marketplace.

Since I am being accused of blackmail, I figure I'll post my PMs with /u/Cantina_Marketplace:

First I messaged him and pointed to my comment with the bug, asking him to email me right away. He replied with a link to the 'we were not hacked' story.

Here are the private and comment thread messages that came next, spread out over hours while admin denied they were hacked:

  1. My initial message asking him to email me

  2. After his comments and denials, asking him if it's OK to publish his server config

  3. Me showing him more data

Every single one of his replies to my private messages was simply the word 'LOL'.

Now who was reckless with user data?

I never made a single request for money in my messages - not once, on the contrary I told him I had no interest in the "bounty", I just wanted him to concede that his site was insecure.

In a later comment, admin almost concedes this point:

There was sensitive data such as order information, and messages, that blackmailers said they had. I told them to release the information because I knew they didn't have it.

and finally, this comment from admin:

If The_Avid decided to talk to me first he could have got the payment. Instead he made the choice to delete all vendor listings, release usernames, tell everyone how to exploit the flaw, then try to blackmail me. After doing all this he tell's the community I won't pay him his 'reward'.

There isn't a single comment from me anywhere complaining about not getting the bounty. On the contrary, I figured before admin had awoken that the bounty was nothing more than a marketing gimmick, designed to cover up the site's incompetence.

And I believe the record reflects that I did approach him and speak to him first. The edit on my first post with my email address was specifically for admin to reach out to me, as was my private message (the one he replied to with 'LOL'). I didn't publish any data until after admin dared me into it, and even then I only leaked what I would consider non-sensitive data.

As an aside - I didn't delete the vendor listings or do anything destructive on the server. I didn't even attempt to withdraw bitcoins (there were only some 0.045 or so on there). There were over a half-dozen people with access to the server.

6. Mea Culpa, sorta.

A full 7 hours after the bug had been reported, and after bluffing hackers into leaking more and more data until he conceded they had been hacked, admin posted "Cantina Marketplace an Apology is in order".

From that post:

A single input on our marketplace was overlooked and somebody found it. An advanced SQL Injection was used and the attacker was able to access part's of our database

It wasn't a single input. Almost every single page was vulnerable. In speaking to other people who broke into the site, I discovered that we had all used a different (but basic) method to get in. Further, there were simple and stupid bugs, such as /u/sniok's "negative balance" bug, the admin password being Password1, the backend password being AAAaaa111, and input not being filtered on the profile fields, nor in private messages. If you wanted to design an intentionally vulnerable website with which you could train people with no experience how to hack, you would design Cantina Marketplace.

The SQL injection was also far from advanced. I could probably teach a non-programmer how to find it and exploit it in an hour.

The hackers showed complete disregard for user's security and made the choice to publish usernames and then try to blackmail me that they would release user passwords, I knew they did not actually have access to the passwords which is the reason I did not give in. However, if they did have access to sensitive user data such as passwords, I would have been obligated to do everything in my power to make sure that information was not released.

We know this wasn't true. Data was only leaked after admin made his post about Cantina not being hacked and denying everything.

Further:

Some went as far as threatening to release user order information, and messages. But I knew all that data was encrypted and therefor did not give into those demands either.

The order and message data on Cantina is not encrypted (see here).

This whole situation could have been resolved very differently to begin with. The_Avid, who I believe was the one who first found the flaw could have collected the reward. Instead, the hacker's actions were very different. He decided to cause as much damage as possible. Without sending me a single PM, he went about deleting huge parts of our database and telling everyone of the flaw inviting more damage to be done.

Well, I have proven above that the 'no pm' part is a lie. I can't prove that I didn't do the damage, but I'll just say that I didn't (I didn't exploit any flaws on drugslist; instead I published them).

When I woke up in the morning I had over 15 PM's from different people including The_Avid trying to blackmail me. Shortly after writing my thread, my team members inform me the full extent of damage that was done. the_avid should have known better then to sabotage our website, blackmail me in PM's, and then expect a 5 Bitcoin reward.

False, false, false. No evidence of any of this.

7. Admin is an asshole and a conman

This was the second incident in as many days that left admin backtracking and bulk-deleting comments. He attacked community members who (presciently) questioned the security of his site. His 5BTC bounty was nothing more than a scam to cover up an earlier bug report. His final 'apology' post is nothing more than an attempt to shift the blame onto others and not take any responsibility. Admin continues to lie and deceive, still claiming that messages are encrypted, that passwords were not leaked, that I blackmailed him, etc. despite the evidence.

Admin is nothing more than a conman looking to make a quick buck from members of our community. He would sacrifice and burn absolutely anything or anybody to achieve this goal. He ordered a low-budget site that is only capable of one thing: accepting bitcoins from fooled participants. Since launching admin has done nothing but talk down to members of this community. He believes he is smarter than any of us and took us for fools when he believed he could talk his way out of serious security issues on his site. I don't think he expected to run into anybody here who would be able to actually call him out on his bullshit.

Admin dared hackers into releasing user info and gambled with their security rather than admit any wrongdoing. This was all about admin and him saving face, rather than the security of their users or vendors. Most real hackers don't bother emailing or messaging the site administrator, they will simply take the data and disappear.

So users and vendors here now, and any of those reading this in the future - avoid this administrator, Cantina Marketplace and any other marketplace he might be associated with in the future (if you are wondering how we might identify his involvement in any future marketplace, I have a solid solution for that). This was nothing more than a scam that was caught early enough (it lasted 48 hours) where it didn't cause much damage. Were this allowed to drag on it is almost certain that it would have been hacked or taken over by LE in the near future.

I strongly believe cantina and admin should be banned from here. They are rogue operators. They should also be added to a 'wall of shame' of negligent and scamming marketplace admins.

8. The user data

I have a complete copy of the user database including pin numbers, etc. I also have a lot of server information that I have yet to go through. I will be contacting every user in the database and alerting them to this thread and asking them to change their passwords and PINs on other sites as a matter of urgency. I will also be advising them to delete their accounts on Cantina, since it is in no way safe - and even if somehow admin manages to create a new site, he has proven himself as being a person who can not be trusted.

After I am done contacting users from the database and doing some basic research (which I will publish; even though the data sample is small, there are interesting stats such as the percentage of users who use PGP), I will be securely destroying the data.

If at any time you see a reference to Cantina anywhere on the web, please point them over to this thread or to any other thread from the last few days about Cantina.

tl;dr I find that the Cantina Marketplace administrator is of poor character and should not be involved in the establishment, operation or development of any underground drug marketplace.

edit screenshots updated to use imgur, thanks /u/IGetDankShit

edit no need to thank me for the totally awesome threads going on below. as /u/HoudiniWasFake linked: http://i.imgur.com/agJIP.gif
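An added illustration, not from the original post and not Cantina's own code (the site ran on PHP/MySQL), of the Item-parameter bug described in the intro: the concatenated query beside a bound-parameter version, with the apostrophe check that surfaced the bug written as a regression test a defender can keep. It uses Python's sqlite3 as a stand-in for the site's MySQL backend with constructed sample rows; the function names and the policy of treating a non-numeric Item as not found are assumptions.

```python
import sqlite3

# Constructed sample data standing in for Cantina's items table (not real site data).
SAMPLE_ITEMS = [(1, "sample item A", 0.50), (2, "sample item B", 1.25)]


def make_db():
    """In-memory SQLite database used here in place of the site's MySQL backend."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE items (id INTEGER PRIMARY KEY, name TEXT, price_btc REAL)")
    conn.executemany("INSERT INTO items VALUES (?, ?, ?)", SAMPLE_ITEMS)
    return conn


def lookup_item_vulnerable(conn, item_param):
    """The pattern the post describes: the Item query parameter is pasted into the
    SQL text, so a stray apostrophe breaks the statement and the raw database
    error is handed back to whoever requested the page."""
    sql = "SELECT id, name, price_btc FROM items WHERE id = '" + item_param + "'"
    try:
        return {"rows": conn.execute(sql).fetchall()}
    except sqlite3.Error as exc:
        return {"error": str(exc)}  # leaks engine/query details, as Cantina's pages did


def lookup_item_safe(conn, item_param):
    """Hardened form: validate the type (Item is a numeric id), bind the value
    instead of splicing it into the query, and never expose engine errors."""
    if not item_param.isdigit():
        return {"rows": []}  # assumed policy: a malformed id is simply "not found"
    try:
        rows = conn.execute(
            "SELECT id, name, price_btc FROM items WHERE id = ?", (int(item_param),)
        ).fetchall()
        return {"rows": rows}
    except sqlite3.Error:
        return {"error": "internal error"}  # details belong in server logs only


def apostrophe_probe(lookup, conn):
    """The check from the post, kept as a regression test: request the page with
    the parameter replaced by a single apostrophe and report whether a database
    error came back (True means the handler is splicing input into SQL)."""
    return "error" in lookup(conn, "'")


if __name__ == "__main__":
    db = make_db()
    print("vulnerable handler returns a DB error:", apostrophe_probe(lookup_item_vulnerable, db))
    print("hardened handler returns a DB error:  ", apostrophe_probe(lookup_item_safe, db))
```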


Comments


[9 Points] GrayMatterTechnology:

If you wanted to design an intentionally vulnerable website with which you could train people with no experience how to hack, you would design Cantina Marketplace.

No one could have said it better.

This is really evident of the gold rush heading towards the darknet markets and Bitcoin in general. People with little to no experience are able to build services, or contract work from freelancers, which then go on to handle potentially multimillion dollars of assets. Every site needs to be met with an extreme amount of scrutiny, especially when there have been two sites this week that have failed basic security procedures.


[8 Points] IGetDankShit:

I strongly believe cantina and admin should be banned from here. They are rogue operators. They should also be added to a 'wall of shame' of negligent and scamming marketplace admins.

I'll bring this up today and work on adding this section to the sidebar. Thanks for the suggestion and more importantly thank you for all the work you've done here to help the users of this subreddit, you've undoubtedly saved people from losing their hard earned money.


[7 Points] KnightOTS:

Every new marketplace that comes out should be judged by the_avid. I don't know two shits about the whole technical aspect of the darknet sites and I know a lot of people are the same. With the rise of all these new markets someone should step up and take the role as the mf judging what's what. A lot of people are gonna wanna do what sheep did, and if someone's not looking out they might just pull it off. This cantina mf is obviously the biggest idiot out of the bunch but someone not as stupid is going to come along and try to scam as many people as possible. I've lost too much btc from all the old sites to have this happen again, and know everyone else has too.


[3 Points] None:

Thank you. We need people like you looking out for the greater good of the rest. He probably just concocted this site for a quick buck and leave


[2 Points] pronger:

if you are wondering how we might identify his involvement in any future marketplace, I have a solid solution for that

Do tell....


[2 Points] deepdot:

[I retract what i said] no reason to help you if you are not going to help yourself.


[2 Points] KnightOTS:

Just another stupid individual who saw what sheep did and thought they were smart enough to do the same. I don't understand the point of all these new markets. As long as Agora and S.R 2 are around people shouldn't even think about testing out these other crappy markets. Don't try to fix something if it isn't broken. It's obvious this idiot is gonna make another marketplace with a different name. Who would trust their btc to such a fool. If you're gonna try to steal people's btc at least be somewhat smart with it, this guy's just the definition of fail


[1 Points] sohhlz:

Other than that, though, Cantina is safe to use?

Wow, what a nightmare. Thanks for all of your work, especially notifying the users. Far too many people reuse their passwords and PINs.


[1 Points] InfinitelyOutThere:

This has been added to my mega thread :)

Good shit!

~infinite




[-1 Points] Mr_Everidge:

tl dr

